
Issue with custom certification authority #52

Closed
njordr opened this issue Mar 31, 2018 · 8 comments

Comments

@njordr

njordr commented Mar 31, 2018

Hi.

flask-oidc==1.3.0
python 3.6.5
flask 0.12.2
ubuntu 16.4.3

I set up everything to log in with keycloak. Everything worked as expected when run against keycloak over HTTP.

Then I configured keycloak over HTTPS with a certificate created from a self-signed CA:

  • flask redirects the browser to keycloak (no SSL issue because I imported the custom CA on my laptop)
  • I can do the login phase on keycloak
  • keycloak redirects the browser to flask (/oidc_callback)
  • flask returns http code 500, error:
::ffff:172.18.0.11 - - [2018-03-31 21:19:23] "GET / HTTP/1.1" 302 2133 0.031266
Traceback (most recent call last):
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/gevent/pywsgi.py", line 935, in handle_one_response
    self.run_application()
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/gevent/pywsgi.py", line 908, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1997, in __call__
    return self.wsgi_app(environ, start_response)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1985, in wsgi_app
    response = self.handle_exception(e)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1540, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask_oidc/__init__.py", line 650, in _oidc_callback
    credentials = flow.step2_exchange(code)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/oauth2client/client.py", line 2054, in step2_exchange
    http, self.token_uri, method='POST', body=body, headers=headers)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/oauth2client/transport.py", line 282, in request
    connection_type=connection_type)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1514, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1264, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1187, in _conn_request
    conn.connect()
  File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1013, in connect
    self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
  File "/opt/python36/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/opt/python36/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/opt/python36/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/python36/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)
Sat Mar 31 21:19:23 2018 {'REMOTE_ADDR': '::ffff:172.18.0.11', 'REMOTE_PORT': '46558', 'HTTP_HOST': '10.100.100.10:6000', (hidden keys: 30)} failed with SSLError

I suppose the problem is in these rows (flask_oidc/__init__.py, method _oidc_callback):

        # make a request to IdP to exchange the auth code for OAuth credentials
        flow = self._flow_for_request()
        credentials = flow.step2_exchange(code)
        id_token = credentials.id_token

I think flask tries to communicate with keycloak and the SSL handshake fails.

The custom CA cert is imported into the system CA store where flask runs.

I tried to use the following env vars:

  • REQUESTS_CA_BUNDLE
  • PYTHONHTTPSVERIFY
  • SSL_CERT_DIR
  • SSL_CERT_FILE

but there was no way to get rid of the issue.

I tried to follow the code, but I got lost in it.

Thanks

@trourance

trourance commented Jun 8, 2018

I have exactly the same problem and I haven't found any solution to bypass that error at the moment.
I've tried to create an unverified SSL context, but without any success:
ssl._create_default_https_context = ssl._create_unverified_context

@njordr
Author

njordr commented Jun 8, 2018

@trourance as a workaround I configured userinfo_uri, token_uri, token_introspection_uri with the http endpoint. This is my client_secret.json:

{
    "web": {
        "issuer": "https://auth.spy.local/auth/realms/Spy",
        "auth_uri": "https://auth.spy.local/auth/realms/Spy/protocol/openid-connect/auth",
        "client_id": "spy-registry",
        "client_secret": "0be4d4c7-4d82-4951-86ba-1deb8bca5c08",
        "redirect_uris": [
            "https://registry.spy.local/oidc_callback"
        ],
        "userinfo_uri": "http://192.168.33.40:8080/auth/realms/Spy/protocol/openid-connect/userinfo",
        "token_uri": "http://192.168.33.40:8080/auth/realms/Spy/protocol/openid-connect/token",
        "token_introspection_uri": "http://192.168.33.40:8080/auth/realms/Spy/protocol/openid-connect/token/introspect"
    }
}

Hope this can help you in the meantime.

@trourance

@njordr Thank you so much, your workaround works perfectly.

@trourance

Btw, I have the same issue when using a perfectly valid certificate. It's impossible at the moment to use https at all and it's a blocker.

@trourance

@njordr I've found the workaround. The problem comes from the httplib2 library, which uses its own CA file to validate the SSL certificates. You can add your own CA certificate to this file and enable https endpoints in client_secret.json:
cat myca-cert.crt >> [path_to_python_libs]/httplib2/cacerts.txt

HTH

@njordr
Author

njordr commented Jun 19, 2018

@trourance great, thanks a lot

@puiterwijk
Owner

Yeah, so this depends on your deployment of httplib2 and the fact that it uses its own CA.
I do not think I want to really support overriding that from inside flask-oidc, and people should instead add the CA to the file that httplib2 uses as CA file.

@rodriguez-facundo

cat myca-cert.crt >> [path_to_python_libs]/certifi/cacert.pem did it for me
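The two `cat >> ...` workarounds above (httplib2's cacerts.txt and certifi's cacert.pem) do the job, but a plain append is not idempotent, and nothing confirms that the CA actually landed in the bundle the library reads. The script below is an added example for this thread, not code from flask-oidc, httplib2 or certifi: it parses a PEM bundle, compares SHA-256 fingerprints of the DER-encoded certificates (the same value `openssl x509 -noout -fingerprint -sha256` prints), and appends the private CA only when it is missing. The bundle path next to the httplib2 package is an assumption taken from the thread; the "certificates" in `demo()` are constructed base64 blobs so the merge logic can run offline and are not real certificates.

```python
"""Idempotently merge a private CA certificate into a PEM bundle (added example)."""
import base64
import hashlib
import os
import re
import ssl
import sys
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return every PEM certificate block in text, in order."""
    return PEM_RE.findall(text)


def fingerprint(pem_block):
    """SHA-256 over the DER encoding; matches `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    return hashlib.sha256(der).hexdigest()


def ca_present(bundle_path, ca_path):
    """True when every certificate in ca_path is already in bundle_path."""
    with open(bundle_path) as f:
        present = {fingerprint(b) for b in pem_blocks(f.read())}
    with open(ca_path) as f:
        return all(fingerprint(b) in present for b in pem_blocks(f.read()))


def merge_ca(bundle_path, ca_path):
    """Append the certificates from ca_path that bundle_path lacks.
    Returns the number of certificates appended (0 means nothing changed)."""
    with open(ca_path) as f:
        ca_blocks = pem_blocks(f.read())
    if not ca_blocks:
        raise ValueError("no PEM certificate found in %s" % ca_path)
    with open(bundle_path) as f:
        existing = f.read()
    present = {fingerprint(b) for b in pem_blocks(existing)}
    missing = [b for b in ca_blocks if fingerprint(b) not in present]
    if missing:
        with open(bundle_path, "a") as f:
            if existing and not existing.endswith("\n"):
                f.write("\n")
            for b in missing:
                f.write(b + "\n")
    return len(missing)


def httplib2_bundle_path():
    """Assumed location of the bundle httplib2 reads: cacerts.txt beside the
    package, as in this thread. Newer releases may defer to certifi instead."""
    import httplib2  # imported lazily; only needed outside the offline demo
    return os.path.join(os.path.dirname(httplib2.__file__), "cacerts.txt")


def constructed_pem(label):
    """NOT a real certificate: a PEM-shaped block whose body is base64(label),
    constructed only so the merge logic can be exercised offline."""
    body = base64.encodebytes(label.encode()).decode()  # ends with newline
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"


def demo():
    """Run the merge against a constructed bundle in a temp dir; return the results."""
    d = tempfile.mkdtemp()
    bundle = os.path.join(d, "cacerts.txt")
    ca = os.path.join(d, "myca-cert.crt")
    with open(bundle, "w") as f:
        f.write(constructed_pem("public-root-1") + "\n" + constructed_pem("public-root-2") + "\n")
    with open(ca, "w") as f:
        f.write(constructed_pem("my-private-ca") + "\n")
    before = ca_present(bundle, ca)
    first = merge_ca(bundle, ca)     # appends the private CA once
    second = merge_ca(bundle, ca)    # re-running must not duplicate it
    with open(bundle) as f:
        total = len(pem_blocks(f.read()))
    return {"present_before": before, "first_merge": first, "second_merge": second,
            "present_after": ca_present(bundle, ca), "total_certs": total}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python merge_ca.py /path/to/cacerts.txt myca-cert.crt
        n = merge_ca(sys.argv[1], sys.argv[2])
        print("appended %d certificate(s); present: %s" % (n, ca_present(sys.argv[1], sys.argv[2])))
    else:
        print(demo())
```

Because the bundle lives inside site-packages, every reinstall or image rebuild of httplib2 (or certifi) silently reverts it, so run the merge as a deployment step rather than once by hand; the idempotent check makes that safe. This keeps certificate verification on, which the mixed-content commit referenced below gives up by disabling SSL verification at run time.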

Shotokhan added a commit to Shotokhan/ca_authenticator that referenced this issue Dec 3, 2021
…ages. Configured the use of HTTPS for Keycloak to avoid mixed content errors in browser: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content ; to do that, we also had to face the following issue for flask-oidc: puiterwijk/flask-oidc#52 . The solution of installing keycloak's certificate into httplib2/cacerts.txt wasn't enough because the IP address could be different; therefore, we added a configuration parameter about disabling SSL verification, and if it is set to true, then some code in python site-packages (inside the Docker) will be modified at run-time to disable SSL verification.