authorized_url is http, not https: #188
Comments
Why do you specify the You should do something like:
and then when you go to
Thanks for your response - I should have mentioned the code above was my attempt at fixing the problem - my original code was using the default route:
Which leads to the redirect to http://mydomain.com/login/slack/authorized. The website and calls are all hosted on https://, which is why I mentioned the gunicorn config. How do I check / set the root of my WSGI app?
FYI the code above is called in a setup() method that is called before_first_request - what's the best place to specify? Can't / don't want to put it inline as I like to keep all init code clean.
And to be comprehensive, Flask-Dance login & auth work on my dev server with the insecure HTTPS env variable set, so my routes & flow seem to be properly set up. The issue is the default handler uses the http:// base instead of https:// on the production server.
Well, then it might be the issue with gunicorn. Also, check your Slack app redirect URLs.
Hmm, this redirect_url should redirect to http://mydomain.com/slack_authorized, exactly as you specified.
It does redirect to http://mydomain.com/slack_authorized, but not to https://mydomain.com/slack_authorized, which I expect. Is there a way to fully overload the redirect_url with an absolute path and not a relative one?
Try solutions from here:
or
Yes, if you specify the URL with the protocol, https://mydomain.com, it will redirect to the absolute path.
Lexy, Solution #2 worked! Thank you for your help.
After this, the auth_url points to the correct https:// url instead of the http:// one. The items below are for reference for those encountering a similar issue. I tried (unsuccessfully)
PS: concerning your previous comment, in my case, if I specify the absolute URL with the protocol it treats it as a relative path (see my initial post up top).
--> uses relative path. I did not find a way to specify an absolute path.
Yes, https URLs are to be specified in the Slack App Redirect URLs section, although http URLs can be specified too as valid redirect URLs for local testing.
For anyone else coming across this issue who might be using Heroku + Cloudflare: your issue may lie within your Cloudflare settings. SSL mode needs to be set to Full so that Cloudflare will forward the request correctly. Without it, Heroku will only see
Digging deeper, I found out that this situation is well-known and mentioned in Flask documentation. Thus, instead of implementing a custom reverse proxy handler, you could use a nicer code of
There are a few things here:
That should be enough for Flask to do the right thing, no need for the For Apache there's also mod_remoteip nowadays, to be paired with a setting of
There's also documentation on our side: https://flask-dance.readthedocs.io/en/latest/proxies.html
I'm calling flask-dance with make_slack_blueprint, and the URL flask-dance sends to Slack as the authorized_url is
"http://mydomain.com/login/slack/authorized"
instead of the proper
"https://mydomain.com/login/slack/authorized"
This means the call fails on my production server since I did not set the insecure HTTPS env variable there (and shouldn't).
How do I get Flask-Dance to pass the https URL for the authorized_url? If I try to specify an absolute path as the authorized url then it gets treated as a relative path.
If it is meaningful:
I'm running Flask 1.0+
secure_proxy_ssl_header = ('HTTP_X_FORWARDED_PROTO', 'https')
forwarded_allow_ips = '*'
secure_scheme_headers = {'X-Forwarded-Proto': 'https'}
x_forwarded_for_header = 'X-FORWARDED-FOR'
PS: And yes, the client_id and secret above are bogus!
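The ProxyFix approach recommended in the thread (and in the Flask-Dance proxies page) only matters because the WSGI environ behind a TLS-terminating proxy still says wsgi.url_scheme = http, which is what url_for(..., _external=True) uses to build the authorized_url. The following is an added example, not code from this issue or from Flask-Dance, that re-implements the relevant part of werkzeug's ProxyFix as a tiny stdlib-only WSGI middleware so it runs without Flask installed; the proxy address 10.0.0.5, the callback path and the environ values are assumed or constructed. It also shows why a setting like forwarded_allow_ips = '*' is weak: the header is only honoured when the connection really comes from the trusted proxy, so a client that sends X-Forwarded-Proto directly cannot spoof the scheme.

```python
from wsgiref.util import application_uri

# Assumed address of the TLS-terminating proxy (what gunicorn's forwarded_allow_ips names)
TRUSTED_PROXIES = {"10.0.0.5"}

class ForwardedProtoFix:
    """Stand-in for werkzeug's ProxyFix(x_proto=1): honour X-Forwarded-Proto
    only when the connection comes from the proxy sitting in front of us."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = set(trusted_proxies)

    def __call__(self, environ, start_response):
        if environ.get("REMOTE_ADDR") in self.trusted:
            # A chain of proxies may send "https, http"; the outermost hop's value wins.
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)

def authorized_url(environ):
    """Absolute callback URL, built from the environ like url_for(..., _external=True)."""
    return application_uri(environ).rstrip("/") + "/login/slack/authorized"

def app(environ, start_response):
    """Minimal WSGI app that answers with the callback URL it would hand to Slack."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [authorized_url(environ).encode()]

def make_environ(remote_addr, forwarded_proto=None):
    """Constructed environ resembling what gunicorn sees behind a TLS-terminating proxy."""
    environ = {
        "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": "/login/slack",
        "SERVER_NAME": "mydomain.com", "SERVER_PORT": "80", "HTTP_HOST": "mydomain.com",
        "wsgi.url_scheme": "http", "REMOTE_ADDR": remote_addr,
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ

def callback_url_for(remote_addr, forwarded_proto=None, trusted=TRUSTED_PROXIES):
    """Push one request through the middleware and return the URL the app produced."""
    wrapped = ForwardedProtoFix(app, trusted)
    body = wrapped(make_environ(remote_addr, forwarded_proto), lambda status, headers: None)
    return b"".join(body).decode()
```

callback_url_for("10.0.0.5", "https") yields the https callback the issue wanted, while the same header from an address outside TRUSTED_PROXIES leaves the URL on http.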