This is the development setup I have. All host references are localhost.
I am using Flask-OIDC 2.0.3 along with Keycloak 22.0.3 (running on Docker as a service). The Flask app runs on port 8080, Keycloak on 9080 and I have a React UI running on port 9001.
All these services are running on http and not https
My Keycloak docker-compose file is as follows
version: '3.8'
name: keycloak
services:
keycloak:
image: quay.io/keycloak/keycloak:22.0.3
command: ['start-dev --import-realm']
volumes:
- ./realm-config:/opt/keycloak/data/import
environment:
- KC_DB=dev-file
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=admin
- KC_FEATURES=scripts
- KC_HTTP_PORT=9080
- KC_HEALTH_ENABLED=true
- KC_HTTPS_REQUIRED=false
# If you want to expose these ports outside your dev PC,
# remove the "127.0.0.1:" prefix
ports:
- 127.0.0.1:9080:9080
- 127.0.0.1:9443:9443
My client_secrets.json is as follows
{
"web": {
"client_id": "<client>",
"client_secret": "<secret>",
"auth_uri": "http://127.0.0.1:9080/realms/jhipster/protocol/openid-connect/auth",
"token_uri": "http://127.0.0.1:9080/realms/jhipster/protocol/openid-connect/token",
"issuer": "http://127.0.0.1:9080/realms/jhipster",
"userinfo_uri": "http://127.0.0.1:9080/realms/jhipster/protocol/openid-connect/userinfo",
"token_introspection_uri": "http://127.0.0.1:9080/realms/jhipster/protocol/openid-connect/token/introspect"
}
}
I configure my Flask app as follows
OIDC_CLIENT_SECRETS = "src/main/python/config/client_secrets.json"
OIDC_REDIRECT_URI = "http://127.0.0.1:8080/oidc_callback"
My Keycloak client configuration is as follows
When I click on the sign-in URL of my UI, it takes me to the Keycloak sign-in page of the new realm I created. But I see that the redirect_uri
has been changed to https.
If I proceed with the login, I get an error Secure Connection Failed
I have tried the following
- Removed https from the redirect_uri list in Keycloak for the client
- Then I get an error on the Keycloak sign-in page saying "Invalid redirect_uri"
- Removed https from the URL in the browser address bar manually and signed-in
- Then I get an error "invalid_grant: Incorrect redirect_uri"
Actual question:
Part 1: Since this entire setup is running entirely on my local machine, I an not sure where the https redirect is being picked up and how to prevent it? This looks like a Keycloak issue (just a guess) of redirection preference to https but it seems strange since the traffic originates from http.
Part 2: Do I need to explicitly implement /oidc_callback. I assume Flask-OIDC will take care of handling this.
This article is mentioned in the github issue Conversion of HTTP URLs to HTTPS in request_uris. A config setting
OIDC_OVERWRITE_REDIRECT_URI
was added as a part of the fix for the issue.You can see the relevant code in /flask_oidc/views.py.
My reading of the code is: if you have
OIDC_CALLBACK_ROUTE
it will get converted to https. You can override by settingOIDC_OVERWRITE_REDIRECT_URI
.This worked for me: