ssl.SSLCertVerificationError for flask application OAuth login with keycloak


Problem description

I took a sample hello-world flask application integrated with keycloak login from https://gist.github.com/thomasdarimont/145dc9aa857b831ff2eff221b79d179a

My client-secrets.json is as follows:

{
    "web": {
        "issuer": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm",
        "auth_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/auth",
        "client_id": "myclient",
        "client_secret": "****",
        "redirect_uris": [
            "https://167.254.224.26:30397/*"
        ],
        "userinfo_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/userinfo",
        "token_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/token",
        "token_introspection_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/token/introspect"
    }
}

When I run python app.py it runs successfully, but once I browse the app URL and click on login, it takes me to the keycloak login page; after I enter my credentials I get the following error

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2309, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2295, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1741, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python3.7/site-packages/flask_oidc/__init__.py", line 657, in _oidc_callback
    plainreturn, data = self._process_callback('destination')
  File "/usr/local/lib/python3.7/site-packages/flask_oidc/__init__.py", line 689, in _process_callback
    credentials = flow.step2_exchange(code)
  File "/usr/local/lib/python3.7/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/oauth2client/client.py", line 2054, in step2_exchange
    http, self.token_uri, method='POST', body=body, headers=headers)
  File "/usr/local/lib/python3.7/site-packages/oauth2client/transport.py", line 282, in request
    connection_type=connection_type)
  File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1994, in request
    cachekey,
  File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1651, in _request
    conn, request_uri, method, body, headers
  File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1557, in _conn_request
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1326, in connect
    self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
  File "/usr/local/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/usr/local/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1091)

I suspected this might be because my keycloak server is https and the flask app is http, and hence I have modified the app.py to be https:

app.run(host='0.0.0.0', port=8000, debug=True, ssl_context='adhoc')

But even after making the flask app https, the issue remains the same.

Note: since I'm running this application in containers, I have exposed the 8000 port as a NodePort, i.e. 30397, hence the app URL is: https://167.254.224.26:30397

Recommended answer

That's a problem of flask-oidc. It uses httplib2, which offers the disable_ssl_certificate_validation option to disable SSL/TLS cert verification, but unfortunately it is not configurable from flask-oidc.

The only option is to add the CA cert which was used to create the TLS cert for https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io to the httplib2 CA certs:

cat ca-cert.crt >> [path_to_python_libs]/certifi/cacert.pem

Offtopic: your deployment looks like Kubernetes, so it should be easy to get ca-cert.crt from the cluster and copy it to the right place when the app is starting.
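The answer's `cat ca-cert.crt >> .../certifi/cacert.pem` is the right idea (trust the cluster CA instead of disabling verification), but if an app does it on every container start the bundle gains one more copy of the CA per restart. The following is an added example, not code from the question, the answer, flask-oidc or httplib2: it parses the bundle into CERTIFICATE blocks, appends only what is missing, and shows where a Python client looks for its trust store. The PEM contents and file names are constructed placeholders, not real certificates or paths from the page.

```python
"""Add a CA certificate to a PEM trust bundle without duplicating it.

Added example for this answer, not the answer's own code. All PEM bodies
below are constructed placeholders, not real DER data.
"""
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-ins: a bundle already holding one cert, and the cluster CA
# we want to add (placeholder base64 bodies, deliberately not real certificates).
EXISTING_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPublicRootPlaceholder0001\n"
    "-----END CERTIFICATE-----\n"
)
CLUSTER_CA_PEM = (
    "# Keycloak ingress CA (constructed placeholder)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedClusterCAPlaceholder0002AAAA\n"
    "BBBB\n"
    "-----END CERTIFICATE-----\n"
)


def pem_bodies(text):
    """Return the base64 body of every CERTIFICATE block with whitespace removed,
    so the same certificate compares equal regardless of line wrapping."""
    return [re.sub(r"\s+", "", body) for body in PEM_BLOCK.findall(text)]


def ensure_ca_in_bundle(bundle_path, ca_pem):
    """Append each certificate in ca_pem that the bundle does not already hold.
    Returns the number of certificates added (0 means the bundle was untouched)."""
    bundle = Path(bundle_path)
    current = bundle.read_text() if bundle.exists() else ""
    present = set(pem_bodies(current))
    new_blocks = []
    for body in pem_bodies(ca_pem):
        if body in present:
            continue
        present.add(body)
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        new_blocks.append(
            "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"
        )
    if not new_blocks:
        return 0
    # Keep the bundle well-formed: a new block must start on its own line.
    prefix = "" if (not current or current.endswith("\n")) else "\n"
    with bundle.open("a") as fh:
        fh.write(prefix + "".join(new_blocks))
    return len(new_blocks)


def trust_bundle_candidates():
    """Where a Python client looks for CA certs: certifi's bundle (httplib2 uses
    it when certifi is importable, hence the answer's path) and the
    interpreter's default cafile."""
    paths = []
    try:
        import certifi
        paths.append(certifi.where())
    except ImportError:
        pass
    cafile = ssl.get_default_verify_paths().cafile
    if cafile:
        paths.append(cafile)
    return paths


def verifying_context(bundle_path):
    """SSL context that trusts the given bundle: the alternative to turning
    certificate validation off."""
    return ssl.create_default_context(cafile=str(bundle_path))


def run_demo():
    """Apply the CA twice to a scratch bundle; returns (added first time,
    added second time, total certificates in the bundle afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp, "cacert.pem")
        bundle.write_text(EXISTING_BUNDLE)
        first = ensure_ca_in_bundle(bundle, CLUSTER_CA_PEM)
        second = ensure_ca_in_bundle(bundle, CLUSTER_CA_PEM)
        total = len(pem_bodies(bundle.read_text()))
    return first, second, total


if __name__ == "__main__":
    print("added, added again, total:", run_demo())
    print("trust bundles:", trust_bundle_candidates())
```

In a container entrypoint, call ensure_ca_in_bundle with the path from trust_bundle_candidates() and the CA mounted from a Kubernetes secret or ConfigMap; a restart then leaves an already-patched bundle alone.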
