OpenID Connect - redirect_uri http vs https

xadamz23 · January 29, 2021, 5:10pm

Hello,

I have successfully deployed a simple python flask app that uses Flask-OIDC to authenticate to our orgs okta server. Everything works perfectly when the redirect_uri is http like this:

http://stizzle2.azurewebsites.net/authorization-code/callback

If I try and switch it to https like this:

https://stizzle2.azurewebsites.net/authorization-code/callback

it does not work and I get a 400 response:

Description: The ‘redirect_uri’ parameter must be a Login redirect URI in the client app settings: https://[ommitted].okta.com/admin/app/oidc_client/instance/0oa1kcgem6f9vTsOn0h8#tab-general

I have https in my client_secrets.json and also in my application config in my orgs okta server. I noticed this is the url that is sent to my orgs okta server from my client:
https://[ommitted].okta.com/oauth2/v1/authorize?client_id=[ommitted]&redirect_uri=http%3A%2F%2Fstizzle2.azurewebsites.net%2Fauthorization-code%2Fcallback&scope=openid+profile+email&access_type=offline&response_type=code&state=eyJjc3JmX3Rva2VuIjogIlRrTUpZMXU4NTNDYzl4RVlQa2ZLaE8tRkJPY0pFMFVnIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6STFOaUo5LkltaDBkSEE2THk5emRHbDZlbXhsTWk1aGVuVnlaWGRsWW5OcGRHVnpMbTVsZEM5c2IyZHBiaUkub01uRzRfZ0pacVM5UFpSRERCT2NJSzdOdnVJWG16QW5KUEd1UXRoa2F1cyJ9

I noticed “http%3A%2F%2Fstizzle2”. Shouldnt it be sending “https%3A%2F%2Fstizzle2”?

Any ideas on why it works via http, but doesnt work via https?

erik · January 29, 2021, 6:02pm

Hello,
How is the /authorize call being generated? Is this with one of our libraries or do you generate the call in your code?

There is a parameter access_type that I am not familiar with. I believe Google may use this for an auth code flow? The value is set to ‘offline’ which I believe means you want to include a refresh token? If that is the case the access_type parameter should be removed and in the scope parameter add ‘offline_access’ to the existing scopes.

For passing ‘http’ instead of ‘https’ that depends on how the /authorize call is made. If it was with one of our libraries it would be a config issue, but I am not familiar with our libraries passing access_type. So I am assuming the /authorize call is being generated by some other means.

xadamz23 · January 29, 2021, 6:25pm

I am using the auth code flow. I’m using the Flask-OIDC package in my python Flask app. It takes care of the heavy lifting. My code is as simple as this:

from flask_oidc import OpenIDConnect

app = Flask(name)

app.config.update({
‘SECRET_KEY’: ‘SomethingNotEntirelySecret’,
‘OIDC_CLIENT_SECRETS’: ‘./client_secrets.json’,
‘OIDC_ID_TOKEN_COOKIE_SECURE’: False,
‘OIDC_SCOPES’: [“openid”, “profile”, “email”],
‘OIDC_CALLBACK_ROUTE’: ‘/authorization-code/callback’,
‘OIDC_CLOCK_SKEW’: 300
})

oidc = OpenIDConnect(app)

app.route("/")
def home():
return render_template(“home.html”, oidc=oidc)

@app.route("/login")
@oidc.require_login
def login():
return redirect(url_for(“profile”))

@app.route("/profile")
@oidc.require_login
def profile():
info = oidc.user_getinfo([“sub”, “name”, “email”])
return render_template(“profile.html”, profile=info, oidc=oidc)

None of what I am doing requires a refresh token. Again, everything works fine as long as I’m using http when defining my redirect_uri. It fails when I try to use https.

erik · January 29, 2021, 10:26pm

As far as how to get Flask-OIDC to send https I am not sure, I have not worked with it.

Looking at the app.config I do not see where you supply a full callback, only relative.

My guess would be that Flask-OIDC would generate the full redirect uri based off of how your application is being accessed. If you access it with http, it will use http, if you access https, it will use https.

Just a guess.