Hi.
I set up everything to log in with Keycloak. Everything worked as expected when run against Keycloak over HTTP.
Then I configured Keycloak over HTTPS with a certificate issued by a self-signed CA:
::ffff:172.18.0.11 - - [2018-03-31 21:19:23] "GET / HTTP/1.1" 302 2133 0.031266
Traceback (most recent call last):
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/gevent/pywsgi.py", line 935, in handle_one_response
self.run_application()
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/gevent/pywsgi.py", line 908, in run_application
self.result = self.application(self.environ, self.start_response)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1997, in __call__
return self.wsgi_app(environ, start_response)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1985, in wsgi_app
response = self.handle_exception(e)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1540, in handle_exception
reraise(exc_type, exc_value, tb)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
raise value
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
raise value
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/flask_oidc/__init__.py", line 650, in _oidc_callback
credentials = flow.step2_exchange(code)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
return wrapped(*args, **kwargs)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/oauth2client/client.py", line 2054, in step2_exchange
http, self.token_uri, method='POST', body=body, headers=headers)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/oauth2client/transport.py", line 282, in request
connection_type=connection_type)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1514, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1264, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1187, in _conn_request
conn.connect()
File "/root/.virtualenvs/spy-registry-kjDCNykl/lib/python3.6/site-packages/httplib2/__init__.py", line 1013, in connect
self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
File "/opt/python36/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/opt/python36/lib/python3.6/ssl.py", line 814, in __init__
self.do_handshake()
File "/opt/python36/lib/python3.6/ssl.py", line 1068, in do_handshake
self._sslobj.do_handshake()
File "/opt/python36/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)
Sat Mar 31 21:19:23 2018 {'REMOTE_ADDR': '::ffff:172.18.0.11', 'REMOTE_PORT': '46558', 'HTTP_HOST': '10.100.100.10:6000', (hidden keys: 30)} failed with SSLError
# make a request to IdP to exchange the auth code for OAuth credentials
# NOTE(review): this snippet is the body of flask_oidc's _oidc_callback (see the
# traceback); the enclosing function starts and ends outside this excerpt.
flow = self._flow_for_request()
# step2_exchange() POSTs to the IdP's token endpoint through oauth2client ->
# httplib2, and httplib2 builds its own SSL context for that connection
# (traceback: httplib2/__init__.py connect -> self._context.wrap_socket).
# The CERTIFICATE_VERIFY_FAILED above is raised on this line, so the CA that
# signed the Keycloak certificate must be trusted by the bundle httplib2
# validates against — which is not necessarily the OS store; presumably
# httplib2.Http(ca_certs=...) or the bundle it ships is what applies here,
# TODO confirm against the installed httplib2 version. Certificate
# verification itself should stay enabled on this exchange.
credentials = flow.step2_exchange(code)
# The ID token is only trustworthy once the exchange above succeeded over a
# verified TLS connection to the token endpoint.
id_token = credentials.id_token
I think Flask tries to communicate with Keycloak and the SSL handshake fails.
The custom CA certificate is imported into the system CA store on the host where Flask runs,
but there is no way to get rid of the issue.
I tried to follow the code, but I got lost in it.