Keycloak Gitpod Flask OIDC: oauth2client.client.FlowExchangeError: Invalid response: 301 - flask

I'm trying to implement Flask-OIDC and Keycloak in a Flask app run inside a Gitpod workspace.
I'm running the application and the Keycloak server like this:
./keycloak-11.0.3/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 &
flask run --host=0.0.0.0 &
Based on this post
I'm able to redirect to the Keycloak login page for regular users from within the Flask application, but when I login with an existing user I get the following:
oauth2client.client.FlowExchangeError: Invalid response: 301
My client_secrets.json currently looks something like this:
{
"web": {
"auth_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/protocol/openid-connect/auth",
"issuer": "http://keycloak-hostname-gitpod/auth/realms/realm",
"userinfo_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/protocol/openid-connect/userinfo",
"client_id": "client",
"client_secret": "client_secret",
"redirect_uris": ["http://flask-app-hostname-gitpod/oidc_callback"],
"token_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/protocol/openid-connect/token",
"token_introspection_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/openid-connect/token/introspect"
}
}
Relevant client configuration inside keycloak:
Root URL: http://flask-app-hostname-gitpod/*
Valid Redirect URIs: http://flask-app-hostname-gitpod/*
Admin URL: http://flask-app-hostname-gitpod/*
Web Origins: http://flask-app-hostname-gitpod
I use http in all of these urls instead of https, because when I use https Keycloak says the redirect_uri is invalid. This seems to be the actual problem here since the gitpod urls use https, but I'm not sure how to handle this. I've tried some solutions like described here, but couldn't get them to work.
Relevant part routing:
#app.route("/")
def hello_world():
if oidc.user_loggedin:
return (
'Hello, %s, See private '
'Log out'
) % oidc.user_getfield("preferred_username")
else:
return 'Welcome anonymous, Log in'
#app.route("/private")
#oidc.require_login
def test():
return "test"
Parts of standalone.xml that might be relevant:
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" read-timeout="30000" proxy-address-forwarding="true" />
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" read-timeout="30000" />
Update
After following changing the http urls to https as Jan Garaj suggested and setting the OVERWRITE_REDIRECT_URI I don't get the invalid response: 301 error anymore:
OVERWRITE_REDIRECT_URI = "https://flask-app-hostname-gitpod/oidc_callback"
Now I'm able to go to the keycloak login form, but on logging in I now get:
oauth2client.client.FlowExchangeError: Invalid response: 401.
These are the requests made:
https://keycloak-hostname-gitpod/auth/realms/realm/login-actions/authenticate?session_code=session_code&execution=execution&client_id=client&tab_id=tab_id
https://flask-app-hostname-gitpod/oidc_callback?state=state&session_state=session_state&code=code
Requests inside the network inspector:

After much trial end error I've finally figured out what the problem was.
The redirect problem in the original question was solved by setting OVERWRITE_REDIRECT_URI:
OVERWRITE_REDIRECT_URI = "https://flask-app-hostname-gitpod/oidc_callback"
The oidc_callback request was still not working however, I was getting this:
oauth2client.client.FlowExchangeError: Invalid response: 401.
Jan Garaj's comment made me realise the problem was that the token endpoint request was not working.
I had checked the token endpoint uri multiple times and copied the value from:
https://flask-app-hostname-gitpod/auth/realms/demo/.well-known/openid-configuration
but it still didn't work.
The reason it didn't work was actually unrelated to my Keycloak configuration, but the way my keycloak server was running inside Gitpod.
Gitpod set the port that the keycloak server was running on to private. Because the keycloak server was running on a private port, the request to the follwing url failed:
https://keycloak-hostname-gitpod/auth/realms/demo/protocol/openid-connect/token
After making the port public it worked.
if you already know that you want a particular port exposed, you can configure it in .gitpod.yml:
ports:
- port: 5000
onOpen: open-preview
- port: 8080
https://www.gitpod.io/docs/config-ports

Related

flask sessions not persistent between requests from cross domains

I have a frontend vue site hosted on google's firebase with the url (https://front-end.web.com) , while my flask backend is hosted on heroku with the url (https://back-end.heroku.com). This makes my session not to persist across requests, I tried fixing this by implementing CORS on my backend, but for some reason it's not working , below are snippets of my code to show my implementation
config_class.py
class ConfigClass():
CORS_ALLOW_HEADERS = ['Content-Type']
CORS_ORIGINS = ['https://front-end.web.com']
SECRET_KEY = os.environ.get("APP_SECRET_KEY")
SESSION_TYPE = 'redis'
_init.py
from flask import Flask, session
from flask_session import Session
from flask_cors import CORS
from root_folder.config import ConfigClass
db = SQLAlchemy()
migrate = Migrate()
ma = Marshmallow()
sess = Session()
def create_app(ConfigClass):
# initiate the flask app and assign the configurations #
app = Flask(__name__)
app.config.from_object(config_options[config_class])
sess.init_app(app)
from root_folder.clients import clients_app
# register all the blueprints in this application
app.register_blueprint(clients_app)
CORS(app, supports_credentials=True)
# return the app object to be executed
return app
app.py
from root_folder import create_app
app = create_app()
Procfile:
web: gunicorn -w 1 app:app
axios front end request
let formData = new FormData();
formData.append("email", email);
formData.append("password", password);
axios.post(
backendUrl+'create_client_account',
formData,
{
withCredentials: true,
headers:{
"Content-Type": "multipart/form-data"
}
}
);
create client route ( I have stripped this code block to the bare minimum to make it understandable):
from flask import session
# route for creating account credentials
#bp_auth_clients_app.route("/create_client", methods=["POST"])
def create_client():
username = request.form.get("username").lower()
email = request.form.get("email").lower()
# create account code goes here #
auth_authentication = True
session["auth_authentication"] = auth_authentication
req_feedback = {
"status": True,
"message": "Account was successfully created",
"data": feedback_data
}
return jsonify(req_feedback), 200
After the account is successfully created, I am unable to access the session value in subsequent requests, it returns None.
To recreate the problem on my local server, I access the front-end via the domain "localhost:8080" , while I access the flask server via "127.0.0.1:8000" . If I change the front end domain to "127.0.0.1:8080", I don't usually have any problems.
Kindly advice on what to do.
Thanks to Ahmad's suggestion, I was able to resolve the issue using custom domains for both my frontend and backend as follows:
frontend.herokuapp.com -> customDomain.com
backend.herokuapp.com -> api.customDOmain.com
finally I added the line below to my session config:
SESSION_COOKIE_DOMAIN = ".customDomain.com"
And all was well and good.
Sessions use cookies:
On session creation the server will send the cookie value in the set-cookie header. It doesn't work for you because of cross origin issue.
It works fine for you when you use 127.0.0.1 because 127.0.0.1:8080 and 127.0.0.1:8000 are the same origin so the browser accepts the set-cookie header and do set the cookie no problem.
Cookies are sent in the header on each request and your server loads the session from Redis by cookie value (The cookie value is called session_id).
How it gets inserted => Normally your session gets serialized and inserted in Redis with the cookie hash as Key in the end of the request life cycle.
If you want to keep using sessions and cookies you need to find another solution for your deployment to so that your backend and frontend have the same hostname.
If you can't do I'd recommend to read about JWT (Json-Web-Tokens).
EDIT
You can send the session id in your response body and save it in local storage.
Then you need to configure:
frontend set the session id value it in the Authorization header base64 encoded.
Backend base64 decode Authorization header value from request and check for the session in Redis, if exists load it.
EDIT
How to deploy both backend/frontend on same hostname using apache:
using apache you need to create 2 virtual hosts one for backend and the other for frontend listening on different ports then configure your web server deployment to use the backend VH if the path is prefixed by /api/ and use the frontend Virtual host for anything else.
This way any request you make to your api your backend will handle it otherwise it'll serve your frontend app.
This is just a way on how to do it there is plenty others
Check this question.

Redirect URI mismatch error from Google OAuth

I have a Flask web application which is hosting in Google Cloud Run which is hosted with https://mydomain.run.app.
Now I am trying to add google authentication to it. I have created the API under credentials in GCP. I have given https://mydomain.run.app/authorize in the redirect uri but when I tried to login from my app it throws me redirect mismatch error.
And the error shows me http://mydomain.run.app/authorize.
The mismatch is the https and http
When I tried to give http in the credentials uri it throws me
Invalid Redirect: This app has a publishing status of "In production". URI must use https:// as the scheme.
#app.route('/login/google')
def google_login():
google = oauth.create_client('google')
redirect_uri = url_for('authorize', _external=True,_scheme='https')
return google.authorize_redirect(redirect_uri)
#app.route('/authorize')
def authorize():
google = oauth.create_client('google')
token = google.authorize_access_token()
resp = google.get('userinfo')
user_info = resp.json()
user = oauth.google.userinfo()
session['profile'] = user_info
session.permanent = True
return redirect('/select')
Under Authorized redirect URIs
You should put 1 more URI :
https://mydomain.run.app/
Then check again. I have got same issue before.
your app is currently set to production in google developer console.
This means that all of the redirect uris you try to add to your project. Must be HTTPS and not HTTP you can also not use localhost
As you are trying to use http://mydomain.run.app/authorize you need to change it so that it is https://mydomain.run.app/authorize note that the first one was http:// and not https://
The error is coming because your application itself is trying to send a redirect uri of http and not https. You need to fix your application so that it is using https.

Axios is adding a prefix to the api target url

I know this may be the dumpest question ever asked, however it really got me this hopeless :(
I have the React front End with a simple property in package.json
"proxy": "http://localhost:5000/"
which I believe is redirecting all api sent through axios to that servr address.
My axios request is
const canvas_type="standard"
axios.post('api/v1/new_canvas',{
canvas_type
})
}
The backend flask api is:
#api_bp.route("/new_canvas", methods=["POST"])
#requires_auth
def get_new_cavas():
"""working code"""
The code works perfectly when tested with Postman,
but when I call the axios, I get this line in the server output
127.0.0.1 - - [01/Sep/2018 23:51:12] "POST /designer/api/v1/new_canvas HTTP/1.1" 405 -

Getting Facebook callback error even after enabling 'Embedded browser OAuth Login' and specifying the callback url

I have a rails(4.2.0) application that uses Facebook login functionality. The main gems are devise(3.4.0) and omniauth-facebook(2.0.0). I have registered the application on Facebook and have been using its test app for development. The Facebook login functionality works in the development env.
When trying to use the facebook login feature on the production server, I get error as "Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains."
The details for settings for test app being used in the dev env are as -
Settings:
Basic:
App Domains: 'localhost'
Website:
Site URL: 'http://localhost:3000'
Advanced:
OAuth Settings:
Embedded browser OAuth Login: Yes
Valid OAuth redirect URIs: "http://localhost:3000/users/auth/facebook/callback"
The details for settings for registered app being used in the production env are as -
Settings:
Basic:
App Domains: 'www.mysite.co'
Website:
Site URL: 'http://www.mysite.co'
Advanced:
OAuth Settings:
Embedded browser OAuth Login: Yes
Valid OAuth redirect URIs: "http://www.mysite.co/users/auth/facebook/callback"
I have specified the following in my secrets.yml
development:
secret_key_base: some_secret_key
facebook:
app_id: test_app_id
app_secret: test_app_secret
production:
secret_key_base: some_secret_key
facebook:
app_id: registered_app_id
app_secret: registered_app_secret
And have been using the creds from secrets.yml in the devise initialiser as
# ==> OmniAuth
# Add a new OmniAuth provider. Check the wiki for more information on setting
# up on your models and hooks.
# config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
require 'omniauth-facebook'
config.omniauth :facebook, Rails.application.secrets.facebook['app_id'], Rails.application.secrets.facebook['app_secret'], scope: ['user_photos', 'email', 'public_profile']
The actual domain name(blackened) has no typos anywhere and is same wherever it is used.
Contains of routes.rb related to omniauth are as
cat config/routes.rb
Rails.application.routes.draw do
root 'home#index'
devise_for :users, controllers: { omniauth_callbacks: "users/omniauth_callbacks" }
# routes related to other controllers
end
The routes are as below
bundle exec rake routes | grep user
new_user_session GET /users/sign_in(.:format) devise/sessions#new
user_session POST /users/sign_in(.:format) devise/sessions#create
destroy_user_session DELETE /users/sign_out(.:format) devise/sessions#destroy
user_omniauth_authorize GET|POST /users/auth/:provider(.:format) users/omniauth_callbacks#passthru {:provider=>/facebook/}
user_omniauth_callback GET|POST /users/auth/:action/callback(.:format) users/omniauth_callbacks#:action
The only code related to omniauth in the entire app is as
$ cat app/controllers/users/omniauth_callbacks_controller.rb
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
def facebook
#You need to implement the method below in your model (e.g. app/models/user.rb)
#user = User.from_omniauth(request.env["omniauth.auth"])
if #user.persisted?
sign_in_and_redirect #user, event: :authentication #this will throw if #user is not activated
set_flash_message(:notice, :success, kind: "Facebook") if is_navigational_format?
else
session["devise.facebook_data"] = request.env["omniauth.auth"]
redirect_to new_user_registration_url
end
end
end
Upon further digging the problem, it was observed that the error didnt occur when 'www.example.com' was specified in the url and hence, the callback worked. When 'example.com' was specified in the address bar and facebook login tried, the login crashed with the above error.
So, I fixed the above issue by making some changes to the settings in for the facebook app. I donno if this is the right approach but it worked out. Just making the change as in point 2 didnt solve the problem.
Changes are:
1) Specified the 'App Domains' with 'example.com' and 'www.example.com'
2) Enabled 'Client OAuth Login' to 'Yes'
3) Specified 'Valid OAuth redirect URIs' with 'http://example.com/users/auth/facebook/callback' and 'http://www.example.com/users/auth/facebook/callback'
Ok, so I assume that you have a web app NOT running on Facebook that simply uses the Facebook OAuth flow for login functionality, correct? If so, you must enable "Client OAuth Login" in your application settings for the production environment. If you don't, then the web OAuth flow will not work. See this article: https://developers.facebook.com/docs/facebook-login/security

Openshift cors request returns 405 method not allowed

I have the following setup on openshift:
one application running wildfly 8 and mysql (A) - sort of a REST api.
one application running a flask app through wsgi (B) - client app.
I want to do a POST request from B to A in order to authenticate. Locally I'm sort of running the same setup, port 8080 for A, 5000 for B and everything works smoothly (of course it does :P), but doing this on openshift I get a 405 response.
Another thing that I've noticed is that if I do the same request from a chrome rest client(Postman) to A the call completes ok, so I'm starting to think that maybe there's something wrong with B, but I can't find anything on the openshift app and again ... locally it behaves as expected.
The flask app uses the requests library. Snippet from login method bellow:
url = API_ROOT + '/login'
payload = {'userId': username, 'password': password}
headers = {'content-type': 'application/json'}
return requests.post(url, verify=False, headers=headers, data=json.dumps(payload))
Thanks.