Hi guys, i have a Flask application running on https 172.16.150.36:5000
app = Flask(__name__)
app.config.from_pyfile("idp.py")
oidc = OpenIDConnect(app)
the idp.py
SECRET_KEY = ‘12345678’
OIDC_CLIENT_SECRETS = "/code/app/client_secret.json"
OIDC_RESOURCE_SERVER_ONLY = False
OIDC_SCOPES = ["openid", "email", "profile"]
OIDC_INTROSPECTION_AUTH_METHOD = "client_secret_post"
OIDC_RESOURCE_CHECK_AUD = True
and the client_secret.json
{
"web": {
"client_id": "km3-connector",
"client_secret": "aO71fP5MBaBJdKowaIhadM5hYztPKMOD",
"auth_uri": "https 172.16.65.49:8443/realms/jb/protocol/openid-connect/auth",
"token_uri": "https 172.16.65.49:8443/realms/jb/protocol/openid-connect/token",
"userinfo_uri": "https 172.16.65.49:8443/realms/jb/protocol/openid-connect/userinfo",
"issuer": "https 172.16.65.49:8443/realms/jb",
"redirect_uris": [
"https 172.16.150.36:5000/*"
]
}
}
So in keycloak 26 i have configurated a client service called km3-connector like OIDC
root url: https 172.16.150.36:5000/
valid redirect uris: https 172.16.150.36:5000/, http 172.16.150.36:5000/
client auth ON with
Authentication flow → Standard flow & Direct access grants
the external IDP give to me the metadata xml so i have created the IDP SAML
redirect URI: https 172.16.65.49:8443/realms/jb/broker/km3db/endpoint
service provider entity: https 172.16.65.49:8443/realms/jb
and set identity provider entity ID, SSO login and SSO logout with his data
rest options are all OFF (no assertion signed or encrypted no authrequest signed, ecc)
this is my views.py
@app.route("/abc")
def index_():
if oidc.user_loggedin:
return jsonify({"Hello" : f"{oidc.user_getfield('email')}!"})
else:
return jsonify({'a' : 'Welcome, please <a href="/login_">log in</a>.'})
@app.route("/login_")
@oidc.require_login
def login_():
return redirect(url_for("index_"))
@app.route("/logout_")
def logout_():
oidc.logout_()
return redirect(url_for("index_"))
when i go in https 172.16.150.36:5000/login_ flask redirect me to my keycloak server
https 172.16.65.49:8443/realms/jb/protocol/openid-connect/auth?client_id=km3-connector&redirect_uri=https%253A%252F%252F172.16.150.36%253A5000%252Foidc_callbac…
i see the alias of my idp, click on it and redirect to SSO login. When i try to login i can see the SAML from idp with login ok, keycloak add the new user discovered but the flow redirect me to
https 172.16.150.36:5000/oidc_callback?state=eyJjc3JmX3Rva2VuIjogInprNi1BMHFVZUxiMzNLMmlzU05RUlQ3djUwSkFDMWptIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEJ6T2k4dk1UY3lMakUyTGpFMU1DNHpOam8xTURBd0wyeHZaMmx1WHlJLl9vUVFfRW9KYWFPUFpqLTlEeC15b0RzNUF6MVZJQmVkSGNndWNvdjRGREFaRmlGc3RueFItckQzQ2FwNlRfVXhjdFJuWEtRcUQyVDdzOUw2MGh6NDVnIn0%3D&session_state=1efef2f0-8821-4d3b-85b2-ece9fe6f28c9&iss=https%3A%2F%2F172.16.65.49%3A8443%2Frealms%2Fjb&code=9aba3b71-b33a-4f67-b83a-40ae002a3ab2.1efef2f0-8821-4d3b-85b2-ece9fe6f28c9.d9294025-03bb-4156-9390-b30985d37971
where a page with error
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1091)
is showed… why??? The external IDP asked me just the redirect uri that i gave https 172.16.65.49:8443/realms/jb/broker/km3db/endpoint
and my service provider entity: https 172.16.65.49:8443/realms/jb
What’s the problem? p.s. my ssl certs are all self-signed