From bb28339ca80a8410880d1150fdca12d59aa2bf21 Mon Sep 17 00:00:00 2001
From: Julian Rother <julianr@fsmpi.rwth-aachen.de>
Date: Wed, 7 Oct 2020 12:23:12 +0200
Subject: [PATCH] Got rid of requirement to use HTTPS for testing

---
 app.py | 13 ++++++++-----
 testapp/nginx.conf | 16 +++++++++-------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/app.py b/app.py
index b7aa395..8f5cee3 100644
--- a/app.py
+++ b/app.py
@@ -1,3 +1,4 @@
+import os
 from functools import wraps
 import secrets, json
 import urllib.parse
@@ -9,9 +10,9 @@ from requests_oauthlib import OAuth2Session
 app = Flask(__name__)
 app.secret_key = b'my secret'
 app.config['SESSION_COOKIE_NAME'] = 'oauth-session'
-app.config['OAUTH2_AUTH_URL'] = 'https://localhost:5001/oauth2/authorize'
-app.config['OAUTH2_TOKEN_URL'] = 'https://localhost:5001/oauth2/token'
-app.config['OAUTH2_USERINFO_URL'] = 'https://localhost:5001/oauth2/userinfo'
+app.config['OAUTH2_AUTH_URL'] = 'http://localhost:5001/oauth2/authorize'
+app.config['OAUTH2_TOKEN_URL'] = 'http://localhost:5001/oauth2/token'
+app.config['OAUTH2_USERINFO_URL'] = 'http://localhost:5001/oauth2/userinfo'
 
 @app.route("/auth")
 def auth():
@@ -37,7 +38,7 @@ def login():
 @app.route("/callback")
 def callback():
     client = get_oauth(state=session.pop('state'))
-    token = client.fetch_token(app.config['OAUTH2_TOKEN_URL'], client_secret=request.headers['X-CLIENT-SECRET'], authorization_response=request.url, verify=False)
+    token = client.fetch_token(app.config['OAUTH2_TOKEN_URL'], client_secret=request.headers['X-CLIENT-SECRET'], authorization_response=request.url, verify=(not app.debug))
     userinfo = client.get(app.config['OAUTH2_USERINFO_URL']).json()
     session['user'] = userinfo['email']
     return redirect(session.pop('url'))
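Review bot: The three `OAUTH2_*_URL` values are now hard-coded to plain `http`, so the client secret that `fetch_token` sends to the token endpoint and the token it receives travel unencrypted whenever this module is loaded, not only in the test setup the commit is about. Since `os` is imported in the first hunk, the base URL could come from the environment with the secure value as the default, e.g. `OAUTH2_BASE = os.environ.get('OAUTH2_BASE_URL', 'https://localhost:5001')` and `app.config['OAUTH2_TOKEN_URL'] = OAUTH2_BASE + '/oauth2/token'` (same for the other two). That keeps the insecure variant an explicit opt-in, in line with the "Don't do that in production!" comment in the last hunk of this file.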
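Review bot: `verify=(not app.debug)` ties certificate verification of the token request to Flask's debug flag, and the `__main__` hunk at the end of this file starts the app with `app.run(debug=True, ...)`, so the only launch path shown always runs with verification off; a deployment that enables debug for other reasons would lose verification silently as well. The userinfo request on the next line, `client.get(app.config['OAUTH2_USERINFO_URL'])`, passes no `verify` at all, so two requests to the same server are governed differently. A dedicated setting is clearer and cannot be flipped by the debugger: `verify=app.config.get('OAUTH2_VERIFY_TLS', True)`, with the test configuration setting it to `False` in the same place that sets `OAUTHLIB_INSECURE_TRANSPORT` in the `__main__` hunk. With the URLs now `http` the flag has no effect in the test setup anyway, which is why keeping the production path correct is the part that matters.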
@@ -75,4 +76,6 @@ a valid redirect_uri for the client_id.
     return resp
 
 if __name__ == '__main__':
-    app.run(debug=True, host='localhost', port=5002, ssl_context='adhoc')
+    # oauthlib enforces the OAuth2.0 requirement to use HTTPS, when this is not set
+    os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # Don't do that in production!
+    app.run(debug=True, host='localhost', port=5002)
diff --git a/testapp/nginx.conf b/testapp/nginx.conf
index 284a5fd..06c8b76 100644
--- a/testapp/nginx.conf
+++ b/testapp/nginx.conf
@@ -18,9 +18,11 @@ http {
     tcp_nodelay on;
     keepalive_timeout 65;
     types_hash_max_size 2048;
-    ssl on;
-    ssl_certificate ../devcert.crt;
-    ssl_certificate_key ../devcert.key;
+    # OAuth2.0 mandates HTTPS for all involved services. OAuthProxy will refuse
+    # to work over unencrypted connections.
+    #ssl on;
+    #ssl_certificate mycert.crt;
+    #ssl_certificate_key myert.key;
     server {
         #listen 50004;
         #listen [::]:5004;
@@ -39,17 +41,17 @@ http {
         }
 
         location /oauthproxy/ {
-            proxy_set_header X-REDIRECT-URI "https://localhost:5004/oauthproxy/callback";
+            # The OAuth client credentials must match those configured on the OAuth server.
+            proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback";
             proxy_set_header X-CLIENT-ID "test";
             proxy_set_header X-CLIENT-SECRET "testsecret";
             proxy_set_header X-SCOPE "userinfo";
-            proxy_ssl_verify off;
-            proxy_pass https://localhost:5002/;
+            proxy_pass http://localhost:5002/;
         }
 
         error_page 401 = @error401;
         location @error401 {
-            return 302 /oauthproxy/login?url=https://$http_host$request_uri;
+            return 302 /oauthproxy/login?url=http://$http_host$request_uri;
         }
 
     }
-- 
GitLab
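Review bot: The commented-out key path `#ssl_certificate_key myert.key;` does not match the certificate line `#ssl_certificate mycert.crt;` directly above it, so anyone re-enabling TLS from this template gets a missing-file error; it should read `#ssl_certificate_key mycert.key;`. The two new comment lines also state that OAuthProxy "will refuse to work over unencrypted connections", which is exactly what this commit switches off through `OAUTHLIB_INSECURE_TRANSPORT` in app.py, so the comment now contradicts the configuration below it. A line such as `# For local testing app.py sets OAUTHLIB_INSECURE_TRANSPORT; re-enable the ssl lines and drop that variable for anything non-local.` would keep the two files consistent. The enclosing `http` block starts and ends outside the hunk.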
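Review bot: The redirect_uri header and the 401 redirect now hard-code the `http` scheme, while the scheme the server actually listens on is decided by the commented-out `ssl` lines in the previous hunk, so re-enabling TLS there means editing these two lines again. nginx's `$scheme` variable follows the listener: `proxy_set_header X-REDIRECT-URI "$scheme://localhost:5004/oauthproxy/callback";` and `return 302 /oauthproxy/login?url=$scheme://$http_host$request_uri;`; the redirect_uri still has to be registered on the OAuth server for whichever scheme is in use. Note also that `$http_host` is the client-supplied Host header, so the `url=` value handed to the login endpoint is client-influenced; whether the login handler validates it before it is stored and later used by `redirect(session.pop('url'))` in app.py is outside this diff. The added comment about client credentials sits above `X-REDIRECT-URI`; placing it above `X-CLIENT-ID` would put it next to the values it describes.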