singingwolfboy / flask-dance

Doing the OAuth dance with style using Flask, requests, and oauthlib.
https://pypi.python.org/pypi/Flask-Dance/
MIT License
1.01k stars, 158 forks

make_google_blueprint - redirect_uri is injected with HTTP scheme instead of HTTPS #347

Closed (royberkoweee closed 3 years ago)

royberkoweee commented 3 years ago

Hey,

I am wondering why redirect_uri uses an HTTP scheme by default instead of HTTPS. Can't find a good way to override it. This happens although I have the following setup:

  1. app.config['PREFERRED_URL_SCHEME'] = 'https'
  2. app.register_blueprint(google_blueprint, url_prefix='/login', url_scheme='https')

In the OAuth2ConsumerBlueprint class's login method: self.session.redirect_uri = url_for(".authorized", _external=True)

Should be: self.session.redirect_uri = url_for(".authorized", _external=True, **_scheme='https'**)

Is there a way to override this (a.k.a make the redirect_uri scheme use HTTPS) during the blueprint initiation?

daenney commented 3 years ago

The protocol of the generated URL is based on whether Flask believes the connection to be http or https.

It’s usually a setup/configuration issue with your reverse proxy if it doesn’t generate an https URL when you’re expecting one.

The usual issue is you’re not setting X-Forwarded-Proto when proxying: https://flask.palletsprojects.com/en/1.1.x/deploying/wsgi-standalone/#proxy-setups

royberkoweee commented 3 years ago

Thanks

app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1, x_host=1)

solved it indeed
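The behaviour discussed in this thread, as an added example that is not code from the issue or from Flask-Dance: the same view yields an `http://` redirect URI behind a TLS-terminating proxy until `ProxyFix` is told how many proxy hops to trust. The route path, the host `app.example.com`, and the helpers `make_app` and `redirect_uri` are assumptions made for the illustration.

```python
from flask import Flask, url_for
from werkzeug.middleware.proxy_fix import ProxyFix

# Constructed sample: headers a TLS-terminating reverse proxy would add.
PROXY_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "app.example.com",
}


def make_app(trusted_proxies):
    """Build a small app; trusted_proxies=0 leaves ProxyFix off."""
    app = Flask(__name__)
    # Only consulted outside a request context, so it does not change
    # the URL built while handling a proxied request.
    app.config["PREFERRED_URL_SCHEME"] = "https"

    # Hypothetical stand-in for Flask-Dance's "authorized" view: it returns
    # the value that would be sent to the provider as redirect_uri.
    @app.route("/login/google/authorized")
    def authorized():
        return url_for("authorized", _external=True)

    if trusted_proxies:
        # Trust exactly as many hops as there are proxies in front of the
        # app; the value for a trusted hop is counted from the right.
        app.wsgi_app = ProxyFix(
            app.wsgi_app, x_proto=trusted_proxies, x_host=trusted_proxies
        )
    return app


def redirect_uri(app, headers):
    """Request the view over plain HTTP, as the proxy-to-app hop would."""
    resp = app.test_client().get(
        "/login/google/authorized", base_url="http://localhost", headers=headers
    )
    return resp.get_data(as_text=True)


if __name__ == "__main__":
    print(redirect_uri(make_app(0), PROXY_HEADERS))  # headers ignored
    print(redirect_uri(make_app(1), PROXY_HEADERS))  # headers honoured
    # A client-supplied "https" followed by the proxy's own "http":
    # with one trusted hop only the right-most value is used.
    print(redirect_uri(make_app(1), {"X-Forwarded-Proto": "https, http"}))
```

Setting `x_proto` or `x_host` higher than the real number of proxies makes the app accept values a client can supply itself, so the count should match the deployment.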