Tags: nginx, discord, python-3.7, quart, hypercorn

Discord OAuth on Quart receiving InsecureTransportError even with an SSL certificate


Recently I have been working on a website project that allows users to login with their Discord accounts to browse the website with their account.

The website utilizes the Flask-Discord library, Quart as my WSGI web framework, Hypercorn as my production server and Nginx as a proxy to pass web requests to my Hypercorn socket. I have set up an SSL certificate using Certbot-Nginx with Let's Encrypt as the Certificate Issuer. However, after users are redirected to the Discord login page, the user logs into Discord and the callback is requested to my Quart server, I am receiving the following error:

oauthlib.oauth2.rfc6749.errors.InsecureTransportError: (insecure_transport) OAuth 2 MUST utilize https.

The website is set up and working correctly with a domain set up with noip temporarily and the SSL certificate valid, making all requests redirect to HTTPS instead of HTTP.

Is it possible that because the SSL certificate is set up with Nginx that the Python OAuth2 library is just unaware of the SSL certificate? It seems unlikely considering all requests are being redirected to HTTPS.

I've found plenty of people recommending that, to prevent such an error, you just change the OAuth environment variables to allow for insecure transport, but I don't want to compromise the security of the website.

Any ideas as to why this might be happening would be extremely helpful.

Thanks


Solution

  • This is happening because requests coming from the Nginx reverse proxy are in HTTP form. Since you're running the Quart app locally at say http://127.0.0.1:5000 and when Nginx makes requests to this URL, it starts with http. So insecure transport is done only from Nginx to your Quart app. You can suppress this by setting "OAUTHLIB_INSECURE_TRANSPORT" = "true". More on this: https://github.com/thec0sm0s/Flask-Discord/issues/3#issuecomment-676567390
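As an added illustration of the proxy hop described in the answer (this is example code, not part of the question, the answer, or Flask-Discord): the check oauthlib applies to the callback URL is mirrored in `is_secure_transport`, and `external_url` shows the alternative of rebuilding the browser-facing `https://` URL from the `X-Forwarded-Proto` / `X-Forwarded-Host` headers that Nginx can be configured to send (`proxy_set_header X-Forwarded-Proto $scheme;`), honoured only when the request is known to come from your own proxy. The sample request, the `example.com` host and the `trusted_proxy` flag are constructed assumptions.

```python
import os
from urllib.parse import urlsplit

# Constructed sample: the callback request as Quart sees it behind Nginx.
# Nginx terminates TLS and speaks plain HTTP to 127.0.0.1:5000, so the local
# URL starts with "http://" even though the browser used "https://".
LOCAL_REQUEST = {
    "url": "http://127.0.0.1:5000/callback?code=abc123&state=xyz",
    "headers": {
        "X-Forwarded-Proto": "https",      # set by Nginx: proxy_set_header X-Forwarded-Proto $scheme;
        "X-Forwarded-Host": "example.com",  # placeholder domain, not the asker's
    },
}


def is_secure_transport(uri: str, env=None) -> bool:
    """Mirror of the rule oauthlib applies (assumption based on reading
    oauthlib.oauth2.rfc6749.utils.is_secure_transport): any non-empty value in
    OAUTHLIB_INSECURE_TRANSPORT disables the check entirely, otherwise the URI
    must start with https://."""
    env = os.environ if env is None else env
    if env.get("OAUTHLIB_INSECURE_TRANSPORT"):
        return True
    return uri.lower().startswith("https://")


def external_url(request: dict, trusted_proxy: bool) -> str:
    """Rebuild the URL the browser actually requested. X-Forwarded-* headers are
    honoured only when the connection is known to come from our own reverse
    proxy; otherwise any client could spoof scheme and host."""
    parts = urlsplit(request["url"])
    scheme, host = parts.scheme, parts.netloc
    if trusted_proxy:
        headers = request["headers"]
        scheme = headers.get("X-Forwarded-Proto", scheme).lower()
        host = headers.get("X-Forwarded-Host", host)
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected forwarded scheme: {scheme!r}")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def callback_passes_check(request: dict, trusted_proxy: bool, env=None) -> bool:
    """True when the reconstructed callback URL satisfies the https rule."""
    return is_secure_transport(external_url(request, trusted_proxy), env)
```

With the local URL alone the check fails, which is the error in the question; with the forwarded headers from a trusted proxy the reconstructed URL is `https://` and passes without touching the environment variable.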