oauth-2.0, identityserver4, authlib

Getting handshake error while doing OAuth 2.0 flow with IdentityServer4 and Authlib

I have implemented an authorization server using IdentityServer4 and also a client app using Python Flask, and I am trying to test authentication with Authlib. I managed to get past the errors one by one, but there is one that I am stuck with and have no idea why I am getting. Here is the exception thrown on the Python (client) side:

usr/lib/python3/dist-packages/urllib3/connectionpool.py:999: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.90'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
ERROR:root:HTTPSConnectionPool(host='192.168.1.90', port=4443): Max retries exceeded with url: /.well-known/openid-configuration/jwks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/SSL.py", line 1991, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/SSL.py", line 1700, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/_util.py", line 55, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', '', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 366, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.1.90', port=4443): Max retries exceeded with url: /.well-known/openid-configuration/jwks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/securify/SecurifyID/chrome-extension/chrome-extension-backend/app.py", line 96, in callback_handling
    securify.authorize_access_token(verify=False)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/flask_client/apps.py", line 107, in authorize_access_token
    userinfo = self.parse_id_token(token, nonce=state_data['nonce'])
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/base_client/sync_openid.py", line 66, in parse_id_token
    claims = _jwt.decode(
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/jose/rfc7519/jwt.py", line 96, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/jose/rfc7515/jws.py", line 101, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/jose/rfc7515/jws.py", line 254, in _prepare_algorithm_key
    key = key(header, payload)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/base_client/sync_openid.py", line 38, in load_key
    jwk_set = JsonWebKey.import_key_set(self.fetch_jwk_set())
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/base_client/sync_openid.py", line 17, in fetch_jwk_set
    resp = session.request('GET', uri, withhold_token=True)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/requests_client/oauth2_session.py", line 104, in request
    return super(OAuth2Session, self).request(
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.1.90', port=4443): Max retries exceeded with url: /.well-known/openid-configuration/jwks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))
2.186.124.22 - - [30/May/2022 07:21:13] "GET /callback?code=4FD8DE309058C13FF8FD0A3FC70A1793D9B2CA0F6CFF84362309BBEC56881C60&scope=openid%20profile%20email%20Roles&state=Bzlq7Ot4O6lIdmEOs0tYpSWZIj1nV8&session_state=RF3Fhyoxgg097pLXygTmXLKjWuSj1DbzIsuL_MEMURs.7038FDC84E3DD2C2F908E76BA513B2E2 HTTP/1.1" 500 -

This exception occurs in the test.authorize_access_token(verify=False) step of the Python code. I even passed verify=False, as I am using self-signed certificates on my IdentityServer, but not on the client side. I suspect it might be related to the JWKS_URI, but I am not sure. Here are the JWKS_URI contents:

{"keys":[{"kty":"RSA","use":"sig","kid":"626D09B2DC030BE93D98473AAD272727","e":"AQAB","n":"rSEKbbU0E7GgnuGHMVAfzhYj34Z7rgGcNy5nukzY-Ci6M_U0S-sab52cpoALSKPNep46aXgBpoSTGCuonHTIyy1ZJtx5aGFNnj80t4Lu1l9R-dKmUE3zr4JgdzO8eHBN1ZQ9ybvM5-k6zB9nyYavfFTFhgCGNVvwWpCko_fVU7ma8sled-h4iKRTcupy4mtCS9JPfa9Iu2O0sm9K6cqM_HrDM9p_wiM0D7e5ZL_27XwS_O1MfaBeLsAOZQ-1ayvCRq4eGI9yMGcr_U_EGV_pKqyDL1SzNguVbZaBkUqZrBKZl4OQOl8thjPld7ontTmoF2DvN_U0hpXiQOT_ZSAgOQ","alg":"RS256"}]}

Oh, and here is the error seen in the browser:

{
  "message": "HTTPSConnectionPool(host='192.168.1.90', port=4443): Max retries exceeded with url: /connect/userinfo (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', '', 'certificate verify failed')])\")))"
}

Solution

  • All I needed to do was set CURL_CA_BUNDLE="". It seems that setting verify=False in authorize_access_token does not overwrite all requests.
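An added example (not the asker's code and not Authlib's) that reproduces the resolution rule behind this answer using requests' own `Session.merge_environment_settings`, which Authlib's `OAuth2Session` inherits from `requests.Session`: a per-call `verify=False` affects only that one request, while a CA bundle path in `REQUESTS_CA_BUNDLE` / `CURL_CA_BUNDLE` or in `session.verify` reaches every request in the process, including the internal JWKS and userinfo fetches, without turning verification off. The two CA bundle paths are placeholders and are only compared as strings, never opened.

```python
# Added example (not the asker's or Authlib's code): how requests decides the
# TLS `verify` value for each call. Authlib's OAuth2Session subclasses
# requests.Session, so the same rules govern its token, JWKS and userinfo
# requests. The two CA bundle paths are placeholders, compared as strings only.
import os
import requests

ISSUER = "https://192.168.1.90:4443"  # host and port from the traceback
JWKS_URL = ISSUER + "/.well-known/openid-configuration/jwks"
PRIVATE_CA_BUNDLE = "/etc/ssl/certs/identityserver-dev-ca.pem"  # placeholder
OTHER_CA_BUNDLE = "/tmp/another-ca.pem"                         # placeholder
ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def resolve_verify(session, url, per_call_verify=None, env=None):
    """Return the `verify` value requests will hand to the HTTPS adapter.

    Precedence (Session.merge_environment_settings): explicit per-call value,
    then REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE, then session.verify. `env`
    replaces both bundle variables for the duration of this call."""
    saved = {name: os.environ.pop(name, None) for name in ENV_VARS}
    try:
        os.environ.update(env or {})
        settings = session.merge_environment_settings(url, {}, None, per_call_verify, None)
    finally:
        for name in ENV_VARS:
            os.environ.pop(name, None)
            if saved[name] is not None:
                os.environ[name] = saved[name]
    return settings["verify"]


def trusting_session(ca_bundle=PRIVATE_CA_BUNDLE):
    """Session that verifies every HTTPS request against the private CA that
    signed the IdentityServer certificate, instead of disabling verification."""
    session = requests.Session()
    session.verify = ca_bundle
    return session


def demo():
    session = trusting_session()
    # verify=False on a single call, as the question passes to
    # authorize_access_token, switches verification off for that call only ...
    token_call = resolve_verify(session, ISSUER + "/connect/token", per_call_verify=False)
    # ... while the JWKS fetch Authlib issues internally passes no verify
    # argument, so it falls back to the session's CA bundle and stays verified.
    jwks_call = resolve_verify(session, JWKS_URL)
    # A bundle path in the environment reaches every request in the process:
    # the mechanism behind the accepted fix, with a real CA file instead of an
    # empty string that switches verification off.
    env_call = resolve_verify(session, JWKS_URL, env={"REQUESTS_CA_BUNDLE": OTHER_CA_BUNDLE})
    return token_call, jwks_call, env_call  # (False, PRIVATE_CA_BUNDLE, OTHER_CA_BUNDLE)
```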