OAuth callback, https and reverse proxy #819

Closed
victornoel opened this issue Oct 5, 2018 · 11 comments
@victornoel

I'm using an application relying on flask-appbuilder (airflow) and it is deployed behind a reverse proxy which takes care of https.

For a reason I don't understand, the callback sent to the oauth server (google in this case) is not using the https scheme even though it uses the correct dns name.

I suppose there is some kind of hardcoded way of determining the scheme used.

Either this is a bug (https should have been detected) or this should at least be configurable via the OAUTH_PROVIDERS setting.

Please tell me if I'm mistaken and this should be reported directly to flask-oauthlib.

@dpgaspar
Owner

dpgaspar commented Oct 5, 2018

Hi,

Is your reverse proxy setting the HTTP header: X-Forwarded-Proto https?

@victornoel
Author

@dpgaspar it does indeed. The reverse proxy is traefik, and when proxying to a simple whoami service, this is the output:

```
Hostname: a9d56f7dabc2
IP: 127.0.0.1
IP: 10.0.0.27
IP: 10.0.0.28
IP: 172.18.0.8
GET / HTTP/1.1
Host: my-hostname.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Dnt: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: x.x.x.x
X-Forwarded-Host: my-hostname.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 48150f4f5681
X-Real-Ip: x.x.x.x
```

@dpgaspar
Owner

dpgaspar commented Oct 16, 2018

Sorry for the delay,

FAB is doing this:

```python
return self.appbuilder.sm.oauth_remotes[provider].authorize(callback=url_for('.oauth_authorized', provider=provider, _external=True))
```

so url_for is not sending https behind the proxy, this is a Flask config thing.

@victornoel
Author

@dpgaspar thx for the information, more details here and here.

I wonder if Flask shouldn't be responsible for this?

@victornoel
Author

Well actually, it seems ProxyFix is delivered with Flask, so it is already the case I suppose in a way… should I close this issue?

@dolfandringa
Contributor

@victornoel I think what we should do is just document the ProxyFix solution. It is trivial to set up: just add `app.wsgi_app = ProxyFix(app.wsgi_app)`. It wouldn't hurt to have some more docs on deploying flask appbuilder in a few scenarios and this could be included there for reverse proxy setups. So if you are interested, a PR for the documentation on deploying FAB in a reverse proxy setup would be nice. We seem to be getting more questions regarding deploying flask appbuilder.
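
As an added illustration (not code from this thread, FAB, Flask or Werkzeug), the stdlib-only example below replays the proxied request shown earlier and shows why the callback URL comes out as `http` and how a proxy-fix middleware corrects it. `TrustedProtoFix`, `login_app`, `simulate` and the callback path are hypothetical names; the middleware is a simplified stand-in for ProxyFix that honours `X-Forwarded-Proto` only for the number of proxies you declare, since a client can send that header itself.

```python
from wsgiref.util import application_uri, setup_testing_defaults

CALLBACK_PATH = "/oauth-authorized/google"  # hypothetical callback route


def callback_url(environ):
    """Absolute callback URL derived from the WSGI environ (scheme + Host)."""
    return application_uri(environ).rstrip("/") + CALLBACK_PATH


class TrustedProtoFix:
    """Simplified stand-in for a proxy-fix middleware (not Werkzeug's code)."""

    def __init__(self, app, trusted_proxies=1):
        self.app = app
        self.trusted_proxies = trusted_proxies  # 0 = app is reachable directly

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        values = [v.strip().lower() for v in raw.split(",") if v.strip()]
        # Only the last N entries can have been written by proxies we operate;
        # anything further left may have been supplied by the client.
        if self.trusted_proxies and len(values) >= self.trusted_proxies:
            proto = values[-self.trusted_proxies]
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def login_app(environ, start_response):
    """Toy app: returns the callback URL it would hand to the OAuth provider."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [callback_url(environ).encode()]


def simulate(app, forwarded_proto=None):
    """Replay the proxied request from the thread: plain HTTP hop, public Host."""
    environ = {"HTTP_HOST": "my-hostname.com", "wsgi.url_scheme": "http"}
    setup_testing_defaults(environ)  # fills the remaining required WSGI keys
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print(simulate(login_app, "https"))                      # header ignored
    print(simulate(TrustedProtoFix(login_app), "https"))     # header honoured
    print(simulate(TrustedProtoFix(login_app, 0), "https"))  # no proxy trusted
```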

@dpgaspar
Owner

I would say this problem is "solved".

@victornoel
Author

@dpgaspar it is already documented in http://flask.pocoo.org/docs/1.0/deploying/wsgi-standalone/#proxy-setups

In the end, I don't think it was really an issue related to FAB.

@victornoel
Author

@dpgaspar actually, this doesn't seem to work: airflow has its own way of enabling the proxy fix, but this doesn't seem to have an impact on the aforementioned problem.

I will report the bug at flask instead since it seems to be related to url_for.

@victornoel
Author

@dpgaspar my bad, the ProxyFix support wasn't merged in the latest release apparently.
