Testing flask-oauthlib locally without https

3

55

I have implemented an oauth2 server and an oauth2 client using flask-oauthlib.

When I am trying to test locally, the client returns an InsecureTransportError and tells me that I should be using https.

Is there a way to test the app locally without https?

The client is running on 127.0.0.2:5000 and the server is running on 127.0.0.1:5000.

Thanks

Wakerife answered 5/1, 2015 at 18:12 Comment(0)
115

From http://requests-oauthlib.readthedocs.org/en/latest/examples/real_world_example.html:

You should note that Oauth2 works through SSL layer. If your server is not parametrized to allow HTTPS, the fetch_token method will raise an oauthlib.oauth2.rfc6749.errors.InsecureTransportError. Most people don’t set SSL on their server while testing and that is fine. You can disable this check in two ways:

  1. By setting an environment variable.

     export OAUTHLIB_INSECURE_TRANSPORT=1

  2. Equivalent to above you can set this in Python (if you have problems setting environment variables)

     # Somewhere in webapp_example.py, before the app.run for example
     import os
     os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
Hocker answered 5/1, 2015 at 18:44 Comment(7)
Just a comment, this same error, as well as the same solution can happen when running on gunicorn with nginx doing the SSL termination. This solution fixes the problem that the library somehow incorrectly thinks it's on http... - Moonscape
Thank you for the tip. Do you know if requests_oauthlib is supposed to work with self signed certificates? I still had the insecure transport error after using one. I am wondering if it's normal or if I'm missing something. - Bullwhip
Also, do you know what it means "If your server is not parametrized to allow HTTPS"? Is it different from just running my app with self signed certificate? - Bullwhip
How come all answers show OAUTHLIB_INSECURE_TRANSPORT when the code says AUTHLIB...? github.com/lepture/authlib/blob/… - Optimize
It is possible to customize some of the security settings in OAuthLib using environment variables. You can use this to bypass some of OAuthLib’s security checks in order to run automated tests. Never bypass these checks in production. - Edyth
The actual environment variable is AUTHLIB_INSECURE_TRANSPORT, no O in front. See: github.com/authlib/example-oauth2-server/issues/38 - Arching
@Optimize No, OAUTHLIB is for oauthlib and AUTHLIB is for authlib; they are distinct packages. - Petroglyph
26

For OAuth1 you can add this setting:

app.config.update({
    'OAUTH1_PROVIDER_ENFORCE_SSL': False
})

For OAuth2 you can set it in an environment variable:

export OAUTHLIB_INSECURE_TRANSPORT=1

or at runtime:

import os
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
Rincon answered 3/11, 2015 at 7:59 Comment(0)
13

For Authlib users:

export AUTHLIB_INSECURE_TRANSPORT=1

Or if you want to set it programmatically:

import os

os.environ['AUTHLIB_INSECURE_TRANSPORT'] = '1'

I know it's not answering the question but every time I ask Google about it I land on this page.

Ossa answered 31/5, 2019 at 8:29 Comment(0)
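
An added example, not taken from the answers or from either library: one way to keep the bypass described above confined to local testing, by setting the variables only for a debug run whose endpoints are all loopback addresses (such as the 127.0.0.1 and 127.0.0.2 in the question) and clearing them otherwise. The function names and the rule "loopback hosts only" are assumptions made for this sketch; the variable names are the ones given in the answers.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Variable names from the answers above: oauthlib and Authlib respectively.
INSECURE_VARS = ("OAUTHLIB_INSECURE_TRANSPORT", "AUTHLIB_INSECURE_TRANSPORT")


def is_loopback_url(url):
    """True when the URL's host is 'localhost' or a loopback IP (127.0.0.0/8, ::1)."""
    host = urlsplit(url).hostname
    if host is None:
        return False  # no scheme/host part, e.g. "127.0.0.1:5000"
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as non-local


def configure_insecure_transport(urls, debug, environ=os.environ):
    """Enable the bypass only for a debug run on loopback-only endpoints.

    In every other case the variables are removed, so a value inherited from a
    developer shell or a copied .env file cannot switch the HTTPS check off.
    Returns True when the bypass was enabled.
    """
    allow = bool(debug) and bool(urls) and all(is_loopback_url(u) for u in urls)
    for name in INSECURE_VARS:
        if allow:
            environ[name] = "1"
        else:
            environ.pop(name, None)
    return allow


if __name__ == "__main__":
    # Constructed sample values: the two local endpoints from the question.
    local = ["http://127.0.0.1:5000", "http://127.0.0.2:5000"]
    env = {}  # stand-in for os.environ so the demo has no side effects
    print(configure_insecure_transport(local, debug=True, environ=env), env)
    mixed = local + ["http://auth.example.test"]
    print(configure_insecure_transport(mixed, debug=True, environ=env), env)
```

Call it once at startup, before the first token request, with the client and provider base URLs and the application's debug flag.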
