I have referred a sample hello-world flask app integrated with key-cloak login from https://gist.github.com/thomasdarimont/145dc9aa857b831ff2eff221b79d179a

My client-secrets.json is as follows:

{"web": {"issuer": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm","auth_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/auth","client_id": "myclient","client_secret": "****","redirect_uris": ["https://167.254.224.26:30397/*"],"userinfo_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/userinfo","token_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/token","token_introspection_uri": "https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io/auth/realms/myrealm/protocol/openid-connect/token/introspect"}
}

When I run python app.py it runs successfully but once I browse the app url and click on login, it takes me to keycloack login page, after I enter my credentials I get the following error

Traceback (most recent call last):File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2309, in __call__return self.wsgi_app(environ, start_response)File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2295, in wsgi_appresponse = self.handle_exception(e)File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1741, in handle_exceptionreraise(exc_type, exc_value, tb)File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraiseraise valueFile "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2292, in wsgi_appresponse = self.full_dispatch_request()File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1815, in full_dispatch_requestrv = self.handle_user_exception(e)File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1718, in handle_user_exceptionreraise(exc_type, exc_value, tb)File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraiseraise valueFile "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1813, in full_dispatch_requestrv = self.dispatch_request()File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_requestreturn self.view_functions[rule.endpoint](**req.view_args)File "/usr/local/lib/python3.7/site-packages/flask_oidc/__init__.py", line 657, in _oidc_callbackplainreturn, data = self._process_callback('destination')File "/usr/local/lib/python3.7/site-packages/flask_oidc/__init__.py", line 689, in _process_callbackcredentials = flow.step2_exchange(code)File "/usr/local/lib/python3.7/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapperreturn wrapped(*args, **kwargs)File "/usr/local/lib/python3.7/site-packages/oauth2client/client.py", line 2054, in step2_exchangehttp, self.token_uri, method='POST', body=body, headers=headers)File "/usr/local/lib/python3.7/site-packages/oauth2client/transport.py", line 282, in requestconnection_type=connection_type)File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1994, in requestcachekey,File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1651, in _requestconn, request_uri, method, body, headersFile "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1557, in _conn_requestconn.connect()File "/usr/local/lib/python3.7/site-packages/httplib2/__init__.py", line 1326, in connectself.sock = self._context.wrap_socket(sock, server_hostname=self.host)File "/usr/local/lib/python3.7/ssl.py", line 423, in wrap_socketsession=sessionFile "/usr/local/lib/python3.7/ssl.py", line 870, in _createself.do_handshake()File "/usr/local/lib/python3.7/ssl.py", line 1139, in do_handshakeself._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1091)

I suspected this might be due to my key-cloack server is https and flask app is http and hence I have have modified the app.py to be https:

app.run(host='0.0.0.0', port=8000, debug=True, ssl_context='adhoc')

But even after making the flask app https, the issue remains the same.

Note since im running this application in containers , I have exposed the 8000 port to Nodeport i.e 30397 , hence the app url is : https://167.254.224.26:30397

That's a problem of flask-oidc. It uses httplib2, which offers disable_ssl_certificate_validation option to disable ssl/tls cert verification, but unfortunately it is not configurable from the flask-oidc.

The only option is to add CA cert which was used to create TLS cert for https://keycloak-keycloak.router.default.svc.cluster.local.167.254.224.26.nip.io to the httplib2 ca certs:

cat ca-cert.crt >> [path_to_python_libs]/certifi/cacert.pem

Offtopic: your deployment looks like Kubernetes, so it should be easy to get ca-cert.crt from the cluster and copy it to right place when app is starting.