I've been testing Flask-OIDC with Keycloak and noticed that the redirect_uri sent to Keycloak is automatically converted from http://localhost:5000/oidc/callback to https://localhost:5000/oidc/callback.
According to Section 3.1.2.1 of the OAuth 2.0 specification, which discusses Endpoint Request Confidentiality:
The redirection endpoint SHOULD require the use of TLS as described in Section 1.6 when the requested response type is "code" or "token", or when the redirection request will result in the transmission of sensitive credentials over an open network. This specification does not mandate the use of TLS because at the time of this writing, requiring clients to deploy TLS is a significant hurdle for many client developers. If TLS is not available, the authorization server SHOULD warn the resource owner about the insecure endpoint prior to redirection (e.g., display a message during the authorization request).
Lack of transport-layer security can have a severe impact on the security of the client and the protected resources it is authorized to access. The use of transport-layer security is particularly critical when the authorization process is used as a form of delegated end-user authentication by the client (e.g., third-party sign-in service).
Given that the specification does not strictly mandate clients to use TLS, I propose that we allow HTTP URLs in request_uris.
Here are a few scenarios where this could be beneficial:
Local testing
Air-gapped environments
Thank you for considering this suggestion.
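As an added illustration of the middle ground this request opens up (example code written for this page, not Flask-OIDC's own implementation or API): rather than either always rewriting the callback to https or blindly accepting any http redirect_uri, a relying party can keep plain http only for loopback callbacks (localhost, 127.0.0.1, ::1), force https for every other host, and require an explicit opt-in for the air-gapped case. The function and option names (`normalize_redirect_uri`, `allow_insecure`), the loopback-only policy and the sample URIs are my assumptions, not anything Flask-OIDC or Keycloak define.

```python
import ipaddress
from urllib.parse import urlencode, urlsplit, urlunsplit

# Hypothetical policy (not Flask-OIDC's code): hostnames treated as loopback
# in addition to IP literals that ipaddress reports as loopback.
LOOPBACK_HOSTNAMES = {"localhost"}


def is_loopback_host(host):
    """True for 'localhost', 127.0.0.0/8 and ::1; False for anything else."""
    if host is None:
        return False
    host = host.lower()
    if host in LOOPBACK_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Not an IP literal (e.g. a real DNS name): not loopback.
        return False


def normalize_redirect_uri(uri, allow_insecure=False):
    """Decide what redirect_uri to send to the authorization server.

    Returns (uri_to_send, warning_or_None):
      - https URIs pass through untouched;
      - http URIs on a loopback host are kept (traffic never leaves the machine);
      - other http URIs are rewritten to https unless allow_insecure=True,
        which is the explicit opt-in for e.g. an air-gapped deployment.
    Any other scheme is rejected outright.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return uri, None
    if scheme != "http":
        raise ValueError("redirect_uri must use http or https, got %r" % scheme)
    if is_loopback_host(parts.hostname):
        return uri, "plain http kept for loopback callback %s" % parts.netloc
    if allow_insecure:
        # RFC 6749 3.1.2.1 only SHOULDs TLS here; the operator has accepted
        # that the authorization code will cross the network in clear text.
        return uri, "insecure redirect endpoint %s allowed by configuration" % parts.netloc
    # netloc (including port), path, query and fragment are preserved; only
    # the scheme changes, mirroring the rewrite the issue describes.
    secure = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return secure, "rewrote %s to %s" % (uri, secure)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, state,
                            scope="openid", allow_insecure=False):
    """Compose the authorization request a relying party sends the user to.

    The redirect_uri parameter is exactly what the server (Keycloak in the
    issue) will later compare against its registered redirect URIs, so the
    policy above must run before the URL is built.
    """
    redirect_uri, _warning = normalize_redirect_uri(redirect_uri, allow_insecure)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return "%s?%s" % (authorize_endpoint, query)


if __name__ == "__main__":
    # Constructed sample inputs, one per case handled above.
    for sample in ("http://localhost:5000/oidc/callback",
                   "http://[::1]:5000/oidc/callback",
                   "http://app.internal.example:5000/oidc/callback",
                   "https://app.example.com/oidc/callback"):
        print(normalize_redirect_uri(sample))
```

Whatever policy is chosen, the redirect_uri that leaves the relying party must match what is registered on the server byte for byte, so a rewrite done silently on the client side (as the issue reports) is also the kind of thing that produces confusing "invalid redirect_uri" errors at Keycloak when only the http form was registered.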