[Question] Problems with OAuthProvider if provider is ssl-configured

[thinkORo]

Question

As in my Bug report #3045 mentioned I think there is a problem with certificate handling in Flet.

Has anyone ever connected Flet together with NGINX and TLS certificates to TLS secured IDM (e.g. Keycloak)?

Code sample

def on_login(e):
    access_token = router.page.auth.token.access_token

Error message

future: <Future finished exception=AttributeError("'NoneType' object has no attribute 'access_token'")>
Traceback (most recent call last):
  File "/home/oro/Program/miniforge3/envs/expand/lib/python3.12/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/mnt/m2data/Data/decr/_code/scm/gitea/internal/python/expand/app/views/view_auth.py", line 47, in on_login
    access_token = router.page.auth.token.access_token
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'access_token'

------------------------------------------------------

• I have searched for answers to my question both in the issues and in previous discussions.

[thinkORo]

To get to the bottom of the problem a little further, I tried to rebuild the OAuth provider, or rather the login process, using Flet and Keyclock "on-board" (builtin) resources.

In doing so, I also encountered problems, although these were described in more detail. The problem was the integration of my CA certificates. Unfortunately, "from flet.auth import OAuthProvider" simply failed, but did not display the actual "error".

I had always assumed that I could either integrate my CA certificate via the environment variable "REQUESTS_CA_BUNDLE" or that the certificates would be read in via the Python SSL framework. I have therefore adapted the PEM file "ssl/cert.pem" accordingly in my Python environment. Or, everytime I re-built my Python virtual env this cert.pem was re-built automatically as my own CA cert is/was part of my Linux environment already.

However, this does not apply to Flet (and perhaps to all Python web frameworks). Here, however, the certificates are verified with a different framework (certifi) and thus against a different authority: "lib/python3.1/site-packages/certifi/cacert.pem". If you now adapt this PEM file, access from Flet also works against my TLS-secured Keycloak.

Maybe that's obvious? Unfortunately, I was not aware of this. I hope this information helps others who would also like to secure Flet with TLS.