
Getting handshake error while doing OAuth 2.0 flow with IdentityServer4 and Authlib

I have implemented an authorization server using IdentityServer4 and also a client app using Python Flask, and I am trying to test authentication with Authlib. I managed to get past the errors one by one, but there is one that I am stuck with and have no idea why I am getting it. Here is the exception thrown on the Python (client) side:

usr/lib/python3/dist-packages/urllib3/ InsecureRequestWarning: Unverified HTTPS request is being made to host ''. Adding certificate verification is strongly advised. See:
ERROR:root:HTTPSConnectionPool(host='', port=4443): Max retries exceeded with url: /.well-known/openid-configuration/jwks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/", line 485, in wrap_socket
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/", line 1991, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/", line 1700, in _raise_ssl_error
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/", line 55, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', '', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/", line 376, in _make_request
  File "/usr/lib/python3/dist-packages/urllib3/", line 996, in _validate_conn
  File "/usr/lib/python3/dist-packages/urllib3/", line 366, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='', port=4443): Max retries exceeded with url: /.well-known/openid-configuration/jwks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/securify/SecurifyID/chrome-extension/chrome-extension-backend/", line 96, in callback_handling
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/flask_client/", line 107, in authorize_access_token
    userinfo = self.parse_id_token(token, nonce=state_data['nonce'])
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/base_client/", line 66, in parse_id_token
    claims = _jwt.decode(
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/jose/rfc7519/", line 96, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/jose/rfc7515/", line 101, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/jose/rfc7515/", line 254, in _prepare_algorithm_key
    key = key(header, payload)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/base_client/", line 38, in load_key
    jwk_set = JsonWebKey.import_key_set(self.fetch_jwk_set())
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/base_client/", line 17, in fetch_jwk_set
    resp = session.request('GET', uri, withhold_token=True)
  File "/home/securify/.local/lib/python3.8/site-packages/authlib/integrations/requests_client/", line 104, in request
    return super(OAuth2Session, self).request(
  File "/usr/lib/python3/dist-packages/requests/", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=4443): Max retries exceeded with url: /.well-known/openid-configuration/jwks (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))
 - - [30/May/2022 07:21:13] "GET /callback?code=4FD8DE309058C13FF8FD0A3FC70A1793D9B2CA0F6CFF84362309BBEC56881C60&scope=openid%20profile%20email%20Roles&state=Bzlq7Ot4O6lIdmEOs0tYpSWZIj1nV8&session_state=RF3Fhyoxgg097pLXygTmXLKjWuSj1DbzIsuL_MEMURs.7038FDC84E3DD2C2F908E76BA513B2E2 HTTP/1.1" 500 -

This exception occurs in the test.authorize_access_token(verify=False) step of the Python code. I even passed verify=False, as on my IdentityServer I am using self-signed certificates, but not on the client side. I suspect it might be related to the JWKS_URI but am not sure. Here is the JWKS_URI content.


Oh and here is the error seen in the browser:

  "message": "HTTPSConnectionPool(host='', port=4443): Max retries exceeded with url: /connect/userinfo (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', '', 'certificate verify failed')])\")))"


  • All I needed to do was set CURL_CA_BUNDLE="". It seems setting verify=False in authorize_access_token does not overwrite all requests.
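The traceback shows why the per-call verify=False did not help: Authlib fetches the JWKS document through its own requests session (fetch_jwk_set → session.request('GET', uri, withhold_token=True)), so the certificate check for that request is governed by the session and environment, not by the argument given to authorize_access_token. Emptying CURL_CA_BUNDLE resolves the error by switching certificate verification off for every request the client makes, which also removes the protection against a spoofed issuer. The alternative that keeps verification is to make the self-signed issuer trusted: hand the client the PEM of the CA (or of the self-signed server certificate) that IdentityServer presents. The following stand-alone Python script is an added example and not code from the question, the answer, or Authlib; it uses only the standard library, fetches a JWKS endpoint over a context that trusts a given CA file, contrasts that with the context that verify=False amounts to, and validates the shape of the JWKS it receives. The URL and CA path in the usage comment are assumed placeholders, and SAMPLE_JWKS is a constructed document, not the questioner's real endpoint contents.

```python
import json
import ssl
import urllib.request


def trusted_context(cafile=None):
    """Verifying TLS context.

    With cafile=None the system CA store is trusted. Passing the PEM file of
    the self-signed CA (or the self-signed server certificate itself) that
    IdentityServer presents makes that one issuer trusted without turning
    verification off for every other request.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated explicitly
    ctx.check_hostname = True             # the cert must also name the host
    return ctx


def insecure_context():
    """What verify=False or CURL_CA_BUNDLE="" amount to: no chain check and
    no hostname check, so any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True when a context would reject an untrusted or mis-named certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def parse_jwks(body):
    """Check the JWKS shape: a non-empty 'keys' list whose entries carry kty
    and kid, with n/e present for RSA keys. Returns {kid: jwk} for the keys
    usable to verify id_token signatures (use == 'sig' or absent)."""
    doc = json.loads(body)
    keys = doc.get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS has no 'keys' array")
    by_kid = {}
    for jwk in keys:
        if "kty" not in jwk or "kid" not in jwk:
            raise ValueError("JWK is missing kty or kid")
        if jwk["kty"] == "RSA" and not ("n" in jwk and "e" in jwk):
            raise ValueError("RSA JWK %s is missing n/e" % jwk["kid"])
        if jwk.get("use", "sig") != "sig":
            continue                      # encryption keys cannot verify id_tokens
        by_kid[jwk["kid"]] = jwk
    if not by_kid:
        raise ValueError("JWKS contains no signing keys")
    return by_kid


def fetch_jwks(url, cafile=None, timeout=10):
    """GET the JWKS document over a verifying connection and parse it.
    A certificate that does not chain to cafile raises ssl.SSLCertVerificationError
    instead of being silently accepted."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=trusted_context(cafile), timeout=timeout) as resp:
        return parse_jwks(resp.read())


# Constructed sample JWKS (not the questioner's real endpoint contents):
# one signing key and one encryption key, both RSA.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "example-kid-1", "alg": "RS256",
         "n": "sample-modulus", "e": "AQAB"},
        {"kty": "RSA", "use": "enc", "kid": "example-kid-2",
         "n": "sample-modulus", "e": "AQAB"},
    ]
})

if __name__ == "__main__":
    # Against a live server (assumed URL and CA path, not from the original post):
    # fetch_jwks("https://identityserver.example:4443/.well-known/openid-configuration/jwks",
    #            cafile="/etc/ssl/local/identityserver-ca.pem")
    print("trusted context verifies:", is_verifying(trusted_context()))
    print("insecure context verifies:", is_verifying(insecure_context()))
    print("signing kids:", sorted(parse_jwks(SAMPLE_JWKS)))
```

The same CA file can be given to a requests-based client by setting REQUESTS_CA_BUNDLE to its path (a non-empty path, unlike the empty CURL_CA_BUNDLE in the answer), which keeps the JWKS fetch verified while still accepting the self-signed IdentityServer certificate.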