Tags: python, python-requests, keycloak

Since requests==2.32.2 got SSL / certificate verify failed: self signed certificate when using python-keycloak


I init keycloak functionality via:

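from keycloak import KeycloakOpenID

# KEYCLOAK_URL and _KEYCLOAK_SECRET_KEY_ are defined elsewhere in the application
keycloak_openid = KeycloakOpenID(server_url=KEYCLOAK_URL,
                                 client_id="dashboard-app",
                                 realm_name="dashboard",
                                 client_secret_key=_KEYCLOAK_SECRET_KEY_)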

I used requests==2.31.0 before and everything worked fine. After upgrading to requests==2.32.2 I run into an SSL problem:

  • KeycloakConnectionError: Can't connect to server (HTTPSConnectionPool(host='xxx.de', port=443): Max retries exceeded with url: /auth/realms/xxx/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)'))))

Have there been any changes in the requests package that could explain this? May I fix this myself?

Env:

  • Python 3.10
  • python-keycloak==4.0.0

Solution

  • KeycloakOpenID uses a ConnectionManager, which uses a requests HTTPAdapter.


    In requests v2.32.2,

    To provide a more stable migration for custom HTTPAdapters impacted
    by the CVE changes in 2.32.0, we've renamed _get_connection to
    a new public API, get_connection_with_tls_context. Existing custom
    HTTPAdapters will need to migrate their code to use this new API.
    get_connection is considered deprecated in all versions of Requests>=2.32.0.
    

    (source)


    So python-keycloak is just not up-to-date with requests v2.32.2. Since it seems to be a maintained project, I'd expect this bug to be fixed relatively soon.

    Here's a pull request on the requests GitHub page, which includes a minimal pass-through you should be able to use until python-keycloak is updated.
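The pass-through idea mentioned above, as an added example (not code from the linked pull request or from python-keycloak): a custom adapter that still overrides the old `get_connection` hook and forwards `get_connection_with_tls_context` to it, with certificate verification left on and pointed at a CA bundle. The class name, the helper functions and the way the session is built are assumptions made for illustration.

```python
import requests
from requests.adapters import HTTPAdapter


class PassThroughAdapter(HTTPAdapter):
    """Hypothetical custom adapter written against the pre-2.32 hook."""

    def __init__(self, *args, **kwargs):
        self.routed = []  # URLs that went through the old hook
        super().__init__(*args, **kwargs)

    def get_connection(self, url, proxies=None):
        # Old extension point: custom pool selection would live here.
        # On requests >= 2.32 the base method emits a DeprecationWarning.
        self.routed.append(url)
        return super().get_connection(url, proxies)

    def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
        # Called by send() on requests >= 2.32.2; older releases call
        # get_connection directly, so this method is simply unused there.
        return self.get_connection(request.url, proxies)


def session_for(ca_bundle):
    """Session that keeps verification on and trusts ca_bundle."""
    session = requests.Session()
    session.verify = ca_bundle  # path to the internal CA chain, never False
    session.mount("https://", PassThroughAdapter())
    return session


def select_pool(session, url):
    """Replay send()'s pool selection and cert_verify() without network I/O."""
    adapter = session.get_adapter(url)
    request = requests.Request("GET", url).prepare()
    pool = adapter.get_connection_with_tls_context(request, session.verify)
    # send() applies the verify setting to the chosen pool in the same way.
    adapter.cert_verify(pool, request.url, session.verify, None)
    return adapter, pool
```

Pass the PEM file that holds the internal root and intermediate certificates as `ca_bundle`; the pool then requires a valid chain to that bundle instead of skipping verification.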