We are currently developing a small Dash application. Our app is hosted in the cloud, so we need some sort of security. We have connected our app to our enterprise identity management system (KeyCloak).
Therefore we use the framework flask_oidc (1.4.0). We configured the client_secrets.json and protect every view-function of our dash-app:

    for view_func in dash_app.server.view_functions:
        dash_app.server.view_functions[view_func] = oidc.require_login(
            dash_app.server.view_functions[view_func])

I understand why this preflight request is sent. And I understand that the responding IDM system needs to respond with an ‘Access-Control-Allow-Origin’ header. This could be a possible fix, but at the moment it is not possible to modify the settings of the IDM system.
Is there any chance to fix this on our side (inside the app)? Is there any possibility to modify the component or request, so no preflight request is sent?
Sadly, I was not able to solve this problem entirely, but I believe this is a problem of our Keycloak (IDM).
I solved this problem by omitting the refresh of the token. We just do an initial login at the first visit of the session and save a flag in the cookie if the login was successful.
I hope the following code snippet helps to understand:
I use the following framework: flask_dance
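
    from functools import wraps
    from flask import redirect, url_for
    from flask_dance.consumer import OAuth2ConsumerBlueprint

    oauth_blueprint = OAuth2ConsumerBlueprint(
        "xy-oauth", __name__, client_id="xy", login_url='/login',
        token_url=IDM_BASE_URL + "token",
        authorization_url=IDM_BASE_URL + "auth",
    )

    def require_login(view_func):
        """Use this to decorate view functions that require a user to be logged
        in. If the user is not already logged in, they will be sent to the
        Provider to log in, after which they will be returned.
        .. versionadded:: 1.0
           This was :func:`check` before.
        """
        @wraps(view_func)
        def decorated(*args, **kwargs):
            if not oauth_blueprint.session.authorized:
                # Assumed (line missing from the post): go to the blueprint's login view.
                return redirect(url_for("xy-oauth.login"))
            return view_func(*args, **kwargs)
        return decorated

    for view_func in app.server.view_functions:
        app.server.view_functions[view_func] = require_login(
            app.server.view_functions[view_func])
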
I tracked my problem down to multiple gunicorn workers working on the same set of callbacks after a user interaction. I did not have flask sessions set up through a common database such as redis and some of the gunicorn workers were getting redirected to my MS login page since they didn’t have a logged in user in THEIR session.
I was able to fix the issue by changing my flask session system to redis, now each user has a true single source session object to utilize to verify auth. I tracked down the issue by going through the network tab on Chrome’s developer tools. I couldn’t figure out why my login page was calling dash update components and it led me down the path of discovery regarding sessions and gunicorn workers.
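
The failure mode described in the post above, as an added example that is not part of the original thread: a constructed, standard-library-only model that compares workers holding session data in their own memory with workers reading one shared store (standing in for Redis). That the per-worker data lives in process memory is an assumption about the setup; `Worker`, `simulate` and the session id are hypothetical names.

```python
import itertools

OK = 200               # callback served
LOGIN_REDIRECT = 302   # worker sends the browser to the identity provider


class Worker:
    """One gunicorn-style worker with a server-side session store."""

    def __init__(self, store):
        self.store = store  # maps session id -> session data

    def login(self, sid, user):
        # Runs on whichever worker handles the login callback.
        self.store[sid] = {"user": user}

    def handle_callback(self, sid):
        # The check a require_login wrapper makes before a Dash callback runs.
        session = self.store.get(sid, {})
        return OK if "user" in session else LOGIN_REDIRECT


def simulate(n_workers, shared, n_requests=8):
    """Return the status code of each callback request after one login."""
    shared_store = {}  # stand-in for Redis: one store for every worker
    workers = [
        Worker(shared_store if shared else {})  # {} = private per-worker memory
        for _ in range(n_workers)
    ]
    sid = "sid-constructed-1"          # constructed session id from the cookie
    workers[0].login(sid, "alice")     # the login lands on worker 0 only

    # Round robin is a stand-in for "whichever worker accepts the request".
    picker = itertools.cycle(workers)
    return [next(picker).handle_callback(sid) for _ in range(n_requests)]


if __name__ == "__main__":
    for shared in (False, True):
        statuses = simulate(n_workers=4, shared=shared)
        label = "shared store" if shared else "per-worker store"
        redirects = statuses.count(LOGIN_REDIRECT)
        print(f"{label:17} {statuses} -> {redirects} login redirects")
```

With private stores, only the worker that handled the login recognises the session, so the other workers answer callback requests with a redirect to the login page, which is the pattern visible in the browser's network tab.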