Reputation: 1165
I am developing a Python/Flask application and I want to use OAuth for signing in. My employer uses Azure Active Directory so I am trying to integrate with it as an OAuth provider.
I am not an Azure tenant administrator.
I created an App Registration and set up my code following Microsoft's documentation, but I am the only person who can successfully sign in to the app.
I am constructing my authorization URL like this (I have the correct tenant name, client id, and redirect URI in my code):
import urllib.parse
import uuid

# Authorization endpoint for the tenant (host as written in the question)
authorization_endpoint = 'https://login.microsoft.com/my-tenant.onmicrosoft.com/oauth2/authorize'

# Query parameters for the OpenID Connect implicit flow (id_token via form_post);
# nonce and state are fresh random values for this sign-in attempt
query = {
    'client_id': 'my-client-id',
    'nonce': uuid.uuid4(),
    'redirect_uri': 'https://my-app.example.com/authorize',
    'response_mode': 'form_post',
    'response_type': 'id_token',
    'scope': 'openid',
    'state': uuid.uuid4()
}
# urlencode calls str() on each value, so the UUID objects are serialized as text
authorization_url = f'{authorization_endpoint}?{urllib.parse.urlencode(query)}'
When I personally test signing in to the app, everything works fine. But when anyone else tries, they visit the authorization URL, sign in with their credentials, and then get a page with this error:
AADSTS165000: Invalid Request: The request tokens do not match the user context. Do not copy the user context values (cookies; form fields; headers) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Token values do not match;]
Why does it work for me and for no one else?
Upvotes: 4
Views: 3092
Reputation: 1165
The authorization endpoint is wrong. It should be https://login.microsoftonline.com/... instead of https://login.microsoft.com/...
Upvotes: 4
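As an added illustration (not code from the question or the answer), the following builds the authorization URL against the host the answer names, login.microsoftonline.com, and keeps the state and nonce tied to one user session so the form-posted callback can be checked against them. The tenant, client id and redirect URI are placeholders taken from the question; the `session` argument is assumed to be any mutable mapping (Flask's `session` object fits), and id_token signature verification is assumed to be done elsewhere with a JWT library before `check_nonce` is called.

```python
# Added example, not part of the original post: correct host plus
# per-session state/nonce handling for the id_token form_post flow.
import secrets
import urllib.parse

# Host as given in the accepted answer; the tenant is filled in per deployment
AUTHORIZATION_ENDPOINT = 'https://login.microsoftonline.com/{tenant}/oauth2/authorize'


def build_authorization_url(tenant, client_id, redirect_uri, session):
    """Return the authorization URL and record state/nonce in `session`.

    The stored values must survive until the callback for this same
    user arrives; they are never reused for another request or user.
    """
    state = secrets.token_urlsafe(32)   # anti-CSRF value echoed back by the provider
    nonce = secrets.token_urlsafe(32)   # bound into the id_token by the provider
    session['oauth_state'] = state
    session['oauth_nonce'] = nonce
    query = {
        'client_id': client_id,
        'nonce': nonce,
        'redirect_uri': redirect_uri,
        'response_mode': 'form_post',
        'response_type': 'id_token',
        'scope': 'openid',
        'state': state,
    }
    endpoint = AUTHORIZATION_ENDPOINT.format(tenant=tenant)
    return f'{endpoint}?{urllib.parse.urlencode(query)}'


def query_params(url):
    """Parse the query string of `url` into a dict (helper for inspection/tests)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


def check_callback(form, session):
    """Validate the form-posted `state` against the one stored for this session.

    Returns the nonce that the id_token is expected to carry. Raises
    ValueError when the callback does not belong to this session, which
    is the cross-request mix-up the AADSTS165000 message warns about.
    """
    expected_state = session.pop('oauth_state', None)
    expected_nonce = session.pop('oauth_nonce', None)
    received_state = str(form.get('state', ''))
    if not expected_state or not secrets.compare_digest(expected_state, received_state):
        raise ValueError('state does not match this session')
    if 'id_token' not in form:
        raise ValueError('no id_token in callback')
    return expected_nonce


def check_nonce(claims, expected_nonce):
    """Compare the nonce claim of an already signature-verified id_token.

    `claims` is the decoded payload; verification with a JWT library
    (assumed, not shown) must happen before trusting any claim here.
    """
    if not expected_nonce:
        return False
    return secrets.compare_digest(str(claims.get('nonce', '')), expected_nonce)
```

In a Flask view, call `build_authorization_url(...)` with `flask.session` and redirect to the result; in the `/authorize` handler, pass `request.form` and `flask.session` to `check_callback`, verify the id_token signature, then confirm the nonce with `check_nonce` before treating the user as signed in.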