Django Azure ad AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application

Question

I am trying to authenticate a user using azure active directory but I am getting `AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application I am using django-microsoft-auth library. I have referred to multiple StackOverflow question regarding this but none of them resolve my issue. None of them are Django specific

settings.py

"""

Django settings for mywebapp project.

Generated by 'django-admin startproject' using Django 2.1.4.

For more information on this file, see
https://docs.djangoproject.com/en/2.1/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.1/ref/settings/
"""

import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'wi31*5al3v=&or_p354489830j)w_zr-)1^a$m*=@yo1l62nni'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = ["*"]

SITE_ID = 1

# Application definition

INSTALLED_APPS = [
    'django.contrib.sites',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'myapp',
    'microsoft_auth',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'mywebapp.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
                'microsoft_auth.context_processors.microsoft',
            ],
        },
    },
]

WSGI_APPLICATION = 'mywebapp.wsgi.application'


# Database
# https://docs.djangoproject.com/en/2.1/ref/settings/#databases

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
    }
}

AUTHENTICATION_BACKENDS = [
    'microsoft_auth.backends.MicrosoftAuthenticationBackend',
    'django.contrib.auth.backends.ModelBackend' # if you also want to use Django's authentication
    # I recommend keeping this with at least one database superuser in case of unable to use others
]

# Password validation
# https://docs.djangoproject.com/en/2.1/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]


    # Internationalization
    # https://docs.djangoproject.com/en/2.1/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/2.1/howto/static-files/

STATIC_URL = '/static/'


MICROSOFT_AUTH_CLIENT_ID ={clientid}
MICROSOFT_AUTH_CLIENT_SECRET = {Secret}

MICROSOFT_AUTH_LOGIN_TYPE = 'ma'

urls.py

urlpatterns = [
    path('microsoft/', include('microsoft_auth.urls', namespace='microsoft')),
    path('myapp/', include('myapp.urls')),
    path('admin/', admin.site.urls),
]

Answer 1

When you run the built-in server it runs by default on port 8000. So the call-back URL you would enter in Azure is http://localhost:8000/microsoft/auth-callback/

The problem is that Azure calls back but removes the colon and port number, so it calls your server back on http://localhost/microsoft/auth-callback/ which obviously will fail as your server listens on port 8000.

In this case you can just configure a iptables redirect rule to redirect traffic to localhost on port 80 to port 8000 like so (on Linux):

iptables -t nat -I OUTPUT --source 127.0.0.1 --destination 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8000

# iptables -nvL -t nat Chain PREROUTING (policy ACCEPT 295 packets, 66558 bytes) pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 295 packets, 66558 bytes) pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 145K packets, 8873K bytes) pkts bytes target prot opt in out source destination
211 12660 REDIRECT tcp -- * * 127.0.0.1 127.0.0.1 tcp dpt:80 redir ports 8000

Chain POSTROUTING (policy ACCEPT 145K packets, 8886K bytes) pkts bytes target prot opt in out source destination

Answer 2

Usually this issue occurs when the redirect url defined in azure portal doesn't match the redirect url in your authorize request. You can use fiddler to capture the authorize request url to find the redirect url in the request. Something like

https://login.microsoftonline.com/{tenant}/oauth2/authorize? client_id=6731de76-14a6-49ae-97bc-6eba6914391e &response_type=code &redirect_uri=http%3A%2F%2Flocalhost%3A12345 &response_mode=query &resource=https%3A%2F%2Fservice.contoso.com%2F &state=12345

Copy this redirect_uri and paste it to Azure portal.