Reputation: 231
I have an app registered at the Azure AD portal. The redirect mechanism has been working great in development, but there is a strange conversion going on with OAuth redirect URIs.
The client application is built with the Django framework and uses the MSAL for Python library.
Suppose I have redirect URI specified as follows in the Azure AD app registration: https://myapp.com/auth/redirect
I get the error AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '<application ID>'
Diving into the requests sent, I can see that the redirect URI somehow gets manipulated somewhere in the process.
(Note the conversion from https -> http)
...redirect_uri=http%3A%2F%2Fmyapp.com%2Fauth%2Fredirect&scope=User.Read.basic....
But Azure AD actually doesn't even accept URLs with plain http.
I have tried to produce the same error with just localhost (since a localhost URL is an exception to the rule that only https URLs are allowed): with the redirect URL http://localhost:8000/auth/redirect the authentication process works, and with https://localhost:8000/auth/redirect it produces the same result described above.
Upvotes: 4
Views: 3846
Reputation: 231
The error was related more to Django internals in combination with the MSAL library.
The Azure AD MSAL library for Python uses the reverse(redirect_uri) method internally to build the redirect URI, and since Django requests use HTTP internally, the redirect URI that gets added to the request is the HTTP one.
Adding SECURE_SSL_REDIRECT = True to settings.py fixed the problem.
The ordinary ./manage.py runserver command does not support HTTPS, though, so:
pip install werkzeug django-extensions pyOpenSSL
Add django_extensions under INSTALLED_APPS in settings.py.
./manage.py runserver_plus --cert /tmp/cert localhost:8000
When the program runs in a web server behind a front proxy, add this line to settings.py as well, so that the original request returned by the backend is not changed:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
Upvotes: 7
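An added example, not code from the question, the answer, Django or MSAL: it re-implements in plain Python the scheme selection behind Django's request.is_secure() and build_absolute_uri() so the http/https mismatch that triggers AADSTS50011 can be reproduced offline. FakeRequest, REGISTERED_REDIRECT_URIS and the sample proxied request are constructed stand-ins, not real Django objects.

```python
from dataclasses import dataclass, field

# Constructed: the redirect URI as registered in the Azure AD app registration.
REGISTERED_REDIRECT_URIS = {"https://myapp.com/auth/redirect"}


@dataclass
class FakeRequest:
    """Hypothetical stand-in for a Django HttpRequest (only the fields needed here)."""
    host: str
    path: str
    url_scheme: str                               # scheme the WSGI server itself saw
    meta: dict = field(default_factory=dict)      # WSGI-style META keys (HTTP_*)


def is_secure(request, secure_proxy_ssl_header=None):
    """Same rule Django applies: https if the server saw TLS, otherwise trust the
    configured proxy header only when SECURE_PROXY_SSL_HEADER is set."""
    if request.url_scheme == "https":
        return True
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        return request.meta.get(header) == value
    return False


def build_redirect_uri(request, secure_proxy_ssl_header=None):
    """Absolute URI the app would hand to MSAL as redirect_uri."""
    scheme = "https" if is_secure(request, secure_proxy_ssl_header) else "http"
    return f"{scheme}://{request.host}{request.path}"


def check_redirect_uri(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Pre-flight check mirroring the exact-match comparison (scheme, host and path)
    that Azure AD performs; False is the case that surfaces as AADSTS50011."""
    return redirect_uri in registered


def demo():
    # Constructed request: TLS terminated at a front proxy, so the backend saw plain
    # HTTP and only the proxy-added header records the original https scheme.
    req = FakeRequest("myapp.com", "/auth/redirect", "http",
                      {"HTTP_X_FORWARDED_PROTO": "https"})
    without_setting = build_redirect_uri(req)
    with_setting = build_redirect_uri(req, ("HTTP_X_FORWARDED_PROTO", "https"))
    return without_setting, with_setting


if __name__ == "__main__":
    for uri in demo():
        print(uri, "matches registration:", check_redirect_uri(uri))
```

As with Django's real setting, only enable the proxy header when the front proxy overwrites X-Forwarded-Proto on every request; otherwise a client can supply the header itself and the app will wrongly treat plain-HTTP traffic as secure.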
Reputation: 7473
This error can typically be caused by 2 different configuration issues.
(1) You are accessing the page from a different address than the one you've configured for your app.
(2) You have made a mistake in the configuration itself. In both of these cases, it's typically fairly easy to fix the issue.
It seems the error occurs with the configuration in your issue.
Please notice the redirect_uri parameter: if requesting the /token endpoint for an access token, the redirect_uri needs to be the same as one of the Redirect URIs (navigate to your app -> Authentication) in the portal. If using C#, you also need to set it in the configuration.
Upvotes: 0