I've got Azure ServiceFabric web-app (AspNetCore 3) hosted over reverse proxy (NGinx). The app use AzureAD (in company) authentication. I've Registered App for the AD and setup Redirect Urls. After publishing the APP and configuring DNS and reverse proxy I tried to authorize to my app but failed with error
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '...-...-...-...-...'.
I snifed the request and found that it redirects to the internal IP but not domain name
https://login.microsoftonline.com/aeb55839-c47b-4fea-8d95-912f673fa7ac/oauth2/v2.0/authorize?client_id=.....&redirect_uri=http%3A%2F%2F10.2.0.5%3A44321%2Fsignin-oidc...
It seems that I've looked everywhere but I cannot stil found where I can specify redirect url manually (only CallbackPath).
Does anyone solve the issue?
Update 1.
Add screenshot from Azure Portal
Update 2
Mannually add http://10.2.0.5:44321/signin-oidc to the Redirect Url, get a new exception
AADSTS500117: The reply uri specified in the request isn't using a secure scheme.
I wonder whether I have to make my ASF cluster secured to allow AD Authorization? It seems to me strange due to I want to secure traffic to reverse proxy only.
This error will occur when there is a mismatch of redirect URI being sent in the request to AAD while fetching the token and the one registered with the Application Registration Object in AAD portal.
In App Registration blade of AAD and look for the redirect URI section present under "Authentication" section of the registered application and update the redirection
URL. Please refer to the screenshot below:
update:-
The Reply url you are using in your code is http://10.2.0.5:44321/signin-oidc which is different from reply url defined in Azure AD i.e., https://dev-adm.project-llc.ru/signin-oidc. Please update the reply url in code or in AAD.
Related
I'm developing an app based on the Docusign C# Quickstart.
Its working fine on my development PC (Win 11) in Visual Studio 2019 using IIS Express.
However, when I publish it to IIS (v10) on my development PC it runs and I can authenticate with Docusign just fine (once I got the proper redirect URI registered: https://localhost/ds/callback) but the step that actually sends the envelope is returning the following error in the browser:
This page isn't working right now.
Local host can't handle this request
http error 500
Any help is appreciated. I logged a support ticket with Docusign, but still waiting for a response.
Quickstart is just an app to show you how to use DocuSign APIs.
The redirect after signing is back to localhost, and your app, once ready to be deployed to server, has to be set with a proper URL, at which point you'll need to update the redirect URI to the one based on your server.
The 500 error is coming from your app, not from DocuSign. You need to figure out why your app cannot handle the URL that is set for redirect after signing by DocuSign.
The base API address demo.docusign.net/restapi is used to reach the development/ test platform. The na4.docusign.net/restapi address is one of DocuSign's (many) production platforms.
Remember that, once you have passed the Go-Live process, you have two Client IDs (integration keys) one for the test platform, one for all of the production platforms. Each has its own settings.
Added
The error
This page isn't working right now.
Local host can't handle this request http error 500
Is from IIS. Use IIS logging to see the URL request that is coming in that can't be handled.
To see if it is the redirect from the initial OAuth Authorization Code grant URL, examine the initial URL redirect to account.docusign.com (prod URL).
The redirect contained as a query parameter in the initial OAuth redirect must:
Be correct for your instance of IIS.
Be allowed by your setting for the client ID (integration key) in DocuSign
1, Be properly handled by your IIS and its app.
I am trying to secure the Azure functions using Azure Active Directory following the note.
When the link https://xxxfunction1.azurewebsites.net/api/function1 is entered, the browser redirects to AAD:
https://login.microsoftonline.com/[tenent]/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fxxxfunction1.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=[client_id]&scope=openid+profile+email&response_mode=form_post&nonce=[nonce]state=redir%3D%252Fapi%252Ffunction1
and the error returns:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application
The platform configurations in the AAD client:
The Authentication & Authorization in Azure function xxxfuntion1 is configured to AzureAD client xxxfunction1app:
The same error with Advanced mode:
Any idea why it says the error on the reply URL please?
Your error is very simple. Your redirect_uri is decoded as: https://xxxfunction1.azurewebsites.net/.auth/login/aad/callback, but you configure the redirect_uri in the AAD client as:https://xxxfunction1.azurewebsites.net/.auth/login/aad/callcack, so the response url does not match error, you only need to change callcack to callback.
Make sure that the URL matches exactly and double-check that the Application ID and tenant ID are matching. It might be trying to resolve to a different application or tenant.
The identifier URI should be: https://xxxfunction1.azurewebsites.net
Please go to Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the App ID 6419ae-xxxx-xxxx-xxxx > Under Authentication blade of the application update the Redirect URI to ttps://xxxfunction1.azurewebsites.net/api/function1
when going to the custom AWS Cognito UI Page:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>
am getting the following error:
An error was encountered with the requested page.
View error
invalid_request
O-Auth options need to be check as shown in the following picture
from https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
You need the following in the App client Settings of your user pool:
Enable Cognito User Pool as "Identity Provider".
Allowed "OAuth Scopes" should have openid enabled.
In my case, it appears there was some issue with verifying the phone number. So switched back to email.
This document is good for checking everything.
https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
Unless the SMS Sending setup is not complete, do not choose the Email or Phone option. Email or phone actually falls back to phone number only. Read the warning messages.
TLDR: If you use an AWS User Pool with Cognito App Client and have an Application Load Balancer that is exposed via a custom DNS entry (e.g. custom-domain.com, which has to be secured via SSL), use this custom domain for the Cognito App Client's callback URL (i.e. https://custom-domain.com/oauth2/idpresponse) instead if the random DNS name created by AWS.
I had the same error and this issue solved it for me. I used a User Pool with a Cognito App Client and as callback URL I first used the DNS name that AWS created for it (<load balancer name>-<random number>.<region>.elb.amazonaws.com, i.e. "callbackUrl": "https://<load balancer name>-<random number>.<region>.elb.amazonaws.com/oauth2/idpresponse). I also created a DNS record for a custom domain to expose the load balancer to the internet and secured it via SSL. As a result, the certificate was not valid for the URL created by AWS, but only my custom domain. The Cognito App Client was thus trying to access the URL with the invalid SSL certificate and returned the error.
We have an on-prem asp.net core app that leverage AAD for authentication, the app is setup to run in both:
http://domainserver/app
&
https://domainserver/app
In Azure AD the reply url for the application is setup as
http://domainserver/app/signin-oidc & https://domainserver/app/signin-oidc
When using http url, the sign-in process works fine, however in https mode, we get the following error:
AADSTS50011: The reply address ‘https://domainserver/app/signin-oidc’
does not match the reply addresses configured for the application:
appguid . More details: not specified
The reply https url is setup in AAD for the App exactly as it appears in the error message, so I’m not sure why it says it’s not matching.
One reason I can think of is that the SSL certificate used for https is a local domain signed certificate, and somehow it’s causing the error. But I’m not sure if that’s the case since AAD is just responsible to redirect back to the specified url, should not really care or know about the validity of the SSL.
Here is the image showing the setting url, the redirect url and the error message url matches exactly. You just have to trust me the part that's blocked out are also the same. :)
Anyone got any ideas why this happens?
Protocol matters. Azure AD will treat http://website.com and https://website.com as different reply URLs. However Azure can only let your put in multiple Reply URLs in a same domain. There is a case solution may be helpful to you:
Issue: Using the Azure AD authentication option to sign into the Skype for Business (SfB) Web SDK and you are seeing an AAD error page . The error page should have this message:
"AADSTS50011: The reply address 'https://...' does not match the reply
addresses configured for the application <...>"
Solution:
You need to configure the main domain name where you're hosting your app as a reply URL in the AAD registration for your app and pass it as the redirect_uri when redirecting to AAD to allow the user to sign in.
You should be using code like this to redirect the user to enter her credentials to sign into Azure AD:
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += client_id + '&resource=https://webdir.online.lync.com&redirect_uri=' + window.location.href;
window.location.href = href;
Note In the code above that we are using window.location.href as the value of the redirect_uri query parameter in forming the URL of the AAD endpoint where the user will sign in. This parameter tells AAD to redirect the client browser and the access token obtained by signing into AAD back to the page we're currently on - the main app page. However, AAD will only redirect the access token to URLs that are specified as Reply URLs in the app registration in AAD.
Follow these steps to check your configured Reply URLs and add additional ones:
Sign into portal.azure.com with an account that's an administrator on your tenant.
Navigate to Azure Active Directory in the left side bar > App registrations > Your app > All settings > Reply URLS.
Type the domain name where you're hosting your app and click Save.
This solution is from this document.
Update
According to your screenshot, your Reply URI is different:
https://domainserver/app/signin-oidc
is not in your Reply URL list,
in your Reply URL list is
https://domainserver/app/signin-odic
Go to change them as same URL .
I am using Keycloak authentication to authenticate an angular app and so far I have managed to redirect my login to Keycloak server. But when redirected instead of the login page I am getting a 500 error page with the message Invalid parameter: redirect_uri
When you created the client in Keycloak you set the required 'Valid Redirect URIs' field. Most likely the pattern you entered there doesn't match the redirect uri you are sending from your client. If you use ports numbers, they have to match too!.
If this is not the problem, check what your Keycloak server is logging and add those details here to your question.
this is occurred due to base url and valid redirect url are different. So I have added same URL on both the text box.Now its working fine.