OAuth SSO Azure AD

Hi, I’m having an issue with Azure SSO third-party authentication.

Currently, when configured, it returns the following error:

“The reply URL specified in the request does not match the reply URLs configured for the application:”

Checking the reply URL that it calls results in this:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=<Correct Client ID>&redirect_uri=https://<CORRECT ENDPOINT URL>/auth/complete/azuread-oauth2/&state=kYkYmtffQh2jGC7y2L0Z1By7ItePjygF&response_type=code&scope=openid+profile+user_impersonation&msafed=0&sso_nonce=AwABAAAAAAACAOz_BAD0_2RBZtQrlGBD0-CKxSOmi6rz_zilLRv288v_K9VXZOAA8634KPAHdL88yQUo7c-jOXMeEPPa4I_vtx4IX1qtvP4gAA&client-request-id=98170e1e-9f0f-407b-9291-4dcd9b3c1794&mscrid=98170e1e-9f0f-407b-9291-4dcd9b3c1794

I have taken out the client ID of the authentication application in Azure and the full URL of the LMS for paranoid reasons.

The LMS logs show:

2021-04-12 07:59:09,834 INFO 22 [tracking] [user None] [ip 81.156.91.69] logger.py:42 - {"name": "/auth/login/azuread-oauth2/", "context": {"user_id": null, "path": "/auth/login/azuread-oauth2/", "course_id": "", "org_id": ""}, "username": "", "session": "4b9b113bc720d502fe432b39b3b57989", "ip": "81.156.91.69", "agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75", "host": "<LMS URL>", "referer": "https://<LMS URL>/login?next=%2F", "accept_language": "en-GB,en;q=0.9,en-US;q=0.8", "event": "{\"GET\": {\"auth_entry\": [\"login\"], \"next\": [\"/\"]}, \"POST\": {}}", "time": "2021-04-12T07:59:09.834163+00:00", "event_type": "/auth/login/azuread-oauth2/", "event_source": "server", "page": null}
lms_1 | [pid: 22|app: 0|req: 77/457] 172.18.0.13 () {54 vars in 1436 bytes} [Mon Apr 12 07:59:09 2021] GET /auth/login/azuread-oauth2/?auth_entry=login&next=%2F => generated 0 bytes in 22 msecs (HTTP/1.0 302) 9 headers in 888 bytes (1 switches on core 0)

Has anyone done this since the introduction of Caddy as an SSL endpoint? My current working theories are:

  1. The termination of the SSL at Caddy is causing a reply URL issue,
    or, more likely,
  2. There is something in the code that has changed and the documentation of the URLs to provide is really far out of whack, and I just can’t figure it out.

Any help would be appreciated.


I never understand anything about SSO issues. For instance, here, I do not understand where the “reply URL specified in the request does not match the reply URLs configured for the application” error comes from. Is it from Open edX or Microsoft? Is this URL expected? If not, what should be the correct value?
The LMS response has a 302 status code: is that expected? Where does it redirect to? What should it redirect to?

@regis, thanks for the reply.

Well, testing it with Google and Facebook SSO showed it worked first time, so issue 1 is out: it’s nothing to do with Caddy, as that should have caused the same or similar issues.

One of the strange things I have seen in the logs is that it doesn’t seem to make a request back to the LMS or nginx after logging into Azure. This is the same behaviour with SSO both with MFA and without. I do get those back from Google and Facebook.

From my understanding of redirects after OAuth completion, it should go to the /auth/complete/azureread-oauth2/ URL, then to the dashboard or sign-up depending on the flags set.

So, I’m going back to look at Azure OAuth2 in a much deeper way now. If I find anything that works or patches that need to be done, I will pass them on to the group.

Thank you. I finally got it working; from an Azure standpoint it’s a lot more complicated now than it used to be.

In Azure AAD:
Click the application registration blade.

Add a new registration.
Give it a name.
Set it to the tenancy required (single is best).
Set the reply URL to https:///auth/complete/azureread-oauth2
i.e. https://learn.mysite.com/auth/complete/azureread-oauth2
Register the app.

Go to the app in App registrations.
In Overview, make a note of the Application (client) ID; this is okay as you can come back to it later.

Click Authentication.

Add
https://<YOUR LMS URL>/auth/complete/azureread-oauth2/
as a separate entry. It’s only got the / at the end, but some browsers reported it back as different from the first, so best to be careful.

Tick Access tokens (used for implicit flows),
and then make sure of “Accounts in this organizational directory only” (doing a multi-tenant or personal account means that approval has to be sought from every person using their Microsoft account).

Allow public client flows = no.
Save.

Certificates & secrets:

Add a new client secret, give it a name and an expiration date. Write this DATE down in any calendar, as you will need to change it at some point in time.

Add it.
Make a copy of the value, as you only see it now and cannot reveal it later.

Now go to API Permissions.

This is where the biggest change is.

Add permissions.
Select Microsoft Graph.
Add delegated permissions.

Under OpenId add everything:
email, offline_access, openid, profile

Under User add the following:
User.Read
User.ReadBasic.All

Click Add permissions.
You will return to the permissions blade.
Click Add admin consent for your domain.
Make sure all of them get admin consent.

Now return to Tutor edX.

In the /admin page,

go to Third Party Authentication,

add an OAuth application.

This is pretty much the same as in the regular documentation, with just one strange point:

in slug, make this azureread-oauth2.

No idea why, but after that it started working.

You can do a test with the secret in the page, but for security’s sake, after you confirm it’s up and working, change it to a setting as described in the edX documentation.
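A way to see, from the defender’s side, why the identity provider rejects a reply URL like the one in the first post, and why the last post registers the URL both with and without the trailing slash. This is an added example, not code from the thread, from Open edX or from Tutor: it pulls `redirect_uri` out of an authorize request shaped like the one quoted above and compares it against the reply URLs registered for the application the way the provider does (exact string match), then reports whether the scheme, the host, the trailing slash or the path is what differs. The host `learn.example.test`, the zeroed `client_id` and the function names are assumptions; `expected_reply_url` reproduces the `/auth/complete/<backend>/` pattern visible in the quoted request.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the authorize request quoted in the thread, with the real
# client_id and LMS host replaced by placeholder values (hypothetical).
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https://learn.example.test/auth/complete/azuread-oauth2/"
    "&state=kYkYmtffQh2jGC7y2L0Z1By7ItePjygF"
    "&response_type=code"
    "&scope=openid+profile+user_impersonation"
)


def expected_reply_url(lms_host: str, backend_name: str) -> str:
    """Reply URL the LMS sends for a social-auth backend: /auth/complete/<backend>/ (trailing slash)."""
    return f"https://{lms_host}/auth/complete/{backend_name}/"


def redirect_uri_from_request(authorize_url: str) -> str:
    """Extract redirect_uri from the authorize request the browser was sent to."""
    params = parse_qs(urlparse(authorize_url).query)
    values = params.get("redirect_uri")
    if not values:
        raise ValueError("authorize request carries no redirect_uri parameter")
    return values[0]


def check_reply_url(redirect_uri: str, registered: list) -> dict:
    """
    Mirror the identity provider's rule: redirect_uri must be an exact string
    match for one registered reply URL. On a miss, say which component is off
    so the registration can be corrected instead of guessed at.
    """
    result = {"match": redirect_uri in registered, "reasons": []}
    if result["match"]:
        return result
    req = urlparse(redirect_uri)
    for entry in registered:
        reg = urlparse(entry)
        if req.scheme != reg.scheme:
            # Typical when a TLS-terminating proxy does not pass the external
            # scheme through and the app builds an http:// URL for itself.
            result["reasons"].append(
                f"scheme differs ({req.scheme} vs {reg.scheme}) for {entry}")
        elif req.netloc != reg.netloc:
            result["reasons"].append(
                f"host differs ({req.netloc} vs {reg.netloc}) for {entry}")
        elif req.path.rstrip("/") == reg.path.rstrip("/"):
            result["reasons"].append(
                f"trailing slash differs for {entry}; register both forms")
        else:
            result["reasons"].append(
                f"path differs ({req.path} vs {reg.path}); check the backend name")
    return result


if __name__ == "__main__":
    sent = redirect_uri_from_request(SAMPLE_AUTHORIZE_URL)
    print("redirect_uri sent:", sent)
    print("expected for this backend:",
          expected_reply_url("learn.example.test", "azuread-oauth2"))
    # Registered without the trailing slash only: exact match fails.
    print(check_reply_url(sent, ["https://learn.example.test/auth/complete/azuread-oauth2"]))
```

Run it against the real authorize URL copied from the browser (with the registered reply URLs from the Authentication blade) to get the exact component that disagrees; the provider only ever reports the generic mismatch error.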
