Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft graph that is secured using the Microsoft identity platform
MIT License
291 stars 138 forks

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: #18

Closed faresde closed 4 years ago

faresde commented 4 years ago

I have this problem after entering my password; I get this returning page with this message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'XXXXXXXXXXXXXXXXXXXXXXXX'

navyasric commented 4 years ago

@faresde You will get this error if the Redirect URL registered in your app registration on Azure Portal does not match the URL set by this sample. Please make sure the URL matches by following the steps in the Readme here: https://github.com/Azure-Samples/ms-identity-python-webapp#register-the-python-webapp-python-webapp

faresde commented 4 years ago

@navyasric I have followed exactly the steps. In my Azure account I have set Redirect URIs as: http://localhost:5000/getAToken and in app_config.py REDIRECT_PATH = "/getAToken". I want to know if the_Tenant_Name_Here is different from Tenant_Id? Thanks for your help!

lune94 commented 4 years ago

On my side, it is working fine on localhost. I deployed the code into a web app and set up the redirect URI with the web app DNS and it is not working. I checked the network. After login it keeps redirecting me to the HTTP URL instead of the HTTPS URL. In the app registration we can only put HTTPS URLs and my web app is set to HTTPS only. In the AAD log I can see failed connections, which means all credentials are set successfully. Any ideas? Regards

rfeng-adi commented 4 years ago

I'm having exactly the same problem as @faresde. Followed the instructions in README.md and getting the AADSTS50011 error.

lune94 commented 4 years ago

The sample code needs to be updated so that it uses the https protocol.

santhoshbomma9 commented 4 years ago

[image] This change should probably fix the issue. I have an env parameter for using http/https where required.

lune94 commented 4 years ago

Thank you, can you put the entire function definition please ?

rayluo commented 4 years ago

@faresde The Enter_the_Tenant_Name_Here should accept either a tenant name (such as microsoft.onmicrosoft.com) or its tenant id in GUID form. To rule out any other reasons, were you able to run this sample on your localhost (like other folks did in this conversation thread)? If not, what port were you using?

@lune94 @rfeng-adi @santhoshbomma9 This sample created the redirect_uri in this way, which, according to the Flask API documentation:

The default behavior uses the same scheme as the current request

So, it is supposed to work for HTTPS, as long as your app was deployed to use https. How did you access the "/index" page of your deployment? Was it http://your.domain.com or httpS://your.domain.com?

CC @navyasric @abhidnya13 @henrik-me: This thread is kind of becoming a FAQ. Perhaps we can try some (different?) deployment options to see if we can reproduce the issue.

lune94 commented 4 years ago

Hey @rayluo The web app is configured to use HTTPS only

[screenshot]

When I reach https://webappNAME.azurewebsites.com I got:

https://webappNAME.azurewebsites.com  302
http://webappNAME.azurewebsites.com/login  301
https://webappNAME.azurewebsites.com/login  200

I click on sign in, I validate my credentials. The network indicates:

Request URL: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=http%3A%2F%2FwebappNAME.azurewebsites.net%2FgetAToken&scope=User.ReadBasic.All+offline_access+openid+profile&state=XXX

It is working fine on localhost since it is http
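The mismatch behind AADSTS50011 is between the redirect_uri query parameter of the /authorize request (visible as the Request URL in the browser's network tab, as in the comment above) and the reply URLs registered on the app registration. The following is an added triage helper, not code from the sample or from anyone in this thread: it percent-decodes that parameter and reports which component (scheme, host, port or path) differs from each registered reply URL. The authorize URL and the registered list below are constructed to mirror the request pasted above; the component-wise report is a diagnostic aid and does not claim to reproduce AAD's exact matching rules.

```python
"""Added triage helper for AADSTS50011 (not part of the sample or the thread).

AAD compares the redirect_uri parameter of the /authorize request with the
reply URLs registered on the app registration. This decodes that parameter
from a pasted Request URL and reports which component differs from each
registered reply URL, so the cause (http vs https, wrong port, wrong path)
is visible at a glance."""
from urllib.parse import parse_qs, urlsplit


def redirect_uri_from_authorize_request(authorize_url):
    """Pull the percent-decoded redirect_uri out of a /authorize request URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        raise ValueError("authorize request carries no redirect_uri parameter")
    return values[0]


def _components(uri):
    """Split a reply URL into the parts that must agree: scheme, host, port, path.
    The port is kept as written (None when absent) and the path is not
    normalized, so the report reflects the literal strings being compared."""
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),
        "port": parts.port,
        "path": parts.path,
    }


def diff_against_registered(sent_uri, registered_uris):
    """Return [] when sent_uri matches one registered reply URL component for
    component; otherwise a list of (registered_uri, [differing components])."""
    sent = _components(sent_uri)
    report = []
    for registered in registered_uris:
        differing = [
            name for name, value in _components(registered).items()
            if sent[name] != value
        ]
        if not differing:
            return []
        report.append((registered, differing))
    return report


# Constructed example mirroring the request pasted above: the app is reached
# over HTTPS but builds an http:// redirect_uri. TENANT_ID/CLIENT_ID are
# placeholders, as in the original paste.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID&response_type=code"
    "&redirect_uri=http%3A%2F%2FwebappNAME.azurewebsites.net%2FgetAToken"
    "&scope=User.ReadBasic.All+offline_access+openid+profile&state=XXX"
)
REGISTERED = ["https://webappNAME.azurewebsites.net/getAToken"]  # constructed

if __name__ == "__main__":
    sent = redirect_uri_from_authorize_request(AUTHORIZE_URL)
    print("sent:", sent)
    for registered, differing in diff_against_registered(sent, REGISTERED):
        print(f"  vs {registered}: differs in {', '.join(differing)}")
```

For the localhost case earlier in the thread the same helper makes a port mismatch explicit: a registration of http://localhost:5000/getAToken against an app started on another port differs in "port" only.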

rayluo commented 4 years ago

@lune94 Thanks for your quick response and effort on testing!

Would you mind doing one more quick test, adding such a function into your existing app in your existing HTTPS environment?

from flask import url_for  # added import; `app` is your existing Flask application

@app.route('/test')
def test():
    return url_for("test", _external=True)

And see whether the result contains https://...? If not, we might want to create an issue in the Flask repo and ask for input from the community there.

Ideally we would want to rely on that "automatically choosing between http and https" behavior, so that our sample can work in both scenarios.

lune94 commented 4 years ago

Hey, here are my tests:

1) Calling /test in https:
https://webappNAME.azurewebsites.com/test  200

2) Calling /test in http:
http://webappNAME.azurewebsites.com/test  301
https://webappNAME.azurewebsites.com/test  200

3) I added a link "Test" to /test on the login page. On the page https://webappNAME.azurewebsites.net/login I click on the Test link and got:
https://webappNAME.azurewebsites.com/test  200

rayluo commented 4 years ago

Thanks @lune94 again. I also borrowed your test environment to test it. ;-)

url_for() failed to generate an https url

So this Flask url_for() behavior is not what their document said:

The default behavior uses the same scheme as the current request

This is presumably because in a production web service setup, we will have:

Browser -----HTTPS----> Reverse proxy -----HTTP----> Flask

So flask is not able to detect it is actually serving https traffic.

Digging deeper from Flask's documentation on Proxy, this adjustment would probably work:

from werkzeug.middleware.proxy_fix import ProxyFix
app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1, x_host=1)

If you can add these 2 lines into your app and test to see whether it works, let me know, and then I'll apply this change here.
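The proxy explanation above, as an added example that is not code from the sample, from werkzeug, or from anyone in this thread. It re-implements the two moving parts with the standard library only, so it runs without Flask installed: `external_url` builds an absolute URL the way url_for(_external=True) does (from wsgi.url_scheme and the Host header the app itself received), and `ProxyHeadersFix` is a minimal stand-in for ProxyFix(app, x_proto=1, x_host=1) that rewrites those two values from X-Forwarded-Proto and X-Forwarded-Host, believing only as many comma-separated values (counted from the right) as there are proxies you control. The assumption that the TLS-terminating front end adds `X-Forwarded-Proto: https` is mine; check what your proxy actually sends. The last two calls show the caveat that goes with the fix: once those headers are trusted, anyone who can reach the app directly can set them, so enable the fix only behind a proxy that always overwrites them. AAD will still reject a redirect_uri that is not registered, but a spoofed host would land in every absolute URL the app generates.

```python
"""Added example (not code from the sample or from anyone in this thread):
a standard-library re-implementation of the behaviour described above, so it
runs without Flask. The trusted-value rule (take the N-th value from the right,
ignore the header if fewer than N values are present) mirrors werkzeug's
ProxyFix as I understand it; verify against werkzeug if it matters."""
from wsgiref.util import setup_testing_defaults

REDIRECT_PATH = "/getAToken"  # same path the sample's app_config.py uses


def external_url(environ, path=REDIRECT_PATH):
    """What a framework's url_for(_external=True) sees behind a proxy: the
    scheme of the proxy->app hop, not the scheme the browser used."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return f"{environ['wsgi.url_scheme']}://{host}{path}"


class ProxyHeadersFix:
    """Stand-in for ProxyFix(app, x_proto=1, x_host=1). A count of 0 means
    'do not trust that header at all'."""

    def __init__(self, app, x_proto=1, x_host=1):
        self.app, self.x_proto, self.x_host = app, x_proto, x_host

    @staticmethod
    def _trusted_value(raw, trusted):
        # Proxies append to these comma-separated headers; the rightmost values
        # were set by the proxies closest to the app, i.e. the ones we own.
        if not raw or trusted <= 0:
            return None
        values = [v.strip() for v in raw.split(",") if v.strip()]
        return values[-trusted] if len(values) >= trusted else None

    def __call__(self, environ, start_response):
        environ = dict(environ)  # do not mutate the server's environ
        proto = self._trusted_value(environ.get("HTTP_X_FORWARDED_PROTO"), self.x_proto)
        if proto:
            environ["wsgi.url_scheme"] = proto
        host = self._trusted_value(environ.get("HTTP_X_FORWARDED_HOST"), self.x_host)
        if host:
            environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def redirect_uri_app(environ, start_response):
    """Toy WSGI app: answers with the redirect_uri it would put in the
    /authorize request."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [external_url(environ).encode()]


def request(app, headers):
    """Drive a WSGI app offline with a constructed request that reached the
    app over plain HTTP (as from a TLS-terminating proxy); return the body."""
    environ = {}
    setup_testing_defaults(environ)  # sets wsgi.url_scheme to "http"
    environ["HTTP_HOST"] = "webappNAME.azurewebsites.net"  # constructed host
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return b"".join(app(environ, lambda status, hdrs: None)).decode()


if __name__ == "__main__":
    proxy = {"X-Forwarded-Proto": "https"}  # assumed: what the TLS proxy adds
    print("no fix:  ", request(redirect_uri_app, proxy))
    print("with fix:", request(ProxyHeadersFix(redirect_uri_app), proxy))
    # Why the fix must only run behind a proxy that overwrites these headers:
    spoofed = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "evil.example"}
    print("spoofed: ", request(ProxyHeadersFix(redirect_uri_app), spoofed))
    print("x_host=0:", request(ProxyHeadersFix(redirect_uri_app, x_host=0), spoofed))
```

Against a real Flask app the equivalent check is the two ProxyFix lines above plus the /test route from earlier in the thread, requested with and without the X-Forwarded-Proto header.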

lune94 commented 4 years ago

It is working! Thank you very much @rayluo! You can make the change. Could you add a sample using AAD groups? Like only members of the app_reader group can access the /test URL.