davidjrh / dnn.azureadprovider

The DNN Azure Active Directory Provider is an Authentication provider for DNN Platform (formerly DotNetNuke) that uses Azure Active Directory OAuth2 authentication to authenticate users.
MIT License
35 stars, 21 forks

Error on Login AADSTS50011: The reply url specified in the request does not match the reply urls configured #15

Closed ddonaldsondss closed 4 years ago

ddonaldsondss commented 6 years ago

Hello,

I'm working on a DotNetNuke 9.01 Site and I worked with my IT Department on configuring the add-on based on the instructions provided. The problem is that I'm unable to login via Azure as I get the error listed in the title. I'm unable to find where to find the replyUrls section in the code for the site. Can you illuminate how to resolve this issue?

Sincerely, David B. "Red" Donaldson.

swalker1595 commented 6 years ago

Check that the reply URL in the Azure App Registration is configured correctly.

According to Microsoft,

Sign into portal.azure.com with an account that's an administrator on your tenant. Navigate to Azure Active Directory in the left side bar > App registrations > Your app > All settings > Reply URLS.

The reply URL Value should be Http://yourwebsite/Login

ddonaldsondss commented 6 years ago

Hello,

We get a redirect_uri of http://{mysite}/Login, but it just redirects back to the Login page without logging us in. Should there be a different location to redirect to? Is there a file within the site that I can look for to determine what the reply url value is listed as?

Sincerely, David B. "Red" Donaldson.

swalker1595 commented 6 years ago

Login with the super user account (the one not linked to Azure AD) and check the users tab to see if there are any unauthorized accounts that are related to yours.

REF: https://github.com/davidjrh/dnn.azureadprovider/issues/10

ddonaldsondss commented 6 years ago

I just checked the users tab and I did find 2 unauthorized users. I authorized them, but I'm still experiencing the same issue as before. Is there a config file within the site that needs to be edited?

swalker1595 commented 6 years ago

Was this ever resolved?

ddonaldsondss commented 6 years ago

Unfortunately not, no. It looks like the replyurl in azure is different than the one in the DNN application. I’m planning on reaching out to DNN support for more information.


swalker1595 commented 6 years ago

Thinking back on it now, I think I remember a situation where users would be sent to Azure to sign in, enter their credentials and be forwarded back to the Login page, but only if they needed authorization. I probably just overlooked it because in our environment we only have a handful of users and they are all authorized now and everything works. Is this the problem you have too?

almost like https://github.com/davidjrh/dnn.azureadprovider/blob/master/DotNetNuke.Authentication.Azure/Login.ascx.cs#L70 never executes.

ddonaldsondss commented 6 years ago

Not quite, as in my case, when I click on "Sign in with Azure," it brings up the following error: [image]


davidjrh commented 6 years ago

Hi @ddonaldsondss, there is no config file, all settings are on the tab. Can you reattach the error image? One of the causes of "AADSTS50011: The reply url specified in the request does not match the reply urls configured" can be that the Url on the Azure AD side is case sensitive, and that is one of the reasons I always use lower case Urls.

ddonaldsondss commented 6 years ago

This is the login screen: [image]

This is the error message: [image]

davidjrh commented 6 years ago

On the second screenshot, can you check in the URI the parameter "redirect_uri"? It must be exactly the same one you have setup on the Azure AD app.

davidjrh commented 4 years ago

Closing as old issue

maduranga001 commented 3 years ago

I can not see an answer to this question and still, I have this issue. Please, can you advise on this if anybody found an answer?

davidjrh commented 3 years ago

Can you check if you are using "http" or "https", and if the same protocol is specified in the returnURL list on the Azure AD application configuration? This is a common mistake I do until I redirect all the traffic to https to avoid it.

maduranga001 commented 3 years ago

Thank you for the reply. I used HTTPS always as I am using my website HTTPS. That was not an issue.

This is what I did and it worked for me. But I do not know if that is the exact solution. I created a new DNN login page and placed the login module on it. Then I selected it as the login page on 'Site Settings'. I used the link as the return URL on the Azure AD app configurations.

Then it worked.

But still, one thing to clarify. It loads the profile data from the Azure AD account. But not all profile data. I can not find appropriate tokens that I use to map with DNN profile fields.

Ex: DNN Fields - PhoneNumber, Photo, country, region, city etc. What are the Azure AD tokens to use in the 'Mapping -> User Mapping' in the module settings?

Appreciate your support. Thank you.

davidjrh commented 3 years ago

For the URL, note that AzureAD reply URL is case sensitive and DNN by default uses “/Login” (with capital “L”). Perhaps that was the issue?

Regarding the mappings, take a look at this blog post https://intelequia.com/blog/post/2048/using-custom-claim-mappings-on-dnn-azure-ad-module. I will try to update the module documentation putting all together in the repo Wiki.
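A small diagnostic for the check davidjrh describes above (compare the redirect_uri in the authorize request with the registered reply URLs exactly, including case and the http/https scheme). This is an added example, not code from the dnn.azureadprovider project; the registered reply URL, client_id and authorize URL are constructed sample values.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: reply URLs registered on a hypothetical Azure AD app.
REGISTERED_REPLY_URLS = ["https://www.example.com/login"]

# Constructed sample: the authorize request the browser was sent to (as seen in
# the address bar on the AADSTS50011 error page), using the DNN default "/Login".
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=http%3A%2F%2Fwww.example.com%2FLogin&state=abc"
)


def extract_redirect_uri(authorize_url: str) -> Optional[str]:
    """Return the decoded redirect_uri query parameter, or None if absent."""
    values = parse_qs(urlparse(authorize_url).query).get("redirect_uri")
    return values[0] if values else None


def diagnose_reply_url(redirect_uri: str, registered: List[str]) -> List[str]:
    """Exact (case-sensitive) comparison, as Azure AD does it; on mismatch,
    report which component differs from each registered reply URL."""
    if redirect_uri in registered:
        return []
    sent = urlparse(redirect_uri)
    findings = []
    for reg in registered:
        r = urlparse(reg)
        if sent.scheme != r.scheme:
            findings.append(f"scheme: sent '{sent.scheme}', registered '{r.scheme}'")
        if sent.netloc != r.netloc:
            findings.append(f"host: sent '{sent.netloc}', registered '{r.netloc}'")
        if sent.path != r.path:
            how = "case only" if sent.path.lower() == r.path.lower() else "different path"
            findings.append(f"path ({how}): sent '{sent.path}', registered '{r.path}'")
    return findings


if __name__ == "__main__":
    uri = extract_redirect_uri(SAMPLE_AUTHORIZE_URL)
    print("redirect_uri sent:", uri)
    for finding in diagnose_reply_url(uri, REGISTERED_REPLY_URLS):
        print(" -", finding)
```

On the sample input it reports both a scheme mismatch (http vs https) and a path that differs only by case ("/Login" vs "/login"), the two causes raised in this thread.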

maduranga001 commented 3 years ago

I tried with capital L as well. But somehow it didn't work either at that time. It might be the cache issue as well and now I am clearing the cache and AppPool too before I check any changes. Anyway, now it is fine with the new login page.

Regarding the tokens - Yes, I saw this article before. I want to update the AAD profile fields to the DNN profile. Is this possible? Can't we use the "USER PROFILE MAPPINGS" option for this? I can see the default values are the same on both. But how do we know the appropriate "AAD Claim" for the "DNN Profile Property"? Do we need to build a custom "AAD Claim"/token for this manually?

Please, advise. Thank you!

davidjrh commented 3 years ago

Regarding the tokens, yes, you have to set up the claims on the tokens in some way. In the next release all the "prefilled" mappings with the default installation will be removed to avoid confusion. The way to set up the claims on Azure AD is a bit of a pain, something I hope will be easier when 2.0 tokens go out of "Preview".