heartcombo / devise

Flexible authentication solution for Rails with Warden.
http://blog.plataformatec.com.br/tag/devise/
MIT License

Azure AD SSO error - Not found. Authentication passthru #5546

Closed mpurusottamc closed 1 year ago

mpurusottamc commented 1 year ago

Environment

Current behavior

I am trying to setup Azure AD SSO for my Rails app. I have followed all the steps from this documentation.

When I click on the Login link, I see an error:

URL - http://localhost:3000/users/auth/microsoft?prompt=select_account

Message - Not found. Authentication passthru.

I tried with and without the tenant_id to use the common flow. That did not work either.

Expected behavior

I am expecting a redirection to Azure AD for authentication and login after the authentication process.

carlosantoniodasilva commented 1 year ago

I can't 100% follow that documentation (it was provided by the community), but I'm guessing that in step 5, where it explains to create the following link:

```erb
<%= link_to "Login", user_microsoft_omniauth_authorize_path(prompt: 'select_account'), class: 'navbar-link'  %>
```

That should now be a POST request on omniauth v2+, which Devise v4.8+ supports. Please see https://github.com/heartcombo/devise/pull/5327 and https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview for more info, and let us know if that doesn't work.

Update: I'll keep it open so we can update the docs in case that's the issue here.

mpurusottamc commented 1 year ago

Thanks @carlosantoniodasilva.

It seems there was some sort of cache issue. Today, it started working even without any additional changes. Unsure what was causing the behavior.

mpurusottamc commented 1 year ago

I had an additional gem in the Gemfile. Once I removed it, AD SSO started working for me.

```ruby
gem "omniauth-rails_csrf_protection", "~>0.1.2"
```

carlosantoniodasilva commented 1 year ago

@mpurusottamc gotcha, I'm glad it's working now. :+1:

I'd recommend taking a look into the overview and PR links I posted above nonetheless, as that omniauth csrf gem is aimed at adding some extra protection for the integration, in combination with using POST requests with the omniauth links/buttons.

mpurusottamc commented 1 year ago

@carlosantoniodasilva Makes sense from a security perspective. I will bring the gem back and will try to find what's the root cause of the issue.

melvinotieno commented 1 year ago

Was a fix for this found? I'm getting the same error for Google login

carlosantoniodasilva commented 1 year ago

@melvinotieno have you looked into what I mentioned about those links/buttons having to be POST requests, as documented in the latest omniauth guides? That could be your case.

I tweaked the Azure wiki to use a POST button_to and mention the OmniAuth Overview in a couple of places, as I think that should be the starting place for everyone. Let us know if you still run into any issues with those changes.

melvinotieno commented 1 year ago

@carlosantoniodasilva yes I did look into them. So even after adding method: :post on the link_to, I was still getting the same issue. So I changed from link_to to button_to and also added data: { turbo: false } for it to work. Without data: { turbo: false } it wouldn't work.

Thank you

carlosantoniodasilva commented 1 year ago

@melvinotieno ah yeah, those links/buttons don't work with Turbo, we had to disable them in the default shared views as well. I keep forgetting that Turbo is yet another element at play here. Anyway, glad it's working for you now, I'll update the wiki to mention Turbo and disabling it for those links/buttons. Thanks!
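The view change the thread converges on, written out as an added example (not code from the issue or from Devise's generated views): a `button_to` that submits a POST to the OmniAuth authorize path, with Turbo disabled on that form so the browser performs a full-page submit. The Microsoft path helper is the one from the issue; the Google helper name is an assumption that depends on how the provider is configured in `devise.rb`.

```erb
<%# Added example. OmniAuth v2 only accepts POST on the /auth/:provider
    request phase, so the "Login" link from the wiki must become a form.
    button_to renders a <form method="post"> that includes the Rails
    authenticity token, which is what omniauth-rails_csrf_protection
    verifies before the redirect to the identity provider. %>
<%= button_to "Login with Microsoft",
      user_microsoft_omniauth_authorize_path(prompt: 'select_account'),
      method: :post,
      data: { turbo: false },   # Turbo would intercept the submit and break the redirect
      class: 'navbar-link' %>

<%# Same pattern for the Google provider from the later comments.
    Assumption: the provider is configured as :google_oauth2 in devise.rb. %>
<%= button_to "Login with Google",
      user_google_oauth2_omniauth_authorize_path,
      method: :post,
      data: { turbo: false },
      class: 'navbar-link' %>
```

Keep `gem "omniauth-rails_csrf_protection"` in the Gemfile alongside this; removing it makes the GET-style link appear to work again only because the request-phase CSRF check is gone.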

melvinotieno commented 1 year ago

@carlosantoniodasilva Thanks as well. I think the issue is for most people when generating the devise views, the default implementation that they get is link_to, but as from the link you have shared, I see that that has been changed. I did see somewhere though that devise will have turbo support out of the box in the next release, so looking forward to that.

carlosantoniodasilva commented 1 year ago

@melvinotieno ah right, that changed in the main branch to better support Turbo (and rails-ujs) indeed. Hoping to do a new release soon. (in the meantime, you're welcome to try the main branch if you'd like too.)

melvinotieno commented 1 year ago

@carlosantoniodasilva Yes, will definitely give it a try