pnp / cli-microsoft365

Manage Microsoft 365 and SharePoint Framework projects on any platform
https://aka.ms/cli-m365
MIT License

Bug report: Browser login error: The redirect URI specified in the request does not match the redirect URIs configured for the application #6399

Open daviewales opened 1 month ago

daviewales commented 1 month ago

Priority

(Medium) I'm annoyed but I'll live

Skip to the end for a workaround.

Description

I've set up a new Entra App Registration as described in the docs.

I've then run m365 setup, and configured it to use interactive login.

When I run m365 login, my browser opens a tab at https://login.microsoftonline.com, but I get an error stating that the redirect URI specified in the request does not match the redirect URI configured for the application.

Steps to reproduce

I have confirmed that all the app registration configuration settings exactly match the description in the documentation: https://pnp.github.io/cli-microsoft365/user-guide/using-own-identity/#configure-authentication-settings

The platform is Mobile and Desktop Applications.

The redirect URI is set to: https://login.microsoftonline.com/common/oauth2/nativeclient

And Allow Public Client flows is set to 'Yes'.

I have tried selecting a bunch of different options in m365 setup, but I always end up in the same place, with the non-matching redirect URI error above.

Expected results

I expect the login to succeed.

Actual results

Error:

AADSTS50011: The redirect URI 'http://localhost:58946' specified in the request does not match the redirect URIs configured for the application 'abc-123-example'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

Diagnostics

m365 login --authType browser --debug
Executing command login with options {"options":{"output":"json","debug":true,"verbose":false,"authType":"browser","cloud":"Public"}}
Executing command as 'user@example.com', appId: abc-123-example, tenantId: xyz-456-example
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com.
[Wed, 02 Oct 2024 01:49:15 GMT] : [] : @azure/msal-node@2.13.1 : Info - getTokenCache called
[Wed, 02 Oct 2024 01:49:15 GMT] : [] : @azure/msal-common@14.14.2 : Info - CacheManager:getIdToken - Returning ID token
Retrieving new access token using interactive browser session...
Redirect URL:
https://login.microsoftonline.com/xyz-456-example/oauth2/authorize?response_type=code&client_id=abc-123-example&redirect_uri=http://localhost:59779&state=123456&resource=https://graph.microsoft.com&prompt=select_account

To sign in, use the web browser that just has been opened. Please sign-in there.

CLI for Microsoft 365 version

v9.0.0

nodejs version

bun.sh: 1.1.20

Operating system (environment)

Windows

Shell

PowerShell

cli doctor

{
  "os": {
    "platform": "win32",
    "version": "Windows 11 Pro",
    "release": "10.0.22631"
  },
  "cliVersion": "9.0.0",
  "nodeVersion": "v22.3.0",
  "cliAadAppId": "7228c4a0-e110-4966-9886-ba018d4aab45",
  "cliAadAppTenant": "single",
  "authMode": "deviceCode",
  "cliEnvironment": "",
  "cliConfig": {
    "autoOpenLinksInBrowser": false,
    "copyDeviceCodeToClipboard": false,
    "output": "json",
    "printErrorsAsPlainText": false,
    "prompt": false,
    "showHelpOnFailure": false,
    "showSpinner": false,
    "helpMode": "options",
    "authType": "browser",
    "clientId": "7228c4a0-e110-4966-9886-ba018d4aab45",
    "tenantId": "5722662b-7985-4a0d-8868-deee2e111dcd",
    "clientSecret": "",
    "clientCertificateFile": "",
    "clientCertificateBase64Encoded": "",
    "errorOutput": "stdout"
  },
  "roles": [],
  "scopes": {
    "https://graph.microsoft.com": [
      "User.Read",
      "profile",
      "openid",
      "email"
    ]
  }
}

Additional Info

Workaround

I can successfully log in if I force it to use deviceCode login rather than browser login. This works:

m365 login --authType deviceCode

This doesn't work (and is also the default when using m365 login):

m365 login --authType browser
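
The error in the report comes down to a comparison Entra ID makes between the redirect_uri in the authorize request (http://localhost:59779 in the debug output above, a port MSAL picks at random) and the redirect URIs on the app registration. The following is an added example, not code from CLI for Microsoft 365 or from the reporter; it reproduces that comparison over the authorize URL from the diagnostics so the mismatch can be checked offline. It assumes Entra ID's documented public-client behaviour that a registered http://localhost with no port accepts any port, while every other URI must match exactly; the registered URI lists are constructed for the example and the app and tenant IDs are the placeholders the reporter used.

```javascript
// Added example (not CLI for Microsoft 365 code): replay Entra ID's redirect URI
// comparison for the request logged in this issue.
//
// Assumption, taken from Entra's documented public-client behaviour rather than
// from this thread: a registered "http://localhost" with no port matches a request
// redirect_uri on any port; any other registered URI must match exactly.

// Break a URI into the parts Entra compares. new URL() lower-cases scheme and host,
// drops a default port (80/443) and reports a missing port as ''.
function normalize(uri) {
  const u = new URL(uri);
  return {
    scheme: u.protocol.replace(/:$/, ''),
    host: u.hostname,
    port: u.port,                                  // '' when no explicit port
    path: u.pathname === '/' ? '' : u.pathname,    // bare origin and origin + '/' are the same
  };
}

// True when `requested` is accepted for at least one of the `registered` URIs.
function redirectUriMatches(requested, registered) {
  const req = normalize(requested);
  return registered.some((candidate) => {
    const reg = normalize(candidate);
    if (reg.scheme !== req.scheme || reg.host !== req.host || reg.path !== req.path) {
      return false;
    }
    // Loopback exception: http://localhost registered without a port accepts any port.
    if (reg.scheme === 'http' && reg.host === 'localhost' && reg.port === '') {
      return true;
    }
    // Everything else, including http://localhost:<fixed port>, needs the same port.
    return reg.port === req.port;
  });
}

// Pull redirect_uri out of the authorize URL the CLI printed with --debug.
function redirectUriFromAuthorizeUrl(authorizeUrl) {
  return new URL(authorizeUrl).searchParams.get('redirect_uri');
}

// Constructed from the "Redirect URL" line in the diagnostics (placeholder IDs kept).
const AUTHORIZE_URL =
  'https://login.microsoftonline.com/xyz-456-example/oauth2/authorize' +
  '?response_type=code&client_id=abc-123-example&redirect_uri=http://localhost:59779' +
  '&state=123456&resource=https://graph.microsoft.com&prompt=select_account';

// Constructed registration states for the comparison.
const REGISTERED_AS_DOCUMENTED = ['https://login.microsoftonline.com/common/oauth2/nativeclient'];
const REGISTERED_WITH_LOOPBACK = [...REGISTERED_AS_DOCUMENTED, 'http://localhost'];
const REGISTERED_FIXED_PORT = ['http://localhost:3000'];

// Evaluate the logged request against each registration state.
function diagnose(authorizeUrl = AUTHORIZE_URL) {
  const requested = redirectUriFromAuthorizeUrl(authorizeUrl);
  return {
    requested,
    matchesDocumentedRegistration: redirectUriMatches(requested, REGISTERED_AS_DOCUMENTED),
    matchesWithLoopback: redirectUriMatches(requested, REGISTERED_WITH_LOOPBACK),
    matchesFixedPort: redirectUriMatches(requested, REGISTERED_FIXED_PORT),
  };
}

console.log(diagnose());
```

Running it shows the request URI http://localhost:59779 fails against the nativeclient URI from the docs (different scheme, host and path), matches once a port-less http://localhost is also registered, and still fails against http://localhost:3000, because MSAL's port changes on every login and a fixed-port loopback entry does not get the exception.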

milanholemans commented 1 month ago

Hi @daviewales, sorry to hear that CLI is not working properly for you. Just to fully understand the issue, is this what you did?

  1. Create Entra application registration by hand
  2. Run m365 cli setup, choose existing app registration & interactive scripting
  3. Run m365 login

This results in an error?

daviewales commented 1 month ago

Yes, that's exactly right. I can get it to work if I use --authType deviceCode. But I get the error if I use the default browser login.