snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

Azure AD Login failed. #244

Closed thanax2n closed 1 year ago

thanax2n commented 2 years ago

Overview

I configured my Django app with django-auth-adfs using Azure AD (free account), following all the steps in the docs. When I ran the Django app at http://localhost:8000 and logged in with a free Microsoft account (....@outlook.com), it prompted me to consent to using this app. Immediately after accepting the consent it redirected to a Login Failed page like this (Figure 1).

Figure 1

Logs

Django version 4.0.6, using settings 'config.settings'
Starting development server at http://localhost:8000/ 
Quit the server with CTRL-BREAK.
[14/Jul/2022 14:39:44] "GET / HTTP/1.1" 302 0
DEBUG 2022-07-14 14:39:44,804 django_auth_adfs Loading django_auth_adfs ID Provider configuration.
INFO 2022-07-14 14:39:44,805 django_auth_adfs Trying to get OpenID Connect config from https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/.well-known/openid-configuration?appid=5c93d001-4338-4920-b98c-948036c7238b
DEBUG 2022-07-14 14:39:45,414 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 14:39:45,428 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 14:39:45,433 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 14:39:45,439 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 14:39:45,446 django_auth_adfs Loading public key from certificate: [certificate data elided]
INFO 2022-07-14 14:39:45,450 django_auth_adfs django_auth_adfs loaded settings from ADFS server.
INFO 2022-07-14 14:39:45,451 django_auth_adfs operating mode:         openid_connect
INFO 2022-07-14 14:39:45,452 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/authorize
INFO 2022-07-14 14:39:45,453 django_auth_adfs token endpoint:         https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/token
INFO 2022-07-14 14:39:45,454 django_auth_adfs end session endpoint:   https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/logout
INFO 2022-07-14 14:39:45,455 django_auth_adfs issuer:                 https://sts.windows.net/0075566f-4303-4cd3-838d-fad7b1e7482e/
[14/Jul/2022 14:39:45] "GET /oauth2/login?next=/ HTTP/1.1" 302 0
DEBUG 2022-07-14 14:39:46,526 django_auth_adfs Received authorization code: 0.AVUAb1Z1AAND00yDjfrXsedILgHQk1w4QyBJuYyUgDbHI4uIAJI.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P8mCNLW92uFf8JGlfQ2oqb7R80vzVgB1BwTuexgFBhn9JWsYAKK9QWBNAWjIGczu9yYf5R8lk-cSdPYC00qvnrwwP-3of7wvkQHMc1FUfVwSnQF_iIxxUB6_FjziAsjsmHZ7kdhpaayOhryS-cLlmSKAlowaeWAwpT3sa4YZ_YqmXXxsyhi56zYSZhXc8RGYoOpdpje0wTt4RBFtImXdstY_jtfo1B1lOfEqayXvxCBNzuiprK9djV4Mfs9tKTzO3e6C1NPmuXgae7Bovu4Fzgh43EXl6MfPVMKGddY8qS8PwDykekT6P1JgQeMafV0AQIgNJ1CuXhVkLfN-gGYKwm0YpwTH-ej6bsJAe-2ifaIR6ziBgdUzjkyggSOWDe__757g_BJI26r516fOSR1gtbBagis6_BIkX1gCPCAEngux0lUjW39M2QPWc1xmQpCTK0aZN9y08RtCnPVmY7t3yZL2iiHIWh-Fak1VVtZQ7ySuwOStdPQ1o6i9MZNyXphJxpNqcQkAaun91Lw5OoSUW8RJRF3OKUl2MPpH5ZdBqU8Z6QGH6xgYP88XTRXzfFMT776ay4ORyzDC3L0mA6yDm_FqoZIObyJGRsj5gHsO2FVDWFnYUWu6YUQ5SCcY3h0Dtxk60CtNZtAHL1VjUoskqyclJ1rNvQqdUU6OEcDMROsKJHMDfVB3Tsck9DIEbOzJ7i6p2-c595QzU8BcW-Mzhl8GfGSurKnzFUuK6bU0M02fPzrmjiS0W4to4idQaxs2j-YIMzVFSem3-00qoVw0TE2L8bh5STDH08y-TpqzWiD3OjYGYo7m4gdhzFmMoljJ8BfasoxILfiJquSAsG92dWTv8eDVBC_Hxr0O1Q3hmjNSorGfp8m8ce16k_ok9HkBD3MkYWV_3CoLcMpvbe3EnJY6dkGiUsQ0vCo7IBOommw56tmZ6b_Z4pj1YdJy4EU-NlMEiwHCf_IFd5pQOAwZcCmOGlBtK9FoSbOCjrWlA8x5acBZrjFOPAJeVYvGpNvwKMF08zdI4MAnczeZ1mXKc-qWywrqYbNCU6cNqFE1bdt9qqP85cGHL9bawv4y4r_iwyZsxv33HTibEeCUzHX4CmMI-5mum1ZF73g1qXO5B3fzhYLwksu0nh6-7Ns0tlZI1nTN7R_DoDCYeBLtOd4pOgdIJpz2jY5fO8  
DEBUG 2022-07-14 14:39:46,528 django_auth_adfs Getting access token at: https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/token
INFO 2022-07-14 14:39:47,013 django_auth_adfs Invalid issuer
Unauthorized: /oauth2/callback
[14/Jul/2022 14:39:47] "GET /oauth2/callback?code=0.AVUAb1Z1AAND00yDjfrXsedILgHQk1w4QyBJuYyUgDbHI4uIAJI.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P8mCNLW92uFf8JGlfQ2oqb7R80vzVgB1BwTuexgFBhn9JWsYAKK9QWBNAWjIGczu9yYf5R8lk-cSdPYC00qvnrwwP-3of7wvkQHMc1FUfVwSnQF_iIxxUB6_FjziAsjsmHZ7kdhpaayOhryS-cLlmSKAlowaeWAwpT3sa4YZ_YqmXXxsyhi56zYSZhXc8RGYoOpdpje0wTt4RBFtImXdstY_jtfo1B1lOfEqayXvxCBNzuiprK9djV4Mfs9tKTzO3e6C1NPmuXgae7Bovu4Fzgh43EXl6MfPVMKGddY8qS8PwDykekT6P1JgQeMafV0AQIgNJ1CuXhVkLfN-gGYKwm0YpwTH-ej6bsJAe-2ifaIR6ziBgdUzjkyggSOWDe__757g_BJI26r516fOSR1gtbBagis6_BIkX1gCPCAEngux0lUjW39M2QPWc1xmQpCTK0aZN9y08RtCnPVmY7t3yZL2iiHIWh-Fak1VVtZQ7ySuwOStdPQ1o6i9MZNyXphJxpNqcQkAaun91Lw5OoSUW8RJRF3OKUl2MPpH5ZdBqU8Z6QGH6xgYP88XTRXzfFMT776ay4ORyzDC3L0mA6yDm_FqoZIObyJGRsj5gHsO2FVDWFnYUWu6YUQ5SCcY3h0Dtxk60CtNZtAHL1VjUoskqyclJ1rNvQqdUU6OEcDMROsKJHMDfVB3Tsck9DIEbOzJ7i6p2-c595QzU8BcW-Mzhl8GfGSurKnzFUuK6bU0M02fPzrmjiS0W4to4idQaxs2j-YIMzVFSem3-00qoVw0TE2L8bh5STDH08y-TpqzWiD3OjYGYo7m4gdhzFmMoljJ8BfasoxILfiJquSAsG92dWTv8eDVBC_Hxr0O1Q3hmjNSorGfp8m8ce16k_ok9HkBD3MkYWV_3CoLcMpvbe3EnJY6dkGiUsQ0vCo7IBOommw56tmZ6b_Z4pj1YdJy4EU-NlMEiwHCf_IFd5pQOAwZcCmOGlBtK9FoSbOCjrWlA8x5acBZrjFOPAJeVYvGpNvwKMF08zdI4MAnczeZ1mXKc-qWywrqYbNCU6cNqFE1bdt9qqP85cGHL9bawv4y4r_iwyZsxv33HTibEeCUzHX4CmMI-5mum1ZF73g1qXO5B3fzhYLwksu0nh6-7Ns0tlZI1nTN7R_DoDCYeBLtOd4pOgdIJpz2jY5fO8&state=Lw%3d%3d&session_state=cc9bdee6-8039-495a-861a-f43ea8c9120b HTTP/1.1" 401 646
[14/Jul/2022 14:39:48] "GET /favicon.ico HTTP/1.1" 302 0
[14/Jul/2022 14:39:48] "GET /oauth2/login?next=/favicon.ico HTTP/1.1" 302 0

In my project’s settings.py

from pathlib import Path

# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent

# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/4.0/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure-z$+3$(r@^@n@s+hkusv-mva1-7pdq(z1ki3!vk0q7%#$^fjg9m'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = []

AUTHENTICATION_BACKENDS = [
    'django_auth_adfs.backend.AdfsAuthCodeBackend',
    'django_auth_adfs.backend.AdfsAccessTokenBackend',
]

# Application definition

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',

    'django_auth_adfs',
]

TENANT_ID = 'MY_TENANT_ID'
CLIENT_ID = 'MY_CLIENT_ID'
CLIENT_SECRET = 'MY_CLIENT_SECRET'

AUTH_ADFS = {
    'AUDIENCE': CLIENT_ID,
    'CLIENT_ID': CLIENT_ID,
    'CLIENT_SECRET': CLIENT_SECRET,
    'CLAIM_MAPPING': {'first_name': 'first_name',
                      'last_name': 'family_name',
                      'email': 'upn'},
    'GROUPS_CLAIM': 'roles',
    'MIRROR_GROUPS': True,
    'USERNAME_CLAIM': 'upn',
    'TENANT_ID': TENANT_ID,
    'RELYING_PARTY_ID': CLIENT_ID,
}

# Configure django to redirect users to the right URL for login
LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/"

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django_auth_adfs.middleware.LoginRequiredMiddleware',
]

# You can point login failures to a custom Django function based view for customization of the UI
CUSTOM_FAILED_RESPONSE_VIEW = 'dot.path.to.custom.views.login_failed'

ROOT_URLCONF = 'config.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [Path.joinpath(BASE_DIR, 'config/templates')],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'config.wsgi.application'

# Database
# https://docs.djangoproject.com/en/4.0/ref/settings/#databases

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': BASE_DIR / 'db.sqlite3',
    }
}

# Password validation
# https://docs.djangoproject.com/en/4.0/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

# Internationalization
# https://docs.djangoproject.com/en/4.0/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_TZ = True

# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/4.0/howto/static-files/

STATIC_URL = 'static/'

# Default primary key field type
# https://docs.djangoproject.com/en/4.0/ref/settings/#default-auto-field

DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'verbose': {
            'format': '%(levelname)s %(asctime)s %(name)s %(message)s'
        },
    },
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
            'formatter': 'verbose'
        },
    },
    'loggers': {
        'django_auth_adfs': {
            'handlers': ['console'],
            'level': 'DEBUG',
        },
    },
}

In my project’s urls.py

from django.contrib import admin
from django.urls import path, include
from . import views

urlpatterns = [
    path('', views.index, name='index'),
    path('admin/', admin.site.urls),
    path('oauth2/', include('django_auth_adfs.urls')),
]

Setting in Azure AD (Backend)

Figure 2

Figure 3

Figure 4

Figure 5

Figure 6

Figure 7

Manifest (Backend)

{
    "id": "24a3b159-773f-45b3-be53-e47ff6db9946",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "5c93d001-4338-4920-b98c-948036c7238b",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2022-07-13T08:25:40Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [
        "api://5c93d001-4338-4920-b98c-948036c7238b"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "django-auth-adfs-test-api",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "read",
            "adminConsentDisplayName": "read",
            "id": "9ca4b352-1cbf-419e-9424-f0814389bfca",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "read"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2023-07-13T08:27:00.842Z",
            "keyId": "979770b6-dd5d-4d0a-a4b5-753dbaa6dba5",
            "startDate": "2022-07-13T08:27:00.842Z",
            "value": null,
            "createdOn": "2022-07-13T08:27:25.4658525Z",
            "hint": "OZ2",
            "displayName": "1 Years"
        }
    ],
    "preAuthorizedApplications": [
        {
            "appId": "f8a9213c-6865-43f5-bb80-fd9efd4e6002",
            "permissionIds": [
                "9ca4b352-1cbf-419e-9424-f0814389bfca"
            ]
        }
    ],
    "publisherDomain": "thanananluaoutlook.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:8000/oauth2/callback",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}

Setting in Azure AD (Frontend)

Figure 8

Figure 9

Figure 10

Figure 11

Manifest (Frontend)

{
    "id": "8bd00fb5-b7e4-4127-b621-b32e81c5af71",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "f8a9213c-6865-43f5-bb80-fd9efd4e6002",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2022-07-13T08:31:30Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "django-auth-adfs-test-ui",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "thanananluaoutlook.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:3000",
            "type": "Spa"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "5c93d001-4338-4920-b98c-948036c7238b",
            "resourceAccess": [
                {
                    "id": "9ca4b352-1cbf-419e-9424-f0814389bfca",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}
JonasKs commented 2 years ago

Hi,

I'm on vacation, so won't be able to help much right now, but please remove your access token from the log output.

You've configured the azure app to use v2 tokens, so your issuer is https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/v2.0.

Please set the token to the correct version in the settings: https://github.com/snok/django-auth-adfs/blob/master/django_auth_adfs/config.py#L80

https://django-auth-adfs.readthedocs.io/en/latest/settings_ref.html#version
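The "Invalid issuer" line in the first log is an exact string comparison between the `iss` claim of the token Azure AD returned and the issuer the library expects for its configured `VERSION`. The two issuer formats are visible in the thread's own logs: `https://sts.windows.net/<tenant>/` for v1.0 (first log) and `https://login.microsoftonline.com/<tenant>/v2.0` for v2.0 (second log). The following is an added example, not code from django-auth-adfs, that reproduces that decision on a constructed token so the mismatch can be seen offline. The tenant ID is a placeholder, the token is built locally with a dummy signature, and the payload is decoded without signature verification purely to inspect claims; the real library verifies the signature with the keys it loads from the OpenID configuration.

```python
import base64
import json
from typing import Tuple


def expected_issuer(tenant_id: str, version: str) -> str:
    """Issuer string Azure AD uses for each token version (see the thread's logs)."""
    if version == "v1.0":
        return f"https://sts.windows.net/{tenant_id}/"
    if version == "v2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise ValueError(f"unsupported version {version!r}")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT checking the signature.

    Only for inspecting which issuer/audience a token carries while debugging.
    Never use this to authenticate anyone: the library validates the signature
    against the JWKS keys it fetched ("Loading public key from certificate").
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token: str, tenant_id: str, version: str) -> Tuple[bool, str]:
    """Mirror the library's issuer check: the iss claim must match exactly."""
    expected = expected_issuer(tenant_id, version)
    actual = unverified_claims(token).get("iss", "")
    if actual == expected:
        return True, "issuer OK"
    return False, f"Invalid issuer: token iss={actual!r}, expected {expected!r}"


def make_demo_token(claims: dict) -> str:
    """Constructed token for demonstration: real header layout, dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Placeholder tenant ID (assumption), not the reporter's.
TENANT = "00000000-0000-0000-0000-000000000000"

# Constructed tokens: what an app registration with accessTokenAcceptedVersion 2
# issues, versus a v1 token.
V2_TOKEN = make_demo_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": "app"})
V1_TOKEN = make_demo_token({"iss": f"https://sts.windows.net/{TENANT}/", "aud": "app"})

if __name__ == "__main__":
    # Library left at the default v1.0 while the app issues v2 tokens: rejected.
    print(check_issuer(V2_TOKEN, TENANT, "v1.0"))
    # After setting VERSION to v2.0 the issuers line up.
    print(check_issuer(V2_TOKEN, TENANT, "v2.0"))
```

The check is deliberately an exact match: accepting either issuer form, or a prefix match, would let a token minted for a different tenant or token version through, so the fix is to align the library's `VERSION` with the app registration's `accessTokenAcceptedVersion` rather than to loosen the comparison.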

thanax2n commented 2 years ago

@JonasKs Thank you for your help. You can help me anytime you like; I can wait for your help. I would like to inform you about the progress: I added the version in settings.py.

Figure 1

Then I logged out and logged in again with the same free Microsoft account (....@outlook.com).

It redirected to a "No authorization code was provided." page.

Figure 2

Logs

Django version 4.0.6, using settings 'config.settings'
Starting development server at http://localhost:8000/ 
Quit the server with CTRL-BREAK.
[14/Jul/2022 15:47:17] "GET / HTTP/1.1" 302 0
DEBUG 2022-07-14 15:47:17,118 django_auth_adfs Loading django_auth_adfs ID Provider configuration.
INFO 2022-07-14 15:47:17,119 django_auth_adfs Trying to get OpenID Connect config from https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/v2.0/.well-known/openid-configuration?appid=5c93d001-4338-4920-b98c-948036c7238b
DEBUG 2022-07-14 15:47:17,883 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 15:47:17,887 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 15:47:17,890 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 15:47:17,894 django_auth_adfs Loading public key from certificate: [certificate data elided]
DEBUG 2022-07-14 15:47:17,897 django_auth_adfs Loading public key from certificate: [certificate data elided]
INFO 2022-07-14 15:47:17,901 django_auth_adfs django_auth_adfs loaded settings from ADFS server.
INFO 2022-07-14 15:47:17,902 django_auth_adfs operating mode:         openid_connect
INFO 2022-07-14 15:47:17,903 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/v2.0/authorize
INFO 2022-07-14 15:47:17,903 django_auth_adfs token endpoint:         https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/v2.0/token
INFO 2022-07-14 15:47:17,904 django_auth_adfs end session endpoint:   https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/oauth2/v2.0/logout
INFO 2022-07-14 15:47:17,904 django_auth_adfs issuer:                 https://login.microsoftonline.com/0075566f-4303-4cd3-838d-fad7b1e7482e/v2.0
[14/Jul/2022 15:47:17] "GET /oauth2/login?next=/ HTTP/1.1" 302 0
Bad Request: /oauth2/callback
[14/Jul/2022 15:47:49] "GET /oauth2/callback?error=invalid_request&error_description=AADSTS90009%3a+Application+%275c93d001-4338-4920-b98c-948036c7238b%27(5c93d001-4338-4920-b98c-948036c7238b)+is+requesting+a+token+for+itself.+This+scenario+is+supported+only+if+resource+is+specified+using+the+GUID+based+App+Identifier.%0d%0aTrace+ID%3a+d6185ee6-a9cb-4e61-8d0c-8f556727d400%0d%0aCorrelation+ID%3a+3b0cf665-ed6c-4a2a-8d86-bebe25890c0e%0d%0aTimestamp%3a+2022-07-14+08%3a47%3a49Z&state=Lw%3d%3d HTTP/1.1" 400 668
[14/Jul/2022 15:47:50] "GET /favicon.ico HTTP/1.1" 302 0
[14/Jul/2022 15:47:50] "GET /oauth2/login?next=/favicon.ico HTTP/1.1" 302 0

Please give me more detail about where the access token that you want me to remove from the log output is. (I am a newbie in Django and English.)
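When Azure AD refuses the authorization request, it does not return a code; it redirects back to the callback with `error` and a URL-encoded `error_description` that packs the AADSTS code, the message, a Trace ID, a Correlation ID and a timestamp into one CRLF-separated string, which is what the 400 on `/oauth2/callback` above shows. The following added example (not django-auth-adfs code) parses such a callback URL into its fields so the AADSTS code and the IDs can be read off and quoted when asking for help; the sample URL is the path and query taken from the log line above, and the decoding of `state` as base64 follows from the login URL's `next=/` appearing as `Lw==`.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# First line of error_description looks like "AADSTS90009: Application ... itself."
AADSTS_RE = re.compile(r"^(AADSTS\d+):\s*(.*)$")

# Path and query copied from the failed callback in the log above.
SAMPLE_CALLBACK = (
    "/oauth2/callback?error=invalid_request&error_description=AADSTS90009%3a+Application+"
    "%275c93d001-4338-4920-b98c-948036c7238b%27(5c93d001-4338-4920-b98c-948036c7238b)+is+"
    "requesting+a+token+for+itself.+This+scenario+is+supported+only+if+resource+is+specified+"
    "using+the+GUID+based+App+Identifier.%0d%0aTrace+ID%3a+d6185ee6-a9cb-4e61-8d0c-8f556727d400"
    "%0d%0aCorrelation+ID%3a+3b0cf665-ed6c-4a2a-8d86-bebe25890c0e%0d%0aTimestamp%3a+2022-07-14+"
    "08%3a47%3a49Z&state=Lw%3d%3d"
)


def _decode_state(state: Optional[str]) -> Optional[str]:
    """Best-effort base64 decode of the state parameter (observed: 'Lw==' -> '/')."""
    if state is None:
        return None
    try:
        return base64.b64decode(state).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def parse_callback_error(url: str) -> Optional[dict]:
    """Describe the OAuth error carried by a callback URL.

    Returns None when the URL carries an authorization code rather than an
    error, so callers can branch on it before attempting the token exchange.
    """
    query = parse_qs(urlsplit(url).query)  # parse_qs also unquotes '+' and %0d%0a
    if "error" not in query:
        return None
    info = {
        "error": query["error"][0],
        "state": query.get("state", [None])[0],
        "aadsts_code": None,
        "message": "",
    }
    info["next"] = _decode_state(info["state"])
    description = query.get("error_description", [""])[0]
    lines = [line.strip() for line in description.splitlines() if line.strip()]
    if lines:
        match = AADSTS_RE.match(lines[0])
        info["aadsts_code"] = match.group(1) if match else None
        info["message"] = match.group(2) if match else lines[0]
    # Remaining lines are "Trace ID: ...", "Correlation ID: ...", "Timestamp: ...".
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower().replace(" ", "_")] = value.strip()
    return info


if __name__ == "__main__":
    for key, value in parse_callback_error(SAMPLE_CALLBACK).items():
        print(f"{key:16} {value}")
```

The Trace ID and Correlation ID are what Microsoft support uses to locate the request on their side, so they are worth keeping in the report; the AADSTS code itself is the part to search for, and the `state` round-trip shows where the library was going to send the user after login.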

JonasKs commented 2 years ago

The token starts with ey 😊, a long long string.

I'm not home, so I'll have to look later 😊

thanax2n commented 2 years ago

@JonasKs Thank you.

sambuca231 commented 2 years ago

@thananan-l did you solve the issue? I'm facing the same error message. Thank you!

JonasKs commented 1 year ago

Please read the troubleshooting guide.

Also list your Azure settings (change parts of e.g. tenant/clientID to ***, do not post your client secret), your Django settings, a decoded token etc. It's literally impossible to help without any context. Spend time on explaining the issue and we might spend time on helping you.

sondrelg commented 1 year ago

Closing from lack of response. Feel free to reopen 🙂