snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

AADSTS50011 HTTP and HTTPS #327

Open cballesteros-sistrol opened 9 months ago

cballesteros-sistrol commented 9 months ago

I am having problems with the redirect URI when trying to log in. I have the application running in AWS, in an ECS container, which communicates through port 80 (HTTP) with an AWS Network Load Balancer, as you can see in this diagram: [image]

As indicated in the documentation and in numerous comments in the repository Issues, I configured the following parameters in my application:

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

However, I still have the same problem when trying to log in: AADSTS50011: The redirect URI 'http://app.domain.com/oauth2/callback' specified in the request does not match the redirect URIs configured for the application '11111111-1111-11111-1111-1111111111'.

Could it be because I am using a Network Load Balancer (level 4) instead of an App Load Balancer? Could it be that I have the application deployed on a subdomain?

Is there any way to set the redirect_uri in a static way to solve this?

To add more information, I am using these versions of Django and the library: django-auth-adfs==1.13.0 django==4.1.12

Thanks in advance


JonasKs commented 9 months ago

243 suggests adding

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

cballesteros-sistrol commented 9 months ago

243 suggests adding

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

Hello, thank you for your quick response. As I mentioned in the description, I have set those variables as explained in that conversation...

JonasKs commented 9 months ago

Ah, sorry, read it in a rush.

Please see docs if you haven't.

Not sure how this works with a L4 LB, but are you able to set the header value as described here?

cballesteros-sistrol commented 9 months ago

Hello,

No, I have not been able to set the headers in any way... I think I have tried everything discussed in the various issues in the repository related to the topic (except those that include Nginx, since we do not have Nginx in the Stack).

I have a doubt; intuition tells me that it would be simpler if you could set the REDIR_URI and, if not, that it would be automatically calculated. Why was this configuration deprecated?

tim-schilling commented 9 months ago

Why was this configuration deprecated?

It was deprecated 6 years ago. According to the comments, it's because it simplified the settings configuration and would rely on LOGIN_REDIRECT_URL. You can see how the redirects happen here.

Is there a reason you can't change the django_auth_adfs:callback url to match what you have in your AD settings?

cballesteros-sistrol commented 9 months ago

Hi, thanks for your reply :)

I have spent several days studying the library code, and changing the LOGIN_REDIRECT_URL has not solved our problem.

I have managed to make a "fix" that works, but it is too crafty, as I had to overwrite several methods of both config and views as well as the authentication backend.

The problem has always been the same: the request made to Azure, both to obtain the Authorization Token and the Access Token, is done with a redirect_uri with http:// by this method:

def redirect_uri(self, request):
    self.load_config()
    return request.build_absolute_uri(reverse("django_auth_adfs:callback"))

My fix basically does not call that method if a configuration variable is set with the redirect_uri.
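The mechanics behind the thread can be shown without Django itself. The block below is an added example, not code from django-auth-adfs or from anyone in this thread. It models what Django does with SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') when build_absolute_uri() runs (a simplified re-implementation, labelled as such), and shows why an L4 balancer leaves the scheme at http: a TCP-level balancer forwards bytes unchanged, so no X-Forwarded-Proto header ever reaches the container and the app socket is plain HTTP. The ForceHttpsMiddleware class, the host name app.domain.com and the helper redirect_uri_for are assumptions made for the demonstration.

```python
"""Constructed demo: why an L4 load balancer yields an http:// redirect_uri."""
from wsgiref.util import setup_testing_defaults

# Same setting as in the thread; Django reads the header named here and
# treats the request as https only when its value equals the second element.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_seen_by_django(environ):
    """Simplified model (assumption, not Django's code) of HttpRequest.scheme."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    value = environ.get(header)
    if value is not None:
        first, *_ = value.split(",")          # chained proxies may append values
        return "https" if first.strip() == secure_value else "http"
    return environ.get("wsgi.url_scheme", "http")   # what the server socket saw


def build_callback_uri(environ, path="/oauth2/callback"):
    """Model of request.build_absolute_uri(reverse('django_auth_adfs:callback'))."""
    return f"{scheme_seen_by_django(environ)}://{environ['HTTP_HOST']}{path}"


class ForceHttpsMiddleware:
    """Hypothetical WSGI middleware for an app reachable only via a TLS-terminating L4 LB.

    Assumption: every request really arrived over TLS at the balancer, so
    stamping the scheme here is truthful. Overwriting (not setdefault) also
    discards any X-Forwarded-Proto a client could send through an L4 LB.
    """

    def __init__(self, app, scheme="https"):
        self.app = app
        self.scheme = scheme

    def __call__(self, environ, start_response):
        environ["wsgi.url_scheme"] = self.scheme
        environ[SECURE_PROXY_SSL_HEADER[0]] = self.scheme
        return self.app(environ, start_response)


def callback_app(environ, start_response):
    """Minimal WSGI app that answers with the redirect_uri it would send to Azure."""
    body = build_callback_uri(environ).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def redirect_uri_for(app, host="app.domain.com", forwarded_proto=None):
    """Run one constructed request through `app` and return the URI it built."""
    environ = {}
    setup_testing_defaults(environ)       # wsgi.url_scheme defaults to "http"
    environ["HTTP_HOST"] = host           # constructed host, not a real deployment
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto

    def start_response(status, headers, exc_info=None):
        pass

    return b"".join(app(environ, start_response)).decode()


if __name__ == "__main__":
    # L4 NLB: no header added, socket is http -> the URI Azure rejects (AADSTS50011)
    print("no proxy header     :", redirect_uri_for(callback_app))
    # L7 proxy that sets X-Forwarded-Proto: Django's setting works as documented
    print("X-Forwarded-Proto   :", redirect_uri_for(callback_app, forwarded_proto="https"))
    # Scheme forced in the app because the L4 balancer cannot tell it
    print("forced https        :", redirect_uri_for(ForceHttpsMiddleware(callback_app)))
```

Two things fall out of running it. First, with no header and a plain-HTTP socket the model produces exactly the http://app.domain.com/oauth2/callback that the error message quotes, which is why SECURE_PROXY_SSL_HEADER alone cannot fix an L4 setup: there is nothing for it to read. Second, the X-Forwarded-Proto case turns https purely on the header's value; behind an L4 balancer that header is whatever the client sent, so a deployment that relies on it there is trusting client input. Forcing the scheme in the app (or the equivalent setting in the ASGI/WSGI server) is only honest when the balancer is the sole path to the container and terminates TLS for all of it.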

alex-atkins commented 1 month ago

Any updates on this? I have almost the exact same issue. One piece to add, I did not have this problem when deployed with gunicorn and wsgi, but I'm testing gunicorn with asgi / uvicorn and this issue appeared. Only change made was this switch.