davidjrh/dnn.azureadprovider

Error on Login AADSTS50011: The reply url specified in the request does not match the reply urls configured

ddonaldsondss opened this issue · 18 comments

Hello,

I'm working on a DotNetNuke 9.01 site and I worked with my IT department on configuring the add-on based on the instructions provided. The problem is that I'm unable to log in via Azure, as I get the error listed in the title. I'm unable to find the replyUrls section in the code for the site. Can you illuminate how to resolve this issue?

Sincerely,
David B. "Red" Donaldson.

Check that the reply URL in the Azure App Registration is configured correctly.

According to Microsoft,

> Sign into portal.azure.com with an account that's an administrator on your tenant.
> Navigate to Azure Active Directory in the left side bar > App registrations > Your app > All settings > Reply URLs.

The reply URL value should be Http://yourwebsite/Login

Hello,

We get a redirect_uri of http://{mysite}/Login, but it just redirects back to the Login page without logging us in. Should there be a different location to redirect to? Is there a file within the site that I can look for to determine what the reply url value is listed as?

Sincerely,
David B. "Red" Donaldson.

Log in with the super user account (the one not linked to Azure AD) and check the users tab to see if there are any unauthorized accounts that are related to yours.

REF: #10

I just checked the users tab and I did find 2 unauthorized users. I authorized them, but I'm still experiencing the same issue as before. Is there a config file within the site that needs to be edited?

Was this ever resolved?

Thinking back on it now, I think I remember a situation where users would be sent to Azure to sign in, enter their credentials and be forwarded back to the Login page, but only if they needed authorization. I probably just overlooked it because in our environment we only have a handful of users, and they are all authorized now and everything works. Is this the problem you have too?

Almost like https://github.com/davidjrh/dnn.azureadprovider/blob/master/DotNetNuke.Authentication.Azure/Login.ascx.cs#L70 never executes.

Hi @ddonaldsondss, there is no config file, all settings are on the tab. Can you reattach the error image? One of the causes of "AADSTS50011: The reply url specified in the request does not match the reply urls configured" can be that the URL on the Azure AD side is case sensitive, and that is one of the reasons I always use lower case URLs.

This is the login screen: (screenshot attached)

This is the error message: (screenshot attached)

On the second screenshot, can you check in the URI the parameter "redirect_uri"? It must be exactly the same one you have setup on the Azure AD app.

Closing as old issue

I can not see an answer to this question and still, I have this issue. Please, can you advise on this if anybody found an answer?

Can you check if you are using "http" or "https", and if the same protocol is specified in the return URL list on the Azure AD application configuration? This is a common mistake I make until I redirect all the traffic to https to avoid it.
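The advice in this thread (check the redirect_uri parameter on the error URL, and compare scheme and path case against what is registered) can be turned into a small diagnostic. This is an added example, not code from the module or from anyone in the thread; it assumes the scheme and host compare case-insensitively as ordinary URL components do, while the path must match exactly. The sample request and reply URL are constructed.

```python
from urllib.parse import parse_qs, urlsplit


def extract_redirect_uri(authorize_url: str) -> str:
    """Return the (URL-decoded) redirect_uri parameter of an Azure AD /authorize request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        raise ValueError("request carries no redirect_uri parameter")
    return values[0]


def compare_reply_url(requested: str, registered: str) -> list[str]:
    """List the differences between one requested redirect_uri and one registered reply URL."""
    r, c = urlsplit(requested), urlsplit(registered)
    diffs = []
    # Assumption: scheme and host are case-insensitive, so only a real protocol/host change counts.
    if r.scheme.lower() != c.scheme.lower():
        diffs.append(f"scheme: request {r.scheme}://, registered {c.scheme}://")
    if r.netloc.lower() != c.netloc.lower():
        diffs.append(f"host: request {r.netloc}, registered {c.netloc}")
    # The path is compared exactly; distinguish the two mistakes the thread mentions most.
    if r.path != c.path:
        if r.path.lower() == c.path.lower():
            diffs.append(f"path case: request {r.path}, registered {c.path}")
        elif r.path.rstrip("/") == c.path.rstrip("/"):
            diffs.append(f"trailing slash: request {r.path}, registered {c.path}")
        else:
            diffs.append(f"path: request {r.path}, registered {c.path}")
    if r.query != c.query:
        diffs.append("query string differs")
    return diffs


def diagnose(requested: str, registered: list[str]) -> list[str]:
    """Empty list on an exact match; otherwise the differences against the closest registered URL."""
    if requested in registered:
        return []
    return min((compare_reply_url(requested, u) for u in registered), key=len)


# Constructed sample: the reply URL registered on the app, and the authorize request the site sent
# (the client_id is a placeholder, not a real application id).
REGISTERED = ["https://dnn.example.test/Login"]
REQUEST = ("https://login.microsoftonline.com/common/oauth2/authorize"
           "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
           "&redirect_uri=http%3A%2F%2Fdnn.example.test%2Flogin")

if __name__ == "__main__":
    for line in diagnose(extract_redirect_uri(REQUEST), REGISTERED) or ["exact match"]:
        print(line)
```

For the constructed request the output names both problems at once: the request uses http where https is registered, and "/login" differs from "/Login" only in case.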

Thank you for the reply. I always used HTTPS, as my website uses HTTPS. That was not the issue.

This is what I did and it worked for me. But I do not know if that is the exact solution.
I created a new DNN login page and placed the login module on it. Then I selected it as the login page in 'Site Settings'.
I used that link as the return URL in the Azure AD app configuration.

Then it worked.

But still, one thing to clarify. It loads the profile data from the Azure AD account, but not all profile data. I cannot find the appropriate tokens to use to map to the DNN profile fields.

Ex: DNN Fields - PhoneNumber, Photo, country, region, city etc.
What are the Azure AD tokens to use in the 'Mapping -> User Mapping' in the module settings?

Appreciate your support. Thank you.

For the URL, note that AzureAD reply URL is case sensitive and DNN by default uses “/Login” (with capital “L”). Perhaps that was the issue?

Regarding the mappings, take a look at this blog post https://intelequia.com/blog/post/2048/using-custom-claim-mappings-on-dnn-azure-ad-module. I will try to update the module documentation, putting it all together in the repo Wiki.

I tried with a capital L as well, but somehow it didn't work either at that time. It might have been a cache issue as well; now I am clearing the cache and the AppPool too before I check any changes. Anyway, it is fine now with the new login page.

Regarding the tokens - yes, I saw this article before. I want to update the AAD profile fields to the DNN profile. Is this possible?
Can't we use the "USER PROFILE MAPPINGS" option for this? I can see the default values are the same on both. But how do we know the appropriate "AAD Claim" for the "DNN Profile Property"? Do we need to build a custom "AAD Claim"/token for this manually?

Please, advise.
Thank you!

Regarding the tokens, yes, you have to set up the claims on the tokens in some way. In the next release all the "prefilled" mappings in the default installation will be removed to avoid confusion. Setting up the claims on Azure AD is a bit of a pain, something I hope will be easier when 2.0 tokens go out of "Preview".