Redirect URI changes from https to http
HiralBarot1512 opened this issue · 7 comments
I followed this tutorial https://django-auth-adfs.readthedocs.io/en/latest/azure_ad_config_guide.html#step-3-register-and-configure-an-azure-ad-frontend-application and everything is set as per that, but when I try to log in I am seeing a URI mismatch error, and the cause for that is I can see http instead of https in redirect_uri. I also tried passing
AUTH_ADFS = {
....
'REDIR_URI': 'https://abc.com'
...
}
but it's not working even after this. I tried setting up all of these one by one but no luck.
SECURE_SSL_REDIRECT = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
USE_X_FORWARDED_HOST = True
USE_X_FORWARDED_PORT = True
Any help would be appreciated.
Thanks
@HiralBarot1512 can you include the full error and the logs? It's also a good idea for you to debug the application and library to see why exactly that URI mismatch error is being raised. You can do so by dropping a breakpoint(), using an IDE's debugger or putting a number of print statements in the code.
@tim-schilling @HiralBarot1512 Any updates on this? I've been looking for a solution for a few days now without a way to fix the problem. It looks like the REDIR_URI setting is deprecated and no longer available. I see there's discussion of adding it back, but I don't see it in the main branch yet. One thing to note is I only experience this issue with asgi / uvicorn. No issue with wsgi.
Hi @alex-atkins, no there isn't. If you'd like to help move things along, can you please go through the flow and include the full error and logs as I asked Hiral to do here: #303 (comment)
If you can identify where and why things aren't lining up or create a minimal reproducible example, that can help move everyone forward.
@tim-schilling I have django-auth-adfs logs set to debug and there are no errors related to this. I don't see any gunicorn errors either. The only error is the one directly from Azure, which is the same one referenced in these other issues: #330 #327
I have all the recommended settings for django and nginx:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_DOMAIN = SERVER_NAME
SECURE_SSL_REDIRECT = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
USE_X_FORWARDED_HOST = True
USE_X_FORWARDED_PORT = True
nginx.conf
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_pass http://django;
I'm open to debugging suggestions, but the issue only occurs when deployed to a server and not on localhost, since localhost is http. This has made debugging rather difficult. The error from Azure's side is pretty clear: I only have https endpoints allowed and it's receiving an http redirect from my server. When django-auth-adfs sets the redirect_uri in the Response Headers it is HTTP instead of HTTPS. For some reason the settings telling it to use HTTPS only are not being respected.
Azure Error:
AADSTS50011: The redirect URI 'http://mysite.com/oauth2/callback' specified in the request does not match the redirect URIs configured for the application
The redirect URI 'http://mysite.com/oauth2/callback' specified in the request
Have you confirmed that's in the payload that's being sent to Azure?
@tim-schilling Looks like this was a classic case of user error. I'd been doing something weird with how I was loading my environment settings and for some reason it worked on WSGI, but with ASGI it didn't. Essentially the SSL settings above were not actually being set. My apologies! Thank you all for making an awesome package 💯
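The resolution above (the SSL settings were never actually loaded under ASGI) can be reproduced without a deployment. The following is an added illustration, not code from django-auth-adfs or from anyone in this thread: it models, in a simplified and not version-exact way, how Django derives request.scheme from SECURE_PROXY_SSL_HEADER, which is what build_absolute_uri() and therefore the OAuth redirect_uri depend on. The hostname mysite.com and the /oauth2/callback path are taken from the Azure error quoted earlier; the META dicts are constructed sample input.

```python
# Added illustration for this thread; NOT code from django-auth-adfs or the
# commenters. It mirrors (assumption: simplified, not tied to one Django
# version) the logic of django.http.HttpRequest.scheme so the effect of a
# missing SECURE_PROXY_SSL_HEADER setting on redirect_uri is visible offline.
from urllib.parse import urlunsplit

CALLBACK_PATH = "/oauth2/callback"  # path from the thread's AADSTS50011 message

# The setting the thread says should be in effect behind nginx.
SECURE_SETTINGS = {
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def request_scheme(meta, settings):
    """Return 'http' or 'https' the way Django's HttpRequest.scheme decides.

    meta     -- the request META dict (WSGI environ / ASGI-derived headers)
    settings -- a plain dict standing in for django.conf.settings
    """
    header = settings.get("SECURE_PROXY_SSL_HEADER")
    if header:
        name, secure_value = header
        value = meta.get(name)
        if value is not None:
            # Only the first comma-separated value counts (chained proxies).
            first, *_ = value.split(",", 1)
            return "https" if first.strip() == secure_value else "http"
    # No override in effect: fall back to what the app server itself saw.
    return meta.get("wsgi.url_scheme") or "http"


def build_redirect_uri(meta, settings, host):
    """Assemble the redirect_uri a login view would hand to the IdP."""
    scheme = request_scheme(meta, settings)
    return urlunsplit((scheme, host, CALLBACK_PATH, "", ""))


def diagnose(host="mysite.com"):
    """Compare the three situations discussed in the thread."""
    # Constructed META for an app server behind a TLS-terminating proxy.
    behind_tls_proxy = {"wsgi.url_scheme": "http",
                        "HTTP_X_FORWARDED_PROTO": "https"}
    # Constructed META where the proxy never sent X-Forwarded-Proto.
    no_header = {"wsgi.url_scheme": "http"}
    return {
        # Settings loaded and the header present: the expected https URI.
        "settings_loaded": build_redirect_uri(behind_tls_proxy, SECURE_SETTINGS, host),
        # Settings silently not loaded (the root cause reported above): http.
        "settings_missing": build_redirect_uri(behind_tls_proxy, {}, host),
        # Settings loaded but the proxy did not set the header: also http.
        "header_missing": build_redirect_uri(no_header, SECURE_SETTINGS, host),
    }


if __name__ == "__main__":
    for case, uri in diagnose().items():
        print(f"{case:17s} -> {uri}")
```

Running diagnose() shows that only the combination of the setting being loaded and the proxy actually sending X-Forwarded-Proto yields https://mysite.com/oauth2/callback; either half missing produces the http URI Azure rejected. One caveat worth keeping in mind when reviewing the nginx snippet in this thread: proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto forwards whatever value arrived from the client, while $scheme reflects the protocol nginx itself terminated. Django's documentation for SECURE_PROXY_SSL_HEADER requires that the proxy overwrite the header, since the application will trust it unconditionally.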
Glad you found your solution! Thank you for the kind words and patience.
Closing the issue for staleness