I'm trying to configure a valid redirectUri for all of my swagger clients, It cost me a lot of work, cause I have to configure a redirectUri for local environment and one redirectUri for each environment.
I try to add something like * / * or http://* and this is not working.
Any Idea?
Thanks
in #identityserver4 you can add many redirect URLs but domain name and subdomain will be used and port will be ignored:
https://for.example.com
https://for.example.com:888
https://for.example.com:999
are the same.
Related
I've been struggling to find a solution for this issue. Basically I have web application that allows users to sign in with their azure active directory using OpenIdConnect. Everything works perfectly fine on my local. However, when deployed to azure aks, somehow the redirect url changes from https to http when user is authenticated. This causes an exception in azure ad:
AADSTS50011: The redirect URI 'http://example.abc.com/signin-oidc' specified in the request does not match the redirect URIs configured for the application 'c853f6fe-5f4a-436e-b329-ff6da9ab89ab'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
I defined the redirect URI in the application as https://example.abc.com/signin-oidc and no wonder that it does not match. However, I'm struggling to find out why it's happening and how I can resolve it. I'm using .NET 6 and AKS client version 1.22.
Any help would be greatly appreciated. Thank you
AADSTS50011: The redirect URI 'http://example.abc.com/signin-oidc' specified in the request does not match the redirect URIs configured for the application 'c853f6fe-5f4a-436e-b329-ff6da9ab89ab'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
The above error occurs usually when redirect Url in the authentication are not configured in Azure AD like.
Accessing Website from a different address than what you have defined for your application causes an error.
please check if you have made a mistake in the configuration itself.
From your case :
Please make sure you set ssl redirects url to True
Note:
By default controller redirects HTTP clients to 443 port -https ,if it has TLS is enabled
In ingress routing yaml file if it is set to false, try to set it or modify it to true
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
Also as you said you are using .net make sure you have set headers to true.
Please check that header size in 32k in annotations.
nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
Reference:
Error AADSTS50011 - The reply URL specified in the request does not match the reply URLs configured for the application . - Active Directory | Microsoft Docs
I finally figured out the solution for myself. Thanks to the answer in other SOF
Since I'm using .NET 6, all I have to do is
Set the ASPNETCORE_FORWARDEDHEADERS_ENABLED = true AND
Add these two lines suggested from #Venkatesan to my ingress yml
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
Everything works perfectly after that.
Thank you everyone.
On configured AKS there is docker container with application that is using AAD authentication.
Based on this article there is also configured ingress. API is working well.
When I add to Azure Active Directory application registration reply URL with https prefix I receive error "The reply url specified in the request does not match the reply urls configured for the application". And I see that in browser address line redirect_uri is starting with http.
When I add reply URL that is starting with http, then I receive "Exception: Correlation failed".
What I have tried: Add to ingress.yaml setting ingress.kubernetes.io/force-ssl-redirect: "true"
May be there is some way to force ingress run https instead of http, or there might be some AAD redirect configuration? Any ideas?
UPDATE 2: Probably http redirect is because of ADAL.
PS: Was able to find similar topic without an answer
UPDATE3:
I have decided not to use nginx as ingress. Instead I am using now Load balancer. Soon it would be possible to use Azure Application Gateway Ingress Controller
Have you tried this?
By default the controller redirects HTTP clients to the HTTPS port 443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.
This can be disabled globally using ssl-redirect: "false" in the NGINX config map, or per-Ingress with the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.
More information on this on the Ingress documentation link.
You have to make a decision whether to use HTTPS or not. If this is just the start of a development cycle, start without it and get auth to work - but implement HTTPS as soon as possible.
AAD supports both http and https, but of course, the reply urls must be added to the application registration respectively.
As #mihail-stancescu says, ssl-redirect must be set to false, if you choose not to use HTTPS. In addition to this, you also have to ensure that your app does not make the redirect from HTTP to HTTPS.
Using curl with -L -k and -v options will give you a lot of information on what is actually happening with your requests.
When the http/https thing is solved, you have to remove any rewrite annotations you have in your ingress. (e.g. ingress.kubernetes.io/rewrite-target: / should be removed).
Now, if your ingress path to the service in question is e.g. /myservice, then the reply-url should also have that part of the path added ([host]/myservice/signin-oidc) - both in the AAD application registration and in the configuration of your app. (The path in the config should not contain the host)
If you are using https, then you must also have a proper certificate. You can use the free LetsEncrypt (https://letsencrypt.org/) in conjunction with KubeLego (https://github.com/jetstack/kube-lego), where you can find some nice examples on how to implement it.
I am trying to create a Google Client ID to login with Gmail. While trying to create the login, I got below error.
As per the error, it is not ending with back slash. But still I am getting back slash error.
Am I missing anything?
It is clearly mentioned there
For use with requests from a browser. This is the origin URI of the client application. It can't contain a wildcard (http://*.example.com) or a path (http://example.com/subdir). If you're using a nonstandard port, you must include it in the origin URI.
If you want to add a new redirect URl, you need to add it in the text area "AUTHORIZED REDIRECT URI".
But in case of javascript origins, it is not for redirect uri, it contains origins where your app is allowed to access the Google APIs.(Origins cannot contain a wildcard or a path)
It requires your site address.
I myself use youtube api, have a look at this
But when i add the site address only, then error is vanished. Because, javascript origins contains origins where your app is allowed to access the Google APIs. I.e; Your site address.
Even we can mention the port as well. Path to sub directories is not allowed.
So, since your application is hosted on localhost with port 1234, just add this to your javascript origins:
http://localhost:1234
I have two accounts, from one account i created the app(Account 1) and in the second, i installed the managed app. In my primary account(Account 1), i am able to run the app but in all other accounts where i installed the app, i am getting this error: Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://na34.salesforce.com’) does not match the recipient window’s origin (‘https://esisf.na34.visual.force.com’).
I know both of those url are different but i don't know how to make them same or fix this issue.
Please if anyone has any idea, please let me know how to fix this issue.
Thanks in advance
This sounds like a CORS issue. You're also using the MyDomain feature, so there's a "esisf" subdomain before the na34 server subdomain.
Try whitelisting both urls in your CORS setup
Use CORS
I have the following problem.
A reverse proxy is used to establish a secure (https) connection to a server in an internal network. So the address is https://<url>. If I am now on my login page (https://<url>/users/login) and hit "submit" the https is removed (by the loginRedirect) and it's trying to connect to the url via http. Of course that is running into an timeout but the users is logged in. If the user is then accessing a page directly it's working.
Once the users is on the page he can do everything that is necessary and the other links are showing up with https as expected.
How can I avoid that the loginRedirect is removing the https? One solution is to use simply $this->redirect('<url>'); instead of $this->redirect($this->Auth->redirect()); but then I would lose the handling of direct links if somebody is not logged in and tries to access a specific part of the page that requires authentication.
I just got help in the CakePHP lighthouse forum and I would like to share the solution with you. It was actually pretty easy. In a reverse proxy scenario you have to edit the bootstrap.php (in the config folder) and add the following base URL:
define('FULL_BASE_URL','https://your base url');