Redirect URL for Spring OAuth2 app on Azure with Active Directory: Invalid Redirect URI Parameter

4
votes

I am following the following two tutorials of the Azure documentation: https://docs.microsoft.com/en-us/azure/java/spring-framework/deploy-spring-boot-java-app-with-maven-plugin which shows how to deploy a simple Spring Boot application to Azure and https://docs.microsoft.com/en-us/azure/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory to set up and use an active directory as OAuth2 server with a Spring Security OAuth2 Client. Basically I just add the OAuth2 dependencies to Maven, a WebSecurityConfig class as shown in the second document and additionally also the azure.activedirectoy and spring.security properties.

When the application is just run from my local computer the login and redirection works fine. But when the application is deployed to Azure, I get an application error saying: Invalid Redirect URI Parameter. I think I have set the redirect-uri correctly as

https://{baseHost}{basePort}{basePath}/login/oauth2/code/azure

in the application properties as well as in the application registration with my Active Directory.

As far as I can see the authorization request uses the right parameters:

response_type: code
client_id: 4b5fbcfd-c35f-4bab-bc45-374c7e1dead8
scope: openid https://graph.microsoft.com/user.read
state: yMvo62R-6vgjETSGr_mnh4iIMZimVnFYZRyiGFaOPtE=
redirect_uri: https://myappname.azurewebsites.net/login/oauth2/code/azure
nonce: FUXJ5GoJ2NuNVx2ORU70YCqnJkEj8FRYHEJYMutEQzo

So, what could the Invalid Redirect URI Parameter be, and how can I change this?

2
javaazurespring-bootazure-active-directoryspring-security-oauth2
Just to ensure, you have already added your actual Azure web app url myappname.azurewebsites.net/login/oauth2/code/azure as the reply url in your Azure ad app?Bhushan
yes, as redirect-uri: 'https://{baseHost}{basePort}{basePath}/login/oauth2/code/azure' in the application.yaml, and also in the app registration in the Active Directory: "replyUrlsWithType": [ { "url": "myappname.azurewebsites.net/login/oauth2/code/azure", "type": "Web" } ]Gregor
In addition I had an error with the id-token which is described here: github.com/microsoft/azure-spring-boot/issues/288. The solution was, as described in this issue, to set oauth2AllowIdTokenImplicitFlow to true.Gregor

2 Answers

3
votes

I followed these two tutorials, it works fine on local environment, on Azure webapp, I encountered redirect url mismatch error.

The cause is that the redirect_uri is always started with http. After adding server.forward-headers-strategy=native in applications.properties, it works. (I am using spring boot 2.2)

Here is the pom.xml for your reference.

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">  
  <modelVersion>4.0.0</modelVersion>  
  <parent> 
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-parent</artifactId>  
    <version>2.2.4.RELEASE</version>  
    <relativePath/>  
    <!-- lookup parent from repository --> 
  </parent>  
  <groupId>com.example.ad</groupId>  
  <artifactId>ad</artifactId>  
  <version>0.0.1-SNAPSHOT</version>  
  <name>ad</name>  
  <description>Demo project for Spring Boot</description>  
  <properties> 
    <java.version>1.8</java.version>  
    <azure.version>2.2.0</azure.version> 
  </properties>  
  <dependencies> 
    <dependency> 
      <groupId>org.springframework.boot</groupId>  
      <artifactId>spring-boot-starter-security</artifactId> 
    </dependency>  
    <dependency> 
      <groupId>org.springframework.boot</groupId>  
      <artifactId>spring-boot-starter-web</artifactId> 
    </dependency>  
    <dependency> 
      <groupId>com.microsoft.azure</groupId>  
      <artifactId>azure-active-directory-spring-boot-starter</artifactId> 
    </dependency>  
    <dependency> 
      <groupId>org.springframework.boot</groupId>  
      <artifactId>spring-boot-starter-test</artifactId>  
      <scope>test</scope>  
      <exclusions> 
        <exclusion> 
          <groupId>org.junit.vintage</groupId>  
          <artifactId>junit-vintage-engine</artifactId> 
        </exclusion> 
      </exclusions> 
    </dependency>  
    <dependency> 
      <groupId>org.springframework.security</groupId>  
      <artifactId>spring-security-test</artifactId>  
      <scope>test</scope> 
    </dependency>  
    <dependency> 
      <groupId>org.springframework.security</groupId>  
      <artifactId>spring-security-oauth2-client</artifactId> 
    </dependency>  
    <dependency> 
      <groupId>org.springframework.security</groupId>  
      <artifactId>spring-security-oauth2-jose</artifactId> 
    </dependency> 
  </dependencies>  
  <dependencyManagement> 
    <dependencies> 
      <dependency> 
        <groupId>com.microsoft.azure</groupId>  
        <artifactId>azure-spring-boot-bom</artifactId>  
        <version>${azure.version}</version>  
        <type>pom</type>  
        <scope>import</scope> 
      </dependency> 
    </dependencies> 
  </dependencyManagement>  
  <build> 
    <plugins> 
      <plugin> 
        <groupId>org.springframework.boot</groupId>  
        <artifactId>spring-boot-maven-plugin</artifactId> 
      </plugin>  
      <plugin> 
        <groupId>com.microsoft.azure</groupId>  
        <artifactId>azure-webapp-maven-plugin</artifactId>  
        <version>1.9.0</version>  
        <configuration>
          <schemaVersion>V2</schemaVersion>
          <resourceGroup>ad-1582615028467-rg</resourceGroup>
          <appName>ad-1582615028467</appName>
          <pricingTier>P1v2</pricingTier>
          <region>westeurope</region>
          <runtime>
            <os>linux</os>
            <javaVersion>jre8</javaVersion>
            <webContainer>jre8</webContainer>
          </runtime>
            <appSettings>
                <property>
                    <name>JAVA_OPTS</name>
                    <value>-Dserver.port=80</value>
                </property>
            </appSettings>
          <deployment>
            <resources>
              <resource>
                <directory>${project.basedir}/target</directory>
                <includes>
                  <include>*.jar</include>
                </includes>
              </resource>
            </resources>
          </deployment>
        </configuration>
      </plugin> 
    </plugins> 
  </build> 
</project>
1
votes

What eventually worked for me, was the following application.yml.

server:
  forward-headers-strategy: FRAMEWORK
  port: 8080
  error:
    include-message: "always" ## You want to be able to supply meaningful error resolution hints to end users.
  servlet:
    context-path: /myappcontextpath