Spring Boot using Azure OAuth2 - reply URL does not match error

0
votes

I have Spring Boot web application that I attempting to secure with Azure OAuth2. This application is based on the Azure SDK sample azure-spring-boot-sample-active-directory-webapp.

I build and deploy the application to Azure as a Web App. I am challenged for my MS Credentials, I give my consent to share my information. I get the following error:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '**client id**'.

I am sure the issue is around the Registered Application's redirect urls. I register the urls the sample tells me to register, but I still get the error. I have deleted the Azure AD registered app and started over, no change in behavior.

I see this error with Edge and Chrome.

Environment

  • Spring Boot Parent : 2.3.8.RELEASE
  • Azure Starter AD : 3.1.0
  • OS : Linux
  • Java : Java 11
  • Web server stack: Java SE

Active Directory App Registration

  • Supported Account Types : Accounts in this organizational directory only (Single Tenant)
  • Authentication : Web : redirect url : https://myapp.azurewebsites.net/login/oauth2/code/azure
  • Authentication : Web : redirect url : https://myapp.azurewebsites.net/login/oauth2/code/arm
  • Created Secret
  • API Permission : Azure Service Management : user_impersonation
  • API Permission : Microsoft Graph : Directory.AccessAsUser.All (Granted for Default Directory)
  • API Permission : Microsoft Graph : User.Read (Granted for Default Directory)
  • API Permission : Office 365 Management APIs : ActivityFeed.Read (Granted for Default Directory)
  • API Permission : Office 365 Management APIs : ActivityFeed.ReadDlp (Granted for Default Directory)
  • API Permission : Office 365 Management APIs : ServiceHealth.Read (Granted for Default Directory)

application.yaml

azure:
  activedirectory:
    authorization-clients:
      arm:
        on-demand: true
        scopes: https://management.core.windows.net/user_impersonation
      graph:
        scopes:
          - https://graph.microsoft.com/User.Read
          - https://graph.microsoft.com/Directory.Read.All
      office:
        scopes:
          - https://manage.office.com/ActivityFeed.Read
          - https://manage.office.com/ActivityFeed.ReadDlp
          - https://manage.office.com/ServiceHealth.Read
    client-id: my-client-id
    client-secret: my-client-secret
    tenant-id: my-tenant-id
    user-group:
      allowed-groups: group1, group2
    post-logout-redirect-uri: https://myapp.azurewebsites.net/

pom.xml

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.8.RELEASE</version>
        <relativePath/>
        <!-- lookup parent from repository -->
    </parent>
    <groupId>mygroup</groupId>
    <artifactId>adoauthdemo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>adoauthdemo</name>
    <description>Demonstration of integrating a spring boot application with Azure AD OAuth</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>com.azure.spring</groupId>
            <artifactId>azure-spring-boot-starter-active-directory</artifactId>
            <version>3.1.0</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <excludes>
                        <exclude>
                            <groupId>org.springframework.boot</groupId>
                            <artifactId>spring-boot-configuration-processor</artifactId>
                        </exclude>
                        <exclude>
                            <groupId>org.projectlombok</groupId>
                            <artifactId>lombok</artifactId>
                        </exclude>
                    </excludes>
                </configuration>
            </plugin>
            <plugin>
                <groupId>com.microsoft.azure</groupId>
                <artifactId>azure-webapp-maven-plugin</artifactId>
                <version>1.12.0</version>
                <configuration>
                    <authType>azure_cli</authType>
                    <resourceGroup>adoauthdemo-rg</resourceGroup>
                    <appName>adoauthdemo</appName>
                    <pricingTier>B1</pricingTier>
                    <region>eastus</region>
                    <deployment>
                        <resources>
                            <resource>
                                <directory>${project.basedir}/target</directory>
                                <includes>
                                    <include>*.jar</include>
                                </includes>
                            </resource>
                        </resources>
                    </deployment>
                    <runtime>
                        <os>Linux</os>
                        <javaVersion>Java 11</javaVersion>
                        <webContainer>Java SE</webContainer>
                    </runtime>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
1
azurespring-bootoauth-2.0azure-active-directory

1 Answers

0
votes

I had to add the following to my application.yaml.

server:
  forward-headers-strategy: native

By way of explanation

I turned on debugging on my application and I finally saw what was causing my issue:

Redirecting to 'https://login.microsoftonline.com/**tenant id**/oauth2/v2.0/authorize?response_type=code&client_id=**client id**&scope=https://manage.office.com/ServiceHealth.Read%20openid%20profile%20offline_access%20https://graph.microsoft.com/User.Read%20https://graph.microsoft.com/Directory.AccessAsUser.All%20https://graph.microsoft.com/Directory.Read.All%20https://manage.office.com/ActivityFeed.ReadDlp%20https://manage.office.com/ActivityFeed.Read&state=rccivv5nfrx270lpF_y4hHGDP-hhfUSSKI0mmokkNNA%3D&redirect_uri=http://myapp.azurewebsites.net/login/oauth2/code/azure&nonce=fVQX_yumChDneZJvE1pLljs81thZtpBk8do5h1XClGs'

The important part is the redirect_uri parameter: http://myapp.azurewebsites.net/login/oauth2/code/azure

My Spring Boot app was using http instead of https.

Now I found an article that addresses this issue where they fixed this same issue as I indicated above.