0
votes

When I try running in localhost, it works fine. But when I try running the same behind a load balancer, it gives the following error:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '<client-id>'.

I have registered the application at AzureAD with the load balancer URL. But when I send my request, the redirect URL is still localhost as shown below.

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=XXX&...**redirect_uri=localhost:8080/login/oauth2/code/azure**&nonce=...

I want my application to insert the load balancer URL as the value of redirect_url (instead of localhost).

I tried the solutions suggested below and was still not successful:

Redirect URL for Spring OAuth2 app on Azure with Active Directory: Invalid Redirect URI Parameter

Spring Boot using Azure OAuth2 - reply URL does not match error

Thanks in advance.

1
Thanks Carl. I decoded and that's what I pasted below. I need some way where this can be customized in my Java Spring Boot application. – SRaj
You need to change the redirect_uri in both Azure portal and your code. If the two URLs are not the same, the error will occur. – Pamela Peng
Yes I checked many times, but it seems OK. Still trying... Thanks – SRaj

1 Answer

1
votes

When you use a load balancer/proxy, you need to add some extra configuration to make it possible to resolve the redirect URL correctly.

A load balancer usually applies the standard RFC7239 "Forwarded Headers" like X-Forwarded-Proto and X-Forwarded-Host. In that case, the redirect URL should be correctly computed after applying the following two configurations (example for the Tomcat scenario):

server.forward-headers-strategy=NATIVE

"If the proxy adds the commonly used X-Forwarded-For and X-Forwarded-Proto headers, setting server.forward-headers-strategy to NATIVE is enough to support those."

server.tomcat.redirect-context-root=false

If you are using Tomcat and terminating SSL at the proxy, server.tomcat.redirect-context-root should be set to false. This allows the X-Forwarded-Proto header to be honored before any redirects are performed.

The above configuration works if you use a placeholder for the base URL in your client configuration in Spring Security, for example {baseUrl}/login/oauth2/code/{registrationId}. In this way, the {baseUrl} placeholder is dynamically resolved by Spring Security differently depending on whether it's behind a load balancer or not (https://your-lb-url.com vs http://localhost:8080).

More info in the official documentation:
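Added example, not code from the question or the answer: an application.properties that puts the answer's two settings and the {baseUrl} redirect-uri template together in one place, plus the trusted-proxy setting that should accompany them. The property names are Spring Boot 2.2+ keys and the registration name "azure" is assumed to match the asker's callback path /login/oauth2/code/azure; the client id, client secret, tenant id and the load balancer subnet are placeholders. It assumes a plain spring-security-oauth2-client setup rather than the Azure-specific starter.

```properties
# Added example (not from the question or the answer). Placeholders are marked.

# 1. Let embedded Tomcat apply X-Forwarded-For / X-Forwarded-Proto (RemoteIpValve),
#    so the request's scheme and host reflect what the load balancer received.
server.forward-headers-strategy=NATIVE

# 2. Do not redirect to the context root before the forwarded headers are applied
#    (matters when TLS terminates at the load balancer).
server.tomcat.redirect-context-root=false

# 3. Only trust forwarded headers when the direct peer is the load balancer.
#    Without this restriction any client could send its own X-Forwarded-* headers
#    and steer the computed redirect_uri. Regex; backslashes are doubled for the
#    properties format. Replace with the load balancer's real address range (placeholder).
server.tomcat.remoteip.internal-proxies=10\\.0\\.0\\.\\d{1,3}

# 4. Derive the redirect URI from the resolved request instead of hard-coding localhost.
#    With (1)-(3) in place, {baseUrl} becomes https://your-lb-url.com behind the load
#    balancer and http://localhost:8080 when run locally.
spring.security.oauth2.client.registration.azure.client-id=<client-id placeholder>
spring.security.oauth2.client.registration.azure.client-secret=<client-secret placeholder>
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.scope=openid,profile
spring.security.oauth2.client.registration.azure.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/<tenant-id placeholder>/v2.0
```

To verify the effect, watch the redirect_uri parameter in the authorize request the application issues: it should show the load balancer's scheme and host, and it must match one of the reply URLs registered for the application in the Azure portal exactly, scheme and path included, or AADSTS50011 is still returned.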