Azure AD sign-in to Gov Cloud (GCC HIGH) tenant.

[smccutchen]

Attempted Debugging

• I have read the debugging page

Searched GitHub Issues

• I have searched GitHub for the issue.

Describe the Scenario

I am attempting to setup Azure AD authentication in Bookstack, targeting a GCC High (Gov Cloud) tenant.

There is a key difference for Azure Gov Cloud customers when accessing the API... specifically we must access ".us" endpoints instead of the commercial ".com" endpoints.

So the URL "https://login.microsoftonline.com" is really "https://login.microsoftonline.us" for GCC High customers.

In Bookstack, there appears to be no way to define which Azure cloud environment to authenticate against, and when registering a new user or attempting to login to an existing one I receive the following error:

Client error: POST https://login.microsoftonline.com/%7Bc546c644-76a8-7be7-bece-26daa0c55af9%6D/oauth2/v2.0/token` resulted in a 400 Bad Request response: {"error":"invalid_request","error_description":"AADSTS900432: Confidential Client is not supported in Cross Cloud request (truncated...)`

It appears that Bookstack always attempts to authenticate against the public Azure cloud, and I have seen no override settings in the documentation that would allow me to redirect these requests to the Azure Gov cloud.

Exact BookStack Version

22.02.1

Log Content

Logs

`[2022-02-28 16:27:29] production.ERROR: Client error: `POST https://login.microsoftonline.com/%7Bc546c644-76a8-7be7-bece-26daa0c55af9%7D/oauth2/v2.0/token` resulted in a `400 Bad Request` response:
{"error":"invalid_request","error_description":"AADSTS900432: Confidential Client is not supported in Cross Cloud reques (truncated...)
 {"exception":"[object] (GuzzleHttp\\Exception\\ClientException(code: 400): Client error: `POST https://login.microsoftonline.com/%7Bc206c644-76a8-4be4-bece-52daa0c99af9%7D/oauth2/v2.0/token` resulted in a `400 Bad Request` response:
{\"error\":\"invalid_request\",\"error_description\":\"AADSTS900432: Confidential Client is not supported in Cross Cloud reques (truncated...)
 at /var/www/Bookstack/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113)
[stacktrace]
#0 /var/www/Bookstack/vendor/guzzlehttp/guzzle/src/Middleware.php(69): GuzzleHttp\\Exception\\RequestException::create()#1 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(204): GuzzleHttp\\Middleware::GuzzleHttp\\{closure}()
#2 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(153): GuzzleHttp\\Promise\\Promise::callHandler()
#3 /var/www/Bookstack/vendor/guzzlehttp/promises/src/TaskQueue.php(48): GuzzleHttp\\Promise\\Promise::GuzzleHttp\\Promise\\{closure}()
#4 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(248): GuzzleHttp\\Promise\\TaskQueue->run()
#5 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(224): GuzzleHttp\\Promise\\Promise->invokeWaitFn()
#6 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(269): GuzzleHttp\\Promise\\Promise->waitIfPending()
#7 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(226): GuzzleHttp\\Promise\\Promise->invokeWaitList()
#8 /var/www/Bookstack/vendor/guzzlehttp/promises/src/Promise.php(62): GuzzleHttp\\Promise\\Promise->waitIfPending()
#9 /var/www/Bookstack/vendor/guzzlehttp/guzzle/src/Client.php(187): GuzzleHttp\\Promise\\Promise->wait()
#10 /var/www/Bookstack/vendor/guzzlehttp/guzzle/src/ClientTrait.php(95): GuzzleHttp\\Client->request()
#11 /var/www/Bookstack/vendor/socialiteproviders/microsoft-azure/Provider.php(103): GuzzleHttp\\Client->post()
#12 /var/www/Bookstack/vendor/socialiteproviders/manager/src/OAuth2/AbstractProvider.php(52): SocialiteProviders\\Azure\\Provider->getAccessTokenResponse()
#13 /var/www/Bookstack/app/Auth/Access/SocialAuthService.php(124): SocialiteProviders\\Manager\\OAuth2\\AbstractProvider->user()
#14 /var/www/Bookstack/app/Http/Controllers/Auth/SocialController.php(87): BookStack\\Auth\\Access\\SocialAuthService->getSocialUser()
#15 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): BookStack\\Http\\Controllers\\Auth\\SocialController->callback()
#16 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\\Routing\\Controller->callAction()
#17 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\\Routing\\ControllerDispatcher->dispatch()
#18 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\\Routing\\Route->runController()
#19 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\\Routing\\Route->run()
#20 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\\Routing\\Router->Illuminate\\Routing\\{closure}()
#21 /var/www/Bookstack/app/Http/Middleware/Localization.php(82): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#22 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\\Http\\Middleware\\Localization->handle()
#23 /var/www/Bookstack/app/Http/Middleware/RunThemeActions.php(26): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#24 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\\Http\\Middleware\\RunThemeActions->handle()
#25 /var/www/Bookstack/app/Http/Middleware/CheckEmailConfirmed.php(47): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#26 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\\Http\\Middleware\\CheckEmailConfirmed->handle()
#27 /var/www/Bookstack/app/Http/Middleware/PreventAuthenticatedResponseCaching.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#28 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\\Http\\Middleware\\PreventAuthenticatedResponseCaching->handle()
#29 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(78): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#30 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\VerifyCsrfToken->handle()
#31 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#32 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\View\\Middleware\\ShareErrorsFromSession->handle()
#33 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#34 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\\Session\\Middleware\\StartSession->handleStatefulRequest()
#35 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Session\\Middleware\\StartSession->handle()
#36 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#37 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse->handle()
#38 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(67): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#39 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Cookie\\Middleware\\EncryptCookies->handle()
#40 /var/www/Bookstack/app/Http/Middleware/ApplyCspRules.php(36): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#41 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\\Http\\Middleware\\ApplyCspRules->handle()
#42 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#43 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\\Pipeline\\Pipeline->then()
#44 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\\Routing\\Router->runRouteWithinStack()
#45 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\\Routing\\Router->runRoute()
#46 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\\Routing\\Router->dispatchToRoute()
#47 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\\Routing\\Router->dispatch()
#48 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\\Foundation\\Http\\Kernel->Illuminate\\Foundation\\Http\\{closure}()
#49 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#50 /var/www/Bookstack/app/Http/Middleware/TrustProxies.php(41): Illuminate\\Http\\Middleware\\TrustProxies->handle()
#51 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\\Http\\Middleware\\TrustProxies->handle()
#52 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#53 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle()
#54 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\TrimStrings->handle()
#55 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#56 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize->handle()
#57 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#58 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance->handle()
#59 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#60 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\\Pipeline\\Pipeline->then()
#61 /var/www/Bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter()
#62 /var/www/Bookstack/public/index.php(53): Illuminate\\Foundation\\Http\\Kernel->handle()
#63 {main}`

PHP Version

8.1

Hosting Environment

Ubuntu 18.04 in AWS, behind SSL load balancer.

[smccutchen]

Note that the Azure cloud tenant URLs for Graph and Base tenant are both hard-coded in the file @ /var/www/Bookstack/vendor/socialiteproviders/microsoft-azure/Provider.php.

[ssddanbrown]

Hi @smccutchen,
Customization of the base URL is not something that's currently supported, so I guess this may be more of a feature request to add support.

To be honest I try not to expand support of our auth systems unless significant need/desire, especially to suit scenarios that I won't be able to really test myself. We do provide some methods of extension though.

First though, just to understand your requirement, are you intending to use Azure as the primary method of authentication within your instance or is it simply going to be a supporting/secondary option?

[smccutchen]

Azure AD signup/signin will be our primary (only) method of authentication.

I was able to get a successful registration by modifying the file @ /var/www/Bookstack/vendor/socialiteproviders/microsoft-azure/Provider.php to use the appropriate .us URLs for gov cloud tenants.

I suppose that hard-coded fix is good enough for me (I should be able to template out the change through our deployment automation to survive through Bookstack version upgrades), but at least now you're aware of the issue! A better fix in the future would be to simply allow the admin to override the endpoint URLs in the .env file (like "AZURE_APP_BASE_URL" and "AZURE_APP_GRAPH_URL" or something similar).

Thanks for the quick reply.

[ssddanbrown]

@smccutchen Cool, The reason I asked is because you may be better suited to use our OIDC integration which would act as a primary authentication system (Replace the default email/password to avoid confusion).
Since it's abstract, there's nothing in our OIDC system tied to a specific Azure endpoint so should work for your use-case without editing files.

If you did want to keep the current setup (Azure via social provider option), it should be possible to achieve your override without editing core app files (and thus potentially causing issues on upgrade) via our logical theme system:
https://github.com/BookStackApp/BookStack/blob/development/dev/docs/logical-theme-system.md#custom-socialite-service-example

[ssddanbrown]

Since the above was answered I'll therefore close this off.