OpenID Connect issue with Azure AD: implicit vs code authorization flow #6345
Comments
That actually seems questionable. Authorization Code Flow should always be used for hosted servers, like Gitea. Implicit Flow is designed for things like public JavaScript apps. I'd wager there is probably some mis-set setting in Azure or so, as you really don't want to be using the implicit flow for a hosted server (just as you really exceptionally don't want to use authorization code flow for a SPA).
Thanks for those insights, I don't know that much about the OpenID format. I will get in contact with Msft support and discuss this issue, will update with a solution.
I think this should be improved in Gitea, as OAuth should return the token/flow that has been requested.
@OvermindDL1 was correct, there was a configuration missing on the Azure AD side. The docs are a mess about this. If anyone ever comes across this issue again, you need to configure the AD application on the Azure side to
Good afternoon, I'm having the same issue. I followed @anoff's answer and I still have the same problem. I followed this link for the setup: https://blog.anoff.io/2019-03-23-configure-azure-ad-for-gitea/ I'm using Gitea 1.8 with MySQL on openSUSE Leap 42.1 and I have 2FA enabled in my Azure account.
Hey @Mr-Reca, did you create a Did you also set the correct tenant for the OpenID URL? Maybe you can share your config (w/o secret) and the error messages you receive.
Hey @anoff Where can I check if my app is The only thing is that Azure forced me to use https. I created a certificate using When I log in, I do the MFA and then the browser shows me the error The reply URL is the next one: The OpenID URL is the next one: Do you want the config and some log files in case I missed something? Thank you so much,
Let's discuss the details offsite, Twitter DM https://twitter.com/an0xff or email offenhaeuser@gmail.com a screenshot of your gitea oauth setup
On Thu, May 2, 2019, 22:09 Mr-Reca wrote:
Hey @anoff <https://github.com/anoff>
Where can I check if my app is native or not? I've just followed your
blog. I check the *Authentication* settings (*Default client type*) and I
also checked the secrets, keys & IDs.
The only thing is that Azure forced me to use https. I created a
certificate using gitea cert --host <hostname>.<domain> and I change the
config file.
When I log in, I do the MFA and then the browser shows me the error AADSTS50011:
The reply url specified in the request does not match the reply urls
configured for the application: <client_id>.
The reply URL is the next one:
https://<hostname>.<domain>:3000/user/oauth2/<app_name>/callback
The OpenID URL is the next one:
https://login.microsoftonline.com/
<tenant>/v2.0/.well-known/openid-configuration
Do you want the config and some log files in case I missed something?
Thank you so much,
If you're using Azure App Proxy make sure you add the root URL as a Reply URI in addition to the OpenID URI. This fixes the "not match the reply urls" error.
Description
I want to use Azure Active Directory as an OAuth 2.0 provider via the OpenID Connect feature. Gitea contacts the AD correctly and the workflow on the AD side executes correctly, but then the callback fails.
According to the Microsoft docs:
response_type: Must include id_token for OpenID Connect sign-in
but Gitea sends response_type: code, as shown in the screenshot. I did some research on the matter and it seems that Msft is following the implicit flow whereas Gitea uses the Authorization Code Flow.
What are your thoughts on the matter? Is this something that should be changed in the OpenID Connect adapter of Gitea, or rather add an Azure AD OAuth provider directly?
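The thread turns on two concrete points: the original post's observation that Gitea sends response_type=code (the authorization code flow, the right choice for a server-side relying party that holds a client secret) while the Microsoft docs row it quotes describes the implicit flow, and the later AADSTS50011 "reply url ... does not match" error, which is an exact comparison of the request's redirect_uri against the reply URLs registered on the Azure AD app (so the ":3000" port, the https scheme and, behind App Proxy, the root URL all have to be registered). The following Python script is an added example, not Gitea's or Microsoft's code: it builds the authorization request from a constructed discovery document and reproduces the reply URL check locally. The tenant, client ID, hostnames, the callback path shape (/user/oauth2/<provider>/callback, taken from the thread) and all function names are placeholders or assumptions, and the "simplified exact match" in _key is a simplification of Azure AD's real comparison rules.

```python
"""Added example, not code from Gitea or Microsoft.

Models two points from the thread:
  1. A server-side relying party (Gitea) asks for response_type=code, the
     authorization code flow. response_type=id_token is the implicit flow,
     intended for browser-only clients that cannot hold a client secret.
  2. Azure AD's AADSTS50011: the request's redirect_uri must match a reply URL
     registered on the app exactly (scheme, host, port, path). A missing
     ":3000" or an http/https mix-up is enough to fail.

The discovery document is a constructed sample (a subset of the real fields);
tenant, client_id and hostnames are placeholders.
"""
import json
import secrets
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "<tenant>"  # placeholder (assumption)
SAMPLE_DISCOVERY = json.dumps({  # constructed sample, not fetched from the provider
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


class ReplyUrlMismatch(ValueError):
    """Local stand-in for the condition behind AADSTS50011."""


def gitea_reply_urls(root_url: str, provider_name: str, behind_app_proxy: bool = False) -> List[str]:
    """Reply URLs to register on the Azure AD app for a Gitea OpenID Connect source.

    The callback path follows the shape quoted in the thread
    (/user/oauth2/<provider>/callback). Behind Azure App Proxy the thread
    reports that the root URL must be registered as well.
    """
    root = root_url.rstrip("/")
    urls = [f"{root}/user/oauth2/{provider_name}/callback"]
    if behind_app_proxy:
        urls.append(root + "/")
    return urls


def _key(uri: str):
    # Simplified exact match: scheme and host compared case-insensitively,
    # explicit port, path and query compared literally (assumption: a
    # simplification of Azure AD's actual comparison rules).
    p = urlsplit(uri)
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def check_reply_url(redirect_uri: str, registered: List[str]) -> bool:
    """Accept the redirect_uri only if it exactly matches a registered reply URL."""
    if any(_key(r) == _key(redirect_uri) for r in registered):
        return True
    raise ReplyUrlMismatch(
        "The reply url specified in the request does not match the reply urls "
        f"configured for the application: {redirect_uri!r} not in {registered}"
    )


def is_rejected(redirect_uri: str, registered: List[str]) -> bool:
    """True when the provider-side check would fail (the AADSTS50011 case)."""
    try:
        check_reply_url(redirect_uri, registered)
        return False
    except ReplyUrlMismatch:
        return True


def build_auth_request(discovery_json: str, client_id: str, redirect_uri: str,
                       registered: List[str], flow: str = "code",
                       state: Optional[str] = None, nonce: Optional[str] = None) -> str:
    """Build the authorization URL the relying party redirects the browser to."""
    doc = json.loads(discovery_json)
    response_type = {"code": "code", "implicit": "id_token"}[flow]
    if response_type not in doc["response_types_supported"]:
        raise ValueError(f"provider does not advertise response_type={response_type}")
    check_reply_url(redirect_uri, registered)  # what the provider enforces on its side
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this session (CSRF)
        "nonce": nonce or secrets.token_urlsafe(16),  # echoed in the id_token, defeats replay
    }
    if response_type != "code":
        params["response_mode"] = "form_post"  # implicit: keep tokens out of the URL fragment
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def response_type_of(auth_url: str) -> str:
    return parse_qs(urlsplit(auth_url).query)["response_type"][0]


if __name__ == "__main__":
    registered = gitea_reply_urls("https://git.example.com:3000", "azure")
    print(build_auth_request(SAMPLE_DISCOVERY, "<client_id>", registered[0], registered))
    # Same request with the port dropped from redirect_uri: rejected.
    print("rejected:", is_rejected("https://git.example.com/user/oauth2/azure/callback", registered))
```

Running the script prints a code-flow authorization URL (response_type=code, as Gitea sends it) and then shows that the same callback without ":3000" is rejected by the exact-match rule, which is the shape of the AADSTS50011 error in the thread. The provider's advertised response_types_supported contains both "code" and "id_token", so the fix is on the app registration, not in Gitea's choice of flow.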