OAuth2 Azure Sign in URL?

Hello, I am having some issues with enabling the OAuth third-party provider (AzureAD) on the Koa.3 release.

I have configured both AzureAD and Open edX as the documentation suggests, but I keep getting the error:

“The reply URL specified in the request does not match the reply URLs configured for the application:”

Having checked the documentation, it indicates that the configured URLs should be

/auth/complete/azuread-oauth2/
/sign in

Now, upon submission of login (using multi-factor authentication), I get the returned data

Sign in to your account/auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=0
So it appears to be going to the sign-on URL but not the reply URL, which cannot be /sign in with the space.

Is there anyone who could offer some clarification of how this might need to be configured?

Thank you all in advance.

Dennis Bates

The formatting in your post is not working, so it’s a little hard to tell what’s going on. For future reference, if you put `backticks` around it, it will be escaped like this:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=34&redirect_uri=https:///auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=0

The docs say <LMS URI>/auth/complete/azuread-oauth2/ but it looks like you left out the protocol and domain part, putting in only the path. Make sure you configured a full URL that starts with https://.

It should look like: https://name-of-your-site.tld/auth/complete/azuread-oauth2/

P.S. I’m not sure why the docs say to use a “sign in” URL with ..../sign in. That seems wrong but I suspect that it doesn’t really matter what value you put for that.

Thanks for the response, braden.

The format of the login configurations is actually

https://my-site-name.ac.uk/auth/complete/azuread-oauth2/
They are configured correctly for formatting; as the project is a beta for a university, I don’t want to publish it yet.

The response returned for the connection is

https://login.microsoftonline.com/common/oauth2/authorize?client_id=34&redirect_uri=https://fullsitename.ac.uk/auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=

It all looks right, and I previously had this working with Juniper; it’s just since the move to Koa that this has become an issue.

I’m aware of a pull request that was merged around this issue (SSO auth completion) a couple of weeks ago, so this is the latest build, which should include that fix.

Fix redirection on SSO auth complete. by waheedahmed · Pull Request #27139 · edx/edx-platform (github.com)

Hmm, ok. Well if it says “The reply URL specified in the request does not match the reply URLs configured for the application:” then we should try to figure out the actual URL being used, and how it’s different from the configured URL.

So you have configured it as https://my-site-name.ac.uk/auth/complete/azuread-oauth2/

And you said “the response returned for the connection is” … https://fullsitename.ac.uk/auth/complete/azuread-oauth2/

Those look like they match.

I just checked on edX.org, and I get a URL like this:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=5ea2d1b0-1234-1234-1234-1be8f40a6210&redirect_uri=https://courses.edx.org/auth/complete/azuread-oauth2/&state=zYxwvuTsrqPoodjQq2I3sf0WjOqo88xG&response_type=code&scope=openid+profile+user_impersonation&msafed=0

One other thing that stands out to me is the “client ID” - on edX.org it is a UUID but in your example it is “34”. Is “34” the actual value you’re using (which seems wrong), or did you remove the actual value for security reasons?

@braden Thanks very much for the reply

The client ID is the UUID of the application making the request, and you’re right, I did remove the ID for security reasons. But it does match.
Interestingly, this is the request URL

https://login.microsoftonline.com/common/oauth2/authorize?client_id=330170cd-66f5-4db7-9748-1a1a6e9ae3c4&redirect_uri=https://adept.durham.ac.uk/auth/complete/azuread-oauth2/&state=kYkYmtffQh2jGC7y2L0Z1By7ItePjygF&response_type=code&scope=openid+profile+user_impersonation&msafed=0

And this is the reply back in the Location; it looks like the redirect back has the %2f for the /, hmm…

https://login.microsoftonline.com/common/oauth2/authorize?client_id=330170cd-66f5-4db7-9748-1a1a6e9ae3c4&redirect_uri=https%3a%2f%2fadept.durham.ac.uk%2fauth%2fcomplete%2fazuread-oauth2%2f&state=kYkYmtffQh2jGC7y2L0Z1By7ItePjygF&response_type=code&scope=openid+profile+user_impersonation&msafed=0

Hmm. I’m not sure if that’s significant or not. If you manually go “fix” the URL to remove the % encoding, and then go to that fixed URL, does it let you sign in?

Also, I should have asked: if you try this in an incognito window, does the error you see happen before you get prompted to log in on the Microsoft site or after? (i.e. you go to your Open edX instance, click login, click “Microsoft” - do you see the error at this point, or later?)
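Added example, not from this thread or from Open edX / python-social-auth: a small Python check of the `redirect_uri` carried in an Azure `/oauth2/authorize` URL, covering both points raised above, a value configured with only the path (no scheme and host) and the percent-encoded form of the same URL, which decodes to an exact match against the registered reply URL. The host `lms.example.ac.uk` and the `CLIENT_ID` / `STATE` values are constructed placeholders.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed: the reply URL an operator registered in Azure AD for the LMS
# (hypothetical host, not any site from the thread).
CONFIGURED_REPLY_URLS = ["https://lms.example.ac.uk/auth/complete/azuread-oauth2/"]

# Constructed sample authorize URLs modelled on the thread's shape;
# client_id and state are placeholders, not real values.
MISSING_HOST = ("https://login.microsoftonline.com/common/oauth2/authorize?client_id=CLIENT_ID"
                "&redirect_uri=https:///auth/complete/azuread-oauth2/&state=STATE&response_type=code")
ENCODED_OK = ("https://login.microsoftonline.com/common/oauth2/authorize?client_id=CLIENT_ID"
              "&redirect_uri=https%3a%2f%2flms.example.ac.uk%2fauth%2fcomplete%2fazuread-oauth2%2f"
              "&state=STATE&response_type=code")


def extract_redirect_uri(authorize_url: str) -> str:
    """Return the single redirect_uri parameter of an authorize URL, percent-decoded.

    parse_qs already decodes %3a%2f%2f to ://, so the encoded and plain forms of
    the same URL compare equal; the extra unquote() only matters if a proxy or
    template double-encoded the value.
    """
    values = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return unquote(values[0])


def check_reply_url(authorize_url: str, configured=CONFIGURED_REPLY_URLS) -> list:
    """List the reasons Azure's exact-match reply URL check would reject this request.

    An empty list means the decoded redirect_uri is https, has a host, and is
    byte-for-byte one of the registered reply URLs (trailing slash included).
    """
    problems = []
    redirect = extract_redirect_uri(authorize_url)
    parts = urlsplit(redirect)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.netloc:
        problems.append("missing host: only a path was configured")
    if redirect not in configured:
        problems.append(f"{redirect} is not in the registered reply URLs")
    return problems


if __name__ == "__main__":
    for name, url in [("missing host", MISSING_HOST), ("percent-encoded", ENCODED_OK)]:
        print(name, "->", check_reply_url(url) or "OK")
```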

@braden I want to thank you. I finally resolved the issue yesterday; some of your hints helped a lot. It was a combination of a number of factors, mostly to do with the Azure end of authentication.

If people are interested in the new Azure AD settings, it’s actually about 2-3 pages of settings, with one strange one that needs to be done in Open edX.

Glad to hear that @dbates. Is there anything that you think should be fixed or mentioned in the docs? We can propose edits to them here if needed.