OAuth2 Azure Sign in URL?

Hello, I am having some issues with enabling the OAuth third-party provider (Azure AD) on the Koa.3 release.

I have configured both Azure AD and Open edX as the documentation suggests, but I keep getting the error:

“The reply URL specified in the request does not match the reply URLs configured for the application:”

Having checked the documentation, it indicates that the configured URLs should be:

/auth/complete/azuread-oauth2/
/sign in

Now, upon submission of the login (using multi-factor authentication), I get the returned data:

Sign in to your account/auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=0
So it appears to be going to the sign-on URL but not the reply URL, which cannot be /sign in with the space.

Is there anyone who could offer some clarification of how this might need to be configured?

Thank you all in advance.

Dennis Bates


The formatting in your post is not working, so it’s a little hard to tell what’s going on. For future reference, if you put `backticks` around it, it will be escaped like this:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=34&redirect_uri=https:///auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=0

The docs say <LMS URI>/auth/complete/azuread-oauth2/ but it looks like you left out the protocol and domain part, putting in only the path. Make sure you configured a full URL that starts with https://.

It should look like: https://name-of-your-site.tld/auth/complete/azuread-oauth2/

P.S. I’m not sure why the docs say to use a “sign in” URL with ..../sign in. That seems wrong but I suspect that it doesn’t really matter what value you put for that.

Thanks for the response, braden.

The format of the login configurations is actually:

https://my-site-name.ac.uk/auth/complete/azuread-oauth2/
They are configured correctly for formatting; as the project is a beta for a university, I don’t want to publish it yet.

The response returned for the connection is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=34&redirect_uri=https://fullsitename.ac.uk/auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=

It all looks right, and I previously had this working with Juniper; it’s just since the move to Koa that this has become an issue.

I’m aware of a pull request that was merged around this issue (SSO auth completion) a couple of weeks ago, so this is the latest build, which should include that fix.

Fix redirection on SSO auth complete. by waheedahmed · Pull Request #27139 · edx/edx-platform (github.com)

Hmm, ok. Well if it says “The reply URL specified in the request does not match the reply URLs configured for the application:” then we should try to figure out the actual URL being used, and how it’s different from the configured URL.

So you have configured it as https://my-site-name.ac.uk/auth/complete/azuread-oauth2/

And you said “the response returned for the connection is” … https://fullsitename.ac.uk/auth/complete/azuread-oauth2/

Those look like they match.

I just checked on edX.org, and I get a URL like this:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=5ea2d1b0-1234-1234-1234-1be8f40a6210&redirect_uri=https://courses.edx.org/auth/complete/azuread-oauth2/&state=zYxwvuTsrqPoodjQq2I3sf0WjOqo88xG&response_type=code&scope=openid+profile+user_impersonation&msafed=0

One other thing that stands out to me is the “client ID” - on edX.org it is a UUID but in your example it is “34”. Is “34” the actual value you’re using (which seems wrong), or did you remove the actual value for security reasons?

@braden Thanks very much for the reply

The client ID is the UUID of the application making the request, and you’re right, I did remove the ID for security reasons. But it does match.
Interestingly, this is the request URL:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=330170cd-66f5-4db7-9748-1a1a6e9ae3c4&redirect_uri=https://adept.durham.ac.uk/auth/complete/azuread-oauth2/&state=kYkYmtffQh2jGC7y2L0Z1By7ItePjygF&response_type=code&scope=openid+profile+user_impersonation&msafed=0

And this is the reply back in the Location; it looks like the redirect back has the %2f for the /, hmm…

https://login.microsoftonline.com/common/oauth2/authorize?client_id=330170cd-66f5-4db7-9748-1a1a6e9ae3c4&redirect_uri=https%3a%2f%2fadept.durham.ac.uk%2fauth%2fcomplete%2fazuread-oauth2%2f&state=kYkYmtffQh2jGC7y2L0Z1By7ItePjygF&response_type=code&scope=openid+profile+user_impersonation&msafed=0

Hmm. I’m not sure if that’s significant or not. If you manually go “fix” the URL to remove the % encoding, and then go to that fixed URL, does it let you sign in?

Also, I should have asked: if you try this in an incognito window, does the error you see happen before you get prompted to log in on the Microsoft site or after? (i.e. you go to your Open edX instance, click login, click “Microsoft” - do you see the error at this point, or later?)
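The checks braden walks through above (a full URL with scheme and host, the percent-encoded redirect_uri in the Location header, the exact string match on the provider side) can be scripted. The following is an added example written for this thread, not code from Open edX or python-social-auth: it pulls redirect_uri out of an authorize request URL and reports how it differs from the reply URLs registered for the app. The host lms.example.edu, the client_id and the state value are constructed placeholders.

```python
"""Added example for this thread (not Open edX or python-social-auth code):
compare the redirect_uri in an authorize request with the reply URLs
registered for the app. Sample URLs, host, client_id and state below are
constructed placeholders."""
from urllib.parse import urlsplit, parse_qs

# Constructed: the same authorize request, once with the redirect_uri literal
# and once percent-encoded (as it appears in a Location header).
PLAIN_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https://lms.example.edu/auth/complete/azuread-oauth2/"
    "&state=CONSTRUCTED_STATE&response_type=code"
    "&scope=openid+profile+user_impersonation&msafed=0"
)
ENCODED_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3a%2f%2flms.example.edu%2fauth%2fcomplete%2fazuread-oauth2%2f"
    "&state=CONSTRUCTED_STATE&response_type=code"
    "&scope=openid+profile+user_impersonation&msafed=0"
)
# Constructed: reply URLs registered on the identity-provider side.
CONFIGURED_REPLY_URLS = ["https://lms.example.edu/auth/complete/azuread-oauth2/"]


def extract_redirect_uri(authorize_url: str) -> str:
    """Return the redirect_uri carried by an authorize request.

    parse_qs percent-decodes values, so the encoded and literal forms of the
    same redirect_uri come back identical: %2f in the Location header is
    transport encoding, not a different URL.
    """
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if not values:
        raise ValueError("authorize URL carries no redirect_uri")
    return values[0]


def diagnose(redirect_uri: str, configured: list[str]) -> list[str]:
    """Explain why redirect_uri has no exact match among the configured reply URLs.

    Returns an empty list when an exact match exists. The provider compares
    the whole string, so scheme, host, path and trailing slash all count.
    """
    if redirect_uri in configured:
        return []
    findings = []
    req = urlsplit(redirect_uri)
    if req.scheme != "https":
        findings.append(f"scheme is {req.scheme!r}; reply URLs must use https")
    if not req.netloc:
        findings.append("redirect_uri has no host: only the path was configured, "
                        "it needs the full https://<lms-host>/... form")
    for cfg_url in configured:
        cfg = urlsplit(cfg_url)
        same_host = cfg.netloc.lower() == req.netloc.lower()
        if same_host and cfg.path.rstrip("/") == req.path.rstrip("/"):
            findings.append(f"{cfg_url} differs only by a trailing slash")
        elif cfg.path == req.path and not same_host:
            findings.append(f"{cfg_url} has the same path but host "
                            f"{cfg.netloc!r} != {req.netloc!r}")
    if not findings:
        findings.append("no configured reply URL resembles the redirect_uri")
    return findings


if __name__ == "__main__":
    for url in (PLAIN_AUTHORIZE_URL, ENCODED_AUTHORIZE_URL):
        uri = extract_redirect_uri(url)
        print(uri, diagnose(uri, CONFIGURED_REPLY_URLS) or "matches")
    # The path-only form from the opening post, with no host at all:
    print(diagnose("https:///auth/complete/azuread-oauth2/", CONFIGURED_REPLY_URLS))
```

Running it shows that the encoded and literal authorize URLs carry the same redirect_uri (so the %2f is not the problem), while a path-only value or a missing trailing slash produces a concrete finding to compare against the registration.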

@braden I want to thank you; I finally resolved the issue yesterday, and some of your hints helped a lot. It was a combination of a number of factors, mostly to do with the Azure end of authentication.

If people are interested in the new Azure AD settings, it’s actually about 2-3 pages of settings, with one strange one that needs to be done in Open edX.

Glad to hear that @dbates. Is there anything that you think should be fixed or mentioned in the docs? We can propose edits to them here if needed.

Hello, @dbates. I’m having similar problems connecting to Azure AD; how did you resolve this?

Authentication settings

  1. In the edx Entra ID authentication app, add the following URLs in the Authentication blade:
     - https://your-url/
     - https://your-url/login
     - https://your-url/auth/complete/azureread-oauth2
     - https://your-url/auth/complete/azureread-oauth2/

  2. In “Implicit grant and hybrid flows”, tick the box for Access tokens (used for implicit flows).

  3. In “Supported account types”, select “Accounts in this organizational unit only”.

Certificates and secrets

Don’t use.

Token configuration

  1. Leave blank, no entry.

API permissions

Add the following Microsoft Graph delegated permissions:

  OPENID:
    - Email
    - Offline access
    - Open id
    - Profile

  USER:
    - User.Read
    - User.ReadBasic.All

Expose an API

Leave blank.

App Roles

Thanks for your reply @dbates. Right now Microsoft Azure successfully authenticates and redirects to the login page again; that’s my issue, it’s not redirecting to the dashboard.

Have you set the following?

Branding Settings
Under Home page URL / Redirect API:
https://your-siteurl/login

I mean, when Microsoft Azure successfully authenticates and redirects to my site/login, why does it not redirect to site/dashboard? I’ll share a screenshot; after successful login to Azure it is coming like this:

Are you trying to log in with an account that has the same identifier (i.e. email) as an edX account and as a Microsoft Azure account?

That’s the only time I normally see that error.

It is not like that. The user tries to log in with an Azure account and needs to be redirected to the dashboard automatically, but for me it redirects to the login page and throws an error like “not login” and “your request could not be completed”.

I understand what you’re saying, and I guess I didn’t have the same issue as you.

I have seen that message with users who registered with the edX platform with an email like 123@xyz.com and also have an Azure account 123@xyz.com.

The workflow for the login would be to try to log them in with edX first; if it finds that account, then it says “oh, that’s an edX account, let’s log in… yeah, you’re in” or “that didn’t work”.

If not, then it tries to look at other auth mechanisms and says “hey, that account is from a trusted platform like Azure”, and then creates the account and logs them in. If it sees two accounts that look the same, then it has an issue, and I have seen that message with users who have done that kind of thing: registering, then trying to log into an account with the same login (i.e. email) via a third-party OAuth app.

Hi @dbates, right now the SSO login issue has been fixed, but I am facing new problems. When a new user logs in through SSO, they get logged into the dashboard. If the user logs out and tries to log in again, we get an error like “Missing needed parameter state”. The Azure API is getting called 3 times: the first time with the parameter, and the 2nd and 3rd times it comes back empty: https://site-url/auth/complete/azuread-oauth2/?

Yeah, that will happen if the session isn’t fully shut down and it continues to read a login via another session.

Say, for instance, you’re logged into Outlook on the web and Open edX at the same time; log out of edX but keep the browser window open for Outlook, and it gets confused.

You can sort this by closing the browser… or clearing sessions…
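To make the “Missing needed parameter state” failure and the stale-session explanation above concrete, here is an added example written for this thread (not python-social-auth’s or Open edX’s own code) of a single-use state check of the kind an OAuth2 callback performs: the state issued when the login starts is bound to the session and consumed on the first callback, so a second or third hit on /auth/complete/azuread-oauth2/ with the same state, or with none at all as in the ?-only URL reported, is rejected instead of being treated as a new login. The session store is an in-memory dict and the callback URLs are constructed.

```python
"""Added example for this thread (not Open edX or python-social-auth code):
a single-use OAuth2 state check. The session is a plain dict standing in for
a server-side session store, and the callback URLs are constructed."""
import secrets
from urllib.parse import urlsplit, parse_qs


class StateError(Exception):
    """Raised when a callback cannot be tied to a pending login."""


def begin_login(session: dict) -> str:
    """Issue an unguessable state and bind it to the caller's session.

    The value would be sent as the state= parameter of the authorize request.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def complete_login(session: dict, callback_url: str) -> str:
    """Validate the callback and return the authorization code.

    The stored state is consumed on first use: a stale tab, a duplicated
    redirect or a logout that left the browser session alive cannot replay
    the same callback into a second login.
    """
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not returned:
        # A bare ".../auth/complete/azuread-oauth2/?" callback lands here.
        raise StateError("Missing needed parameter state")
    expected = session.pop("oauth_state", None)
    if expected is None:
        raise StateError("no pending login in this session (already completed or session reset)")
    if not secrets.compare_digest(expected, returned):
        raise StateError("state mismatch: callback does not belong to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise StateError("Missing needed parameter code")
    return code


if __name__ == "__main__":
    session = {}
    state = begin_login(session)
    # Constructed callback, as the provider would redirect the browser to it.
    callback = (
        "https://lms.example.edu/auth/complete/azuread-oauth2/"
        f"?code=CONSTRUCTED_CODE&state={state}"
    )
    print("first delivery:", complete_login(session, callback))
    # Second delivery of the same callback, then the empty one from the thread.
    for attempt in (callback, "https://lms.example.edu/auth/complete/azuread-oauth2/?"):
        try:
            complete_login(session, attempt)
        except StateError as err:
            print("rejected:", err)
```

Only the first delivery yields a code; the replay fails because the session no longer holds a pending state, and the empty callback fails with the same wording the thread reports. Clearing the session (or closing the browser, as suggested above) simply removes the stale binding so the next login starts from begin_login again.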

I tried clearing the cache, closing the browser, everything, but still I can’t log in via SSO; only new users can log in one time.

I’m sorry, without access to your systems at this point in time I don’t have any further advice or things to check.

That’s really all the help I can give at this point in time.