Hello, I am having some issues with enabling the OAuth third-party provider (AzureAD) on the Koa.3 release.
I have configured both AzureAD and Open edX as the documentation suggests, but I keep getting the error:
“The reply URL specified in the request does not match the reply URLs configured for the application:”
Having checked the documentation, it indicates that the configured URLs should be:
/auth/complete/azuread-oauth2/
/sign in
Now, upon submission of login (using Multifactor Authentication), I get the returned data:
Sign in to your account/auth/complete/azuread-oauth2/&state=ID&response_type=code&scope=openid+profile+user_impersonation&msafed=0
So it appears to be going to the sign-on URL but not the reply URL, which cannot be /sign in with the space.
Is there anyone who could offer some clarification of how this might need to be configured?
The formatting in your post is not working, so it’s a little hard to tell what’s going on. For future reference, if you put `backticks` around it, it will be escaped like this:
The docs say <LMS URI>/auth/complete/azuread-oauth2/ but it looks like you left out the protocol and domain part, putting in only the path. Make sure you configured a full URL that starts with https://.
It should look like: https://name-of-your-site.tld/auth/complete/azuread-oauth2/
P.S. I’m not sure why the docs say to use a “sign in” URL with ..../sign in. That seems wrong but I suspect that it doesn’t really matter what value you put for that.
It all looks right, and I previously had this working with Juniper; it's just since the move to Koa that this has become an issue.
I'm aware of a pull request that was merged around this issue (SSO auth completion) a couple of weeks ago, so this is the latest build that should include that fix.
Hmm, ok. Well if it says “The reply URL specified in the request does not match the reply URLs configured for the application:” then we should try to figure out the actual URL being used, and how it’s different from the configured URL.
So you have configured it as https://my-site-name.ac.uk/auth/complete/azuread-oauth2/
And you said “the response returned for the connection is” … https://fullsitename.ac.uk/auth/complete/azuread-oauth2/
Those look like they match.
I just checked on edX.org, and I get a URL like this:
One other thing that stands out to me is the “client ID” - on edX.org it is a UUID but in your example it is “34”. Is “34” the actual value you’re using (which seems wrong), or did you remove the actual value for security reasons?
The client ID is the UUID of the application making the request, and you're right, I did remove the ID for security reasons. But it does match.
Interestingly, this is the request URL:
Hmm. I'm not sure if that's significant or not. If you manually go "fix" the URL to remove the % encoding, and then go to that fixed URL, does it let you sign in?
Also, I should have asked: if you try this in an incognito window, does the error you see happen before you get prompted to log in on the Microsoft site or after? (i.e. you go to your Open edX instance, click login, click “Microsoft” - do you see the error at this point, or later?)
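A small diagnostic for the mismatch being discussed, added here as an example (it is not code from the thread, from Open edX or from Azure): it pulls `redirect_uri` out of an /authorize URL captured from the browser and checks it against the registered reply URLs the way the error message implies Azure AD does (full https:// URL, exact path including the trailing slash, no leftover percent-encoding). The host and client ID values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Reply URL registered on the Azure AD app registration.
# Constructed sample value; use the real LMS host in a live check.
CONFIGURED_REPLY_URLS = [
    "https://name-of-your-site.tld/auth/complete/azuread-oauth2/",
]


def canonical(url):
    """Scheme and host lowercased, path kept byte for byte (trailing slash
    included), query string and fragment dropped."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def redirect_uri_of(authorize_url):
    """The redirect_uri parameter of the /authorize request, decoded once."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    return values[0] if values else None


def diagnose(authorize_url, configured=CONFIGURED_REPLY_URLS):
    """Return (ok, reason) for an /authorize URL copied from the browser."""
    sent = redirect_uri_of(authorize_url)
    if sent is None:
        return False, "no redirect_uri parameter in the authorize request"
    if unquote(sent) != sent:
        # parse_qs already decoded once; leftover escapes mean it was
        # encoded twice, which is what a stray "%" in the URL looks like
        return False, f"redirect_uri still percent-encoded after one decode: {sent}"
    parts = urlsplit(sent)
    if parts.scheme != "https" or not parts.netloc:
        # a bare path such as /auth/complete/azuread-oauth2/ can never match
        return False, f"redirect_uri must be a full https:// URL, got {sent}"
    for reply_url in configured:
        if canonical(reply_url) == canonical(sent):
            return True, f"matches registered reply URL {reply_url}"
    return False, f"{canonical(sent)} matches none of {configured}"
```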
@braden I want to thank you; I finally resolved the issue yesterday, and some of your hints helped a lot. It was a combination of a number of factors, mostly to do with the Azure end of authentication.
If people are interested in the new Azure AD settings, it's actually about 2-3 pages of settings, with one strange one that needs to be done in Open edX.
Thanks for your reply @dbates. Right now Microsoft Azure is successfully authenticated and redirected to the login page again; that's my issue, it's not redirecting to the dashboard.
I mean, when Microsoft Azure successfully authenticates and redirects to my site/login, why does it not redirect to site/dashboard? I'll share a screenshot; after successful login to Azure it is coming like this:
It is not like that. The user tries to log in with an Azure account and needs to be redirected to the dashboard automatically, but for me it redirects to the login page and throws errors like "not login" and "your request could not be completed".
I understand what you're saying, and I guess I didn't have the same issue as you.
I have seen that message with users who both registered with the edX platform with an email like 123@xyz.com and have an Azure account 123@xyz.com.
The workflow for the login would be to try to log them in with edX first; if it finds that account then it says, oh, that's an edX account, let's log in... yeah, you're in, or that didn't work.
If not, then it tries to look at other auth mechanisms and says, hey, that account is from a trusted platform like Azure, and then creates the account and logs them in. If it sees two accounts that look the same then it has an issue, and I have seen that message with users who have done that kind of thing: registering, then trying to log into an account with the same login (i.e. email) via a third-party OAuth app.
Hi @dbates, right now the SSO login issue has been fixed, but I am facing new problems. When a new user logs in through SSO, it gets logged into the dashboard. If the user logs out and tries to log in again, we get an error like "* Missing needed parameter state". The Azure API is getting called 3 times: the first time with the parameter, and the 2nd and 3rd times with it empty - https://site-url/auth/complete/azuread-oauth2/?
Yeah, that will happen if the session isn't fully shut down and it continues to read a login via another session.
Say, for instance, you're logged into Outlook on the web and Open edX at the same time; log out of edX but keep the browser window open for Outlook, and it gets confused.
You can sort this by closing the browser... or clearing sessions...