Using MSAL/MSGraph behind a reverse proxy

Question

I'm trying to host a Flask web application behind an IIS reverse proxy and access MS Graph using MSAL. I have the reverse proxy working (woot!), but when I try to use MS Graph/MSAL it sees the original URL as the redirect_uri, not the reverse proxy URL.

I get the following error:
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:

The Microsoft response URL is:

https://login.microsoftonline.com/<not showing>/oauth2/v2.0/authorize?client_id=<not showing>&response_type=code&redirect_uri=http%3A%2F%2Fsrvedmwebapp01.universe.local%3A9000%2FgetAToken

It should have &redirect_uri=https://scms.twose.ca/getAToken.

I used the amazing examples at https://github.com/Azure-Samples/ms-identity-python-webapp to get this to work without a reverse proxy in the past. (Thanks MS)

Answer 1

Working with another coder on GitHub, the solution was found (https://github.com/Azure-Samples/ms-identity-python-webapp/issues/51)

The app must make use of a custom proxy fix as follows, and remove the one from Werkzeug.

class CustomProxyFix(object):
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ['HTTP_HOST'] = 'example.org'
        environ['wsgi.url_scheme'] = 'https'
        return self.app(environ, start_response)

app.wsgi_app = CustomProxyFix(app.wsgi_app)

This issue can now be considered solved.