Auth works with HTTP redirect URL but not HTTPS (Active Directory/Microsoft Entra ID)

John, Luke | He/His 0 Reputation points
2023-11-14T09:49:26.2233333+00:00

My issue is around connecting a Java Spring Boot API to an Azure A.D. account (in our DEV environment). I'm trying to implement single sign-on, authenticating a user with an A.D. account via the standard web-page prompt.

I can successfully enter my Microsoft credentials and get through the full authentication process using my local machine via http, but I am getting 'invalid credential' errors when trying this using the DEV version of my API via https.

Here's an example of this type of error: [screenshot not included]

Can anyone think of what needs to be different when changing from http to https?

Tech stack:
- Active Directory, OAuth2 (using authorisation flow), and Spring Security.
- Maven Spring dependencies such as 'spring-cloud-azure-starter-active-directory' (latest version - 5.6.0)
- Spring Boot starter web v3.1.3
- Java 17
- Running inside a Docker container inside Kubernetes pods inside AWS.

What I've already tried:
- Making sure the client id, client secret and tenant id are being pulled into the application correctly (from AWS Secrets)
- Made sure that the app registration details and the redirect URLs are correct in Azure Active Directory
- Tried different combinations and versions of the Spring Maven plugins, such as 'spring-cloud-azure-starter-active-directory'
- Adding an SSL cert to my project

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-11-17T00:36:30.01+00:00

    @John, Luke | He/His ,

    You mentioned that you are already using the azure-spring-boot-starter-active-directory. You need to make sure that you have added the azure.activedirectory.redirect-uri-template property in the format required for your version 5.6 and that the BASE_URI is updated to the URI that you have set in the application registration (https://yourapp.com).

    application.yml:

    spring:
      cloud:
        azure:
          active-directory:
            redirect-uri-template: ${REDIRECT-URI-TEMPLATE}
    
    spring:
      cloud:
        azure:
          active-directory:
            b2c:
              authenticate-additional-parameters:
                domain_hint: xxxxxxxxx         # optional
                login_hint: xxxxxxxxx          # optional
                prompt: [login,none,consent]   # optional
              base-uri: ${BASE_URI}
              credential:
                client-id: ${WEBAPP_AZURE_CLIENT_ID}
                client-secret: ${WEBAPP_AZURE_CLIENT_SECRET}
              login-flow: ${LOGIN_USER_FLOW_KEY}               # default to sign-up-or-sign-in, will look up the user-flows map with provided key.
              logout-success-url: ${LOGOUT_SUCCESS_URL}
              user-flows:
                ${YOUR_USER_FLOW_KEY}: ${USER_FLOW_NAME}
              user-name-attribute-name: ${USER_NAME_ATTRIBUTE_NAME}
    

    You need to follow all of the steps for customizing the redirect-uri, make sure that all references to that URL match, and then make sure that there aren't any differences (extra slash or space, etc.).

    You can double-check all of the dependencies on this page to make sure you aren't missing anything. https://microsoft.github.io/spring-cloud-azure/current/reference/html/index.html#configure-redirect-uri-template


    Otherwise if you are using your own web server like spring boot, you typically need to add custom logic or let the app service do the authentication by using the App Service EasyAuth feature. https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

    See related discussion:

    https://stackoverflow.com/questions/58921642/how-to-set-redirect-uri-for-spring-boot-app-on-app-service-using-azure-ad

    Let me know if this helps and if you still run into this issue.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

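As an added example (not part of the thread above and not the starter's own documentation), the fragment below contrasts the redirect-uri-template setting the answer refers to in a deployment like the asker's, where the pod speaks plain HTTP and TLS is terminated in front of it, with two ways of making the computed redirect URI match the https value in the app registration. It assumes spring-cloud-azure-starter-active-directory 5.x; the hostname, the default-looking template value and the load-balancer behaviour are assumptions, and the three documents separated by `---` are alternatives, not a single file to deploy.

```yaml
# Added example, not from the thread. Assumes spring-cloud-azure 5.x, a pod that
# listens on plain HTTP, and an AWS load balancer that terminates TLS in front of it.
# api.example.com is a placeholder hostname.

# --- Problematic: template derived from {baseUrl}
spring:
  cloud:
    azure:
      active-directory:
        # Spring Security fills {baseUrl} from the request the application itself
        # receives. Behind a TLS-terminating proxy that request is plain http, so the
        # redirect_uri sent to the authorization server is
        # http://api.example.com/login/oauth2/code/ while the app registration holds
        # the https variant. OAuth2 requires an exact match, so the login is rejected.
        redirect-uri-template: "{baseUrl}/login/oauth2/code/"

---
# --- Fix 1: let {baseUrl} reflect the original scheme and host
server:
  # Spring Boot property: honour X-Forwarded-Proto / X-Forwarded-Host when building
  # absolute URLs. Only correct if the load balancer actually sets these headers and
  # untrusted clients cannot reach the pod directly with forged values.
  forward-headers-strategy: framework
spring:
  cloud:
    azure:
      active-directory:
        redirect-uri-template: "{baseUrl}/login/oauth2/code/"

---
# --- Fix 2: pin the redirect URI to the registered value, character for character
spring:
  cloud:
    azure:
      active-directory:
        # Must equal the URI in the app registration exactly: scheme, host, port,
        # path and trailing slash. A stray "/" or a different case in the host breaks it.
        redirect-uri-template: "https://api.example.com/login/oauth2/code/"
```

With either fix, compare the redirect_uri query parameter in the browser's authorize request against the registration before changing anything else; the two strings must be byte-identical.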
