Using MSAL/MSGraph behind a reverse proxy

Robert Litchfield 116 Reputation points
2020-10-29T17:27:31.427+00:00

I'm trying to host a Flask web application behind an IIS reverse proxy and access MS Graph using MSAL. I have the reverse proxy working (woot!), but when I try to use MS Graph/MSAL it sees the original URL as the redirect_uri, not the reverse proxy URL.

I get the following error:
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:

The Microsoft response URL is:

https://login.microsoftonline.com/<not showing>/oauth2/v2.0/authorize?client_id=<not showing>&response_type=code&redirect_uri=http%3A%2F%2Fsrvedmwebapp01.universe.local%3A9000%2FgetAToken

It should have &redirect_uri=https://scms.twose.ca/getAToken.

I used the amazing examples at https://github.com/Azure-Samples/ms-identity-python-webapp to get this to work without a reverse proxy in the past. (Thanks MS)

Accepted answer
  1. Robert Litchfield 116 Reputation points
    2020-10-29T20:17:12.067+00:00

    Working with another coder on GitHub, the solution was found (https://github.com/Azure-Samples/ms-identity-python-webapp/issues/51).

    The app must make use of a custom proxy fix as follows, and remove the one from Werkzeug.

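    # WSGI middleware that overrides the host and scheme the app sees,
    # so generated URLs (including redirect_uri) use the public address.
    class CustomProxyFix(object):
        def __init__(self, app):
            self.app = app

        def __call__(self, environ, start_response):
            # Public host name of the reverse proxy (replace with your own)
            environ['HTTP_HOST'] = 'example.org'
            # The public URL is served over https by the proxy
            environ['wsgi.url_scheme'] = 'https'
            return self.app(environ, start_response)

    # app is the Flask application object from the sample
    app.wsgi_app = CustomProxyFix(app.wsgi_app)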
    

    This issue can now be considered solved.

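The accepted fix above, generalized as an added example (not code from the post or from the sample repository): the public scheme and host are pinned from deployment configuration rather than read from request headers, and the resulting redirect_uri is rebuilt from the WSGI environ with the standard library's `wsgiref`. The names `PinnedPublicURL`, `redirect_uri_app`, `backend_environ` and `call` are assumptions for illustration, and the environ is constructed from the host names in the question.

```python
from wsgiref.util import application_uri, setup_testing_defaults


class PinnedPublicURL:
    # WSGI middleware: the externally visible scheme and host come from
    # configuration, so a client-supplied Host header cannot change the
    # URLs the app generates (including the OAuth redirect_uri).
    def __init__(self, app, host, scheme="https"):
        self.app, self.host, self.scheme = app, host, scheme

    def __call__(self, environ, start_response):
        environ["HTTP_HOST"] = self.host
        environ["wsgi.url_scheme"] = self.scheme
        # Drop forwarded headers so nothing downstream trusts them.
        for key in ("HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_PROTO"):
            environ.pop(key, None)
        return self.app(environ, start_response)


def redirect_uri_app(environ, start_response):
    """Stand-in for the Flask app: returns the redirect_uri it would send."""
    uri = application_uri(environ).rstrip("/") + "/getAToken"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [uri.encode()]


def backend_environ(**extra):
    """Constructed request as the backend sees it behind the proxy."""
    environ = {
        "HTTP_HOST": "srvedmwebapp01.universe.local:9000",
        "SERVER_NAME": "srvedmwebapp01.universe.local",
        "SERVER_PORT": "9000",
        "wsgi.url_scheme": "http",
    }
    environ.update(extra)
    setup_testing_defaults(environ)  # fills the remaining required keys
    return environ


def call(app, environ):
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print(call(redirect_uri_app, backend_environ()))  # internal URL
    pinned = PinnedPublicURL(redirect_uri_app, "scms.twose.ca")
    print(call(pinned, backend_environ()))            # public URL
```

In a Flask app the wrapper is installed the same way as in the answer, with `app.wsgi_app = PinnedPublicURL(app.wsgi_app, "scms.twose.ca")`, and the pinned value must match a reply URL registered for the application.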