question

RobertLitchfield-3143 asked shashishailaj commented

Using MSAL/MSGraph behind a reverse proxy

I'm trying to host a Flask web application behind an IIS reverse proxy and access MS Graph using MSAL. I have the reverse proxy working (woot!), but when I try to use MS Graph/MSAL it sees the original URL as the redirect_uri, not the reverse proxy URL.

I get the following error:
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:

The Microsoft response URL is:

 https://login.microsoftonline.com/<not showing>/oauth2/v2.0/authorize?client_id=<not showing>&response_type=code&redirect_uri=http%3A%2F%2Fsrvedmwebapp01.universe.local%3A9000%2FgetAToken
    
 It should have &redirect_uri=https://scms.twose.ca/getAToken.

I used the amazing examples at https://github.com/Azure-Samples/ms-identity-python-webapp to get this to work without a reverse proxy in the past. (Thanks MS)


azure-ad-msal

I attempted to change the URL in the response; however, that caused another error, so that didn't work.

AADSTS500112: The reply address 'http://srvedmwebapp01.universe.local:9000/getAToken' does not match the reply address 'https://scms.twose.ca/getAToken' provided when requesting Authorization code.


1 Answer

RobertLitchfield-3143 answered shashishailaj commented

Working with another coder on GitHub, the solution was found (https://github.com/Azure-Samples/ms-identity-python-webapp/issues/51).

The app must make use of a custom proxy fix as follows, and remove the one from Werkzeug.

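 class CustomProxyFix(object):
     """WSGI middleware that overrides the host and scheme the app sees."""

     def __init__(self, app):
         self.app = app

     def __call__(self, environ, start_response):
         # Public host name served by the reverse proxy.
         environ['HTTP_HOST'] = 'example.org'
         # The public URL is https, so generated URLs must use that scheme.
         environ['wsgi.url_scheme'] = 'https'
         return self.app(environ, start_response)

 # `app` is the existing Flask application object from the sample.
 app.wsgi_app = CustomProxyFix(app.wsgi_app)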

This issue can now be considered solved.

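The effect of the fix in the answer can be checked offline. This is an added example, not code from the original post or from the Azure sample: it replays one constructed request as the backend receives it and compares the redirect URI built from the WSGI environ with the reply URL registered in Azure AD. The stand-in view, the `FixedPublicOrigin` name and the use of `wsgiref` in place of Flask are assumptions made for illustration; the host names and `/getAToken` path come from the question.

```python
from wsgiref.util import application_uri

# Values from the question; the reply URL is the one registered for the app.
PUBLIC_HOST = "scms.twose.ca"
REGISTERED_REPLY_URL = "https://scms.twose.ca/getAToken"
REDIRECT_PATH = "/getAToken"


class FixedPublicOrigin:
    """WSGI middleware that pins scheme and host to a configured public origin."""

    def __init__(self, app, host, scheme="https"):
        self.app, self.host, self.scheme = app, host, scheme

    def __call__(self, environ, start_response):
        # Values come from configuration, never from client-supplied headers.
        environ["HTTP_HOST"] = self.host
        environ["wsgi.url_scheme"] = self.scheme
        return self.app(environ, start_response)


def redirect_uri_app(environ, start_response):
    """Hypothetical stand-in for the login view: returns its redirect_uri."""
    uri = application_uri(environ).rstrip("/") + REDIRECT_PATH
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [uri.encode()]


def redirect_uri_seen_by(app):
    """Send one constructed request, shaped as the proxy forwards it."""
    environ = {
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": "",
        "PATH_INFO": "/login",
        "SERVER_NAME": "srvedmwebapp01.universe.local",
        "SERVER_PORT": "9000",
        "HTTP_HOST": "srvedmwebapp01.universe.local:9000",
        "wsgi.url_scheme": "http",
    }
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    for app in (redirect_uri_app, FixedPublicOrigin(redirect_uri_app, PUBLIC_HOST)):
        uri = redirect_uri_seen_by(app)
        print(uri, "matches registered reply URL:", uri == REGISTERED_REPLY_URL)
```

Running the same comparison at application start-up turns a misconfigured proxy into a failed check before any user reaches the AADSTS50011 page.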