Ghostwriter uses false redirect URL for SSO

[RaphaelSchein]

Hey,
I have Ghostwriter installed behind a Sophos Firewall, this is published via a function of the firewall called Webserverprotection, a kind of WAF.

If I now want to use SSO via Azure, I get the problem that Ghostwriter uses its private IP address as the redirect URL and not the specified NGINX_HOST.

That's why I get the following error message:
AADSTS50011: The redirect URI 'https://172.24.xx.xxx/accounts/microsoft/login/callback/' specified in the request does not match the redirect URIs configured for the application 'redacted'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

I am grateful for any kind of help.

[chrismaddalena]

The URL you visit must be configured with Azure as the trusted origin. Whatever you have configured with Azure is what you should visit in your browser. For example, if you have ghostwriter.yourdomain.com configured for SSO, you want to visit ghostwriter.yourdomain.com to login. If you visit the IP the domain points to, you'll see an error like this.

The NGINX_HOST is an internal value for things like the GraphQL container talking to the Django container. It won't affect or come into play with your SSO configuration.

[RaphaelSchein]

Hello,
thank you for your answer.

The problem is that even after i added the URL with IP Address to the trusted origins Azure redirects me to the URL with the IP not to the url with the domain name.

The IP is a private IP behind the reverse Proxy so i get an connection error after authenticating with azure.

When i only configure 'https://example.com/accounts/microsoft/login/callback/' in Azure i get the message untrusted origin and it shows me the follwing URL, to what it trys to connect me to: 'https://172.24.xx.xxx/accounts/microsoft/login/callback/'

I need to change the URL that Ghostwriter sends to Azure as Callback URL from 'https://172.24.xx.xxx/accounts/microsoft/login/callback/' to 'https://example.com/accounts/microsoft/login/callback/' in Ghostwriter

[chrismaddalena]

That URL looks correct. The redirect URL in Azure should match this: https:///accounts/microsoft/login/callback/

If you set the URL and see something different in the response, you may need to re-build the FastAPI app. It may be easier to start from scratch, so FastAPI has the correct URL that matches the one you use to connect to Ghostwriter.

An IP address should work (technically), but we have found that there are still complaints about untrusted redirects if DNS is unhappy. That's why I recommend using a domain name.

[RaphaelSchein]

Hey,

i have now deployed a new VM and install Ghostwriter from Scratch.

after install i ran the following Commands:

./ghostwriter-cli-linux trustorigin ghostwriter.example.com
./ghostwriter-cli-linux config set allowhost YYY.YYY.YYY.106 (The Private IP of the VM) 
./ghostwriter-cli-linux config set allowhost ghostwriter.example.com (This Domain points to the public IP of the Reverse Proxy, it has the IP YYY.YYY.YYY.254 the Reverseproxy is also the Router for that Network). 

I created this is the Content of 1-azure-conf.py

# Provider(s) configuration
SOCIALACCOUNT_PROVIDERS = {
    "microsoft": {
        "APP": {
            "client_id": "REDACTED",
            "secret": "REDACTED",
        },
        "EMAIL_AUTHENTICATION": True,
        "VERIFIED_EMAIL": True
    },
}
# Extend the installed apps with the SSO app for your provider(s)
SSO_PROVIDERS = ["allauth.socialaccount.providers.microsoft"]
INSTALLED_APPS = INSTALLED_APPS + SSO_PROVIDERS

After that i rebuild the containers.

When trying to Login with Microsoft it get the following Error Message:

AADSTS50011: The redirect URI 'https://YYY.YYY.YYY.106/accounts/microsoft/login/callback/' specified in the request does not match the redirect URIs configured for the application 'REDACTED. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

When trying to add that URI to the allowed Origin, i get no error Message from Microsoft but i am redirected to the link with the private IP, which is not reachable from my system.

What option must i set in Ghostwriter that Ghostwriter uses the Domainname ghostwriter.example.com instead of the private IP ?

[chrismaddalena]

Hey @RaphaelSchein, I missed your reply. Ghostwriter does not have any control over the redirect URL that Microsoft sees. This is a rough step-by-step of what happens:

1. You visit Ghostwriter in your browser by visiting https://address
2. When you select to use SSO, your browser passes https://address on to Microsoft
3. Microsoft authenticates you and then goes to redirect you back to https://address/accounts/microsoft/login/callback/ to complete the process

You'll see that error if Microsoft does not have https://address configured as a trusted redirect URI. If you are visiting a domain name and Microsoft sees the IP address, you may have an issue with your DNS or web proxy.

[github-actions]

This issue has been labeled as stale because it has been open for 30 days with no activity.

[github-actions]

This issue is closed because it has been inactive for 14 days since being labeled stale. Feel free to re-open the issue with a comment. If this needs further discussion (e.g., a feature request), it might be better to open a topic under the Discussions tab.