AADSTS50011 HTTP and HTTPS

[cballesteros-sistrol]

I am having problems with the redirect URI when trying to log in.
I have the application running in AWS, in an ECS container, which communicates through port 80 (HTTP) with an AWS Network Load Balancer, as you can see in this diagram:

As indicated in the documentation and in numerous comments in the repository Issues, I configured the following parameters in my application:
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

However, I still have the same problem when trying to log in:
AADSTS50011: The redirect URI 'http://app.domain.com/oauth2/callback' specified in the request does not match the redirect URIs configured for the application '11111111-1111-11111-1111-1111111111'.

Could it be because I am using a Network Load Balancer (level 4) instead of an App Load Balancer?
Could it be that I have the application deployed on a subdomain?

Is there any way to set the redirect_uri in a static way to solve this?

to add more information, I am using these versions of Django and the library:
django-auth-adfs==1.13.0
django==4.1.12

Thanks in advance

Upvote & Fund

• We're using Polar.sh so you can upvote and help fund this issue.
• We receive the funding once the issue is completed & confirmed by you.
• Thank you in advance for helping prioritize & fund our backlog.

[JonasKs]

#243 suggests adding

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

[cballesteros-sistrol]

#243 suggests adding

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

Hello, thank you for your quick response.
As I mentioned in the description, I have set those variables as explained in that conversation...

[JonasKs]

Ah, sorry, read it in a rush.

Please see docs if you haven't.

Not sure how this works with a L4 LB,but are you able to set the header value as described here?

[cballesteros-sistrol]

Hello,

No, I have not been able to set the headers in any way... I think I have tried everything discussed in the various issues in the repository related to the topic (except those that include Nginx, since we do not have Nginx in the Stack).

I have a doubt, intuition tells me that it would be simpler if you could set the REDIR_URI and if not, that it would be automatically caculated. Why this configuration was deprecated?

[tim-schilling]

Why this configuration was deprecated?

It was deprecated 6 years ago. According to the comments, it's because it simplified the settings configuration and would rely on LOGIN_REDIRECT_URL. You can see how the redirects happen here.

Is there a reason you can't change the django_auth_adfs:callback url to match what you have in your AD settings?

[cballesteros-sistrol]

Hi, thanks for your reply :)

I have been several days studying the library code, and changing the LOGIN_REDIRECT_URL has not solved our problem.

I have managed to make a "fix" that works, but it is too crafty, as I had to overwrite several methods of both config and views as well as the authentication backend.

The problem has always been the same, the request made to Azure, both to obtain the Authoritation Token and the Access Token, is done with a redirect_uri with http:// by method:

 def redirect_uri(self, request):
       self.load_config()
       return request.build_absolute_uri(reverse("django_auth_adfs:callback"))

My fix, basically what it does is not to call that method if a configuration variable is configured with the redirect_uri.