Cannot connect to Office365 using the Azure Portal (AADSTS50011: The reply URL specified in the request does not match the reply URLs)

[oanat]

Steps to reproduce:

• install the Office365 app on a local XWiki (I tested 11.9)
• configure OAuth on the Azure Portal for localhost:
  ** register XWiki app:

** click on "Authentication">"Switch to the old experience"

** add the Redirect URI:

** add Permissions:

** Go to "Certificates and Secrets" and generate a New Client Secret

• update http://localhost:8080/xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=office365 with the tenant (e.g. yourorg.onmicrosoft.com or the full ID), application (client) ID and secret
• Create a page and add the {{office365 /}} macro
• login with the Office365 credentials

Result:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'a01b7f50-a47d-4ead-8c42-b707d9b37b56'.

[polx]

@oanat : It seems to me that the message is just indicating the redirect-URL is incorrect. Remember that the redirect URL is calculated in a possibly slightly different method that the browser. Using the network inspector allows you to read the parameters of the URLs to where the browser was sent.

[polx]

First, I noticed that there's more install instructions to include: Under authentication, some implicit grant flows need to be activated (ID-tokens).
I then emptied the set of possible web-sites from the authentication, then added again the web application with my xwiki URL.
I then could embed by URL.

We definitely have a weak documentation and probably a bug at MS.

[polx]

So, I could reproduce the bug and solved it by removing the part
+ "?state=${state}"
from the line 189 of /xwiki/bin/edit/Office365/Groovy?editor=wiki&force=1 (this needs superadmin).

I'll note that my installation procedure is as follows:

• Azure AD: Register applications : Add application
  • web-app: insert your URL <....>/xwiki/bin/view/Office365/OAuth
• back to Authentication: implicit grant: allow id-tokens
• certificate and secrets: create secret and copy somewhere secure (it won't be shown anymore)
• API permissions: it's enough to add: MS Graph: Delegated Permission: Files.ReadWrite, Sites.ReadWrite.All, User.Read: search and check checkboxes

Could you test this before I make a release or should I cut an RC?
I should also test as another user as the main user on the office tenancy.

I don't feel very confident with this app yet and the debug flag is on per default and seems to be horribly verbose to the user (but not to the admin!).

thanks

paul

[oanat]

@polx Thanks for the investigation. A release for RC would be best as we would have to test on some private environments as well.

[polx]

Hello @oanat ,
1.5-RC1 is released and should be accessible to you to test.
Please confirm.
paul

[oanat]

Great, thanks @polx !

[oanat]

@polx Looks better. I don't have any file inside my free Office365 account to test, however I can use the macro and search without any errors:

[oanat]

I managed to make the search and all other features work with the 1.5-RC1 version of the app and my Azure configuration. The search did not seems to work when I was testing on localhost (so HTTP which is permitted by the Azure Portal). The search results were displayed correctly when I switched to a HTTPS wiki.