Django Azure AD AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
I am trying to authenticate users with Azure Active Directory, but I get
`AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application`
I am using the django-microsoft-auth library. I have looked at several Stack Overflow questions related to this, but none of them solved my problem.
None of them are Django specific.
settings.py
"""
Django settings for mywebapp project.
Generated by 'django-admin startproject' using Django 2.1.4.
For more information on this file, see
https://docs.djangoproject.com/en/2.1/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.1/ref/settings/
"""
import os
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'wi31*5al3v=&or_p354489830j)w_zr-)1^a$m*=@yo1l62nni'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
ALLOWED_HOSTS = ["*"]
SITE_ID = 1
# Application definition
INSTALLED_APPS = [
'django.contrib.sites',
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'myapp',
'microsoft_auth',
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'mywebapp.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
'microsoft_auth.context_processors.microsoft',
],
},
},
]
WSGI_APPLICATION = 'mywebapp.wsgi.application'
# Database
# https://docs.djangoproject.com/en/2.1/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
}
}
AUTHENTICATION_BACKENDS = [
'microsoft_auth.backends.MicrosoftAuthenticationBackend',
'django.contrib.auth.backends.ModelBackend' # if you also want to use Django's authentication
# I recommend keeping this with at least one database superuser in case of unable to use others
]
# Password validation
# https://docs.djangoproject.com/en/2.1/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/2.1/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/2.1/howto/static-files/
STATIC_URL = '/static/'
MICROSOFT_AUTH_CLIENT_ID ={clientid}
MICROSOFT_AUTH_CLIENT_SECRET = {Secret}
MICROSOFT_AUTH_LOGIN_TYPE = 'ma'
urls.py
from django.contrib import admin
from django.urls import include, path

urlpatterns = [
    path('microsoft/', include('microsoft_auth.urls', namespace='microsoft')),
    path('myapp/', include('myapp.urls')),
    path('admin/', admin.site.urls),
]
Usually this problem occurs when the redirect URL defined in the Azure portal does not match the redirect URL in the authorization request. You can use Fiddler to capture the authorization request URL and find the redirect URL in the request, like:
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A12345
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345
Copy this redirect_uri and paste it into the Azure portal.
When you run the built-in server, it runs on port 8000 by default. So the callback URL you enter in Azure is http://localhost:8000/microsoft/auth-callback/
The problem is that Azure calls back but drops the colon and the port number, so it calls your server back at http://localhost/microsoft/auth-callback/, which obviously fails because your server is listening on port 8000.
In that case you can simply configure an iptables redirect rule that redirects traffic to localhost on port 80 to port 8000, like this (on Linux):
iptables -t nat -I OUTPUT --source 127.0.0.1 --destination 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 8000
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 295 packets, 66558 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 295 packets, 66558 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 145K packets, 8873K bytes)
 pkts bytes target     prot opt in     out     source               destination
  211 12660 REDIRECT   tcp  --  *      *       127.0.0.1            127.0.0.1            tcp dpt:80 redir ports 8000
Chain POSTROUTING (policy ACCEPT 145K packets, 8886K bytes)
 pkts bytes target     prot opt in     out     source               destination
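The check both answers revolve around, reproduced locally as an added example (this is not code from the question, from either answer, or from django-microsoft-auth): it pulls `redirect_uri` out of a captured authorization request, as the first answer suggests doing with Fiddler, and reports exactly which component fails against each reply URL configured in the portal, so the dropped-port case the second answer describes shows up as `port None != 8000` instead of a bare AADSTS50011. It assumes Azure AD applies an exact match on scheme, host, port, path and query (the matching rule OAuth 2.0 recommends for redirect URIs); the sample authorization URL, its all-zero client_id and the configured reply URLs are constructed for the example. It goes beyond the page's single case by also diagnosing scheme, host, path and trailing-slash differences.

```python
"""
Added example: emulate Azure AD's reply-URL check for a captured
authorization request, so the cause of AADSTS50011 is visible locally.

Assumption (not stated on the page): the match is exact on scheme, host,
port, path and query, as OAuth 2.0 recommends for redirect URIs. Scheme and
host are compared case-insensitively (both are case-insensitive by spec);
the path is compared exactly, so a missing trailing slash is a mismatch.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an authorization request as a proxy such as Fiddler
# would capture it. The client_id is a placeholder, not a real application.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Fmicrosoft%2Fauth-callback%2F"
    "&response_mode=query"
    "&state=abc123"
)

# Constructed sample: what was typed into the portal (the built-in
# server's default port 8000, as the second answer describes).
SAMPLE_CONFIGURED_REPLY_URLS = [
    "http://localhost:8000/microsoft/auth-callback/",
]


def redirect_uri_from_authorize_url(authorize_url: str) -> str:
    """Extract the (percent-decoded) redirect_uri from an /oauth2/authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    values = query.get("redirect_uri")
    if not values:
        raise ValueError("authorization request carries no redirect_uri")
    return values[0]


def _components(uri: str) -> tuple:
    """Split a URI into the components the assumed exact match compares."""
    p = urlsplit(uri)
    # urlsplit lowercases scheme and hostname; path and query keep their case.
    return (p.scheme, p.hostname, p.port, p.path, p.query, p.fragment)


def explain_mismatch(requested: str, configured: str) -> list:
    """Return human-readable differences between two URIs; an empty list means they match."""
    names = ("scheme", "host", "port", "path", "query", "fragment")
    return [
        f"{name} {have!r} != {want!r}"
        for name, have, want in zip(names, _components(requested), _components(configured))
        if have != want
    ]


def check_reply_url(authorize_url: str, configured_reply_urls: list) -> dict:
    """
    Emulate the reply-URL check for one authorization request.

    Returns {"ok": bool, "redirect_uri": str, "diagnosis": {configured_url: [differences]}}.
    "diagnosis" is empty when some configured URL matches exactly.
    """
    requested = redirect_uri_from_authorize_url(authorize_url)
    if any(_components(requested) == _components(c) for c in configured_reply_urls):
        return {"ok": True, "redirect_uri": requested, "diagnosis": {}}
    return {
        "ok": False,
        "redirect_uri": requested,
        "diagnosis": {c: explain_mismatch(requested, c) for c in configured_reply_urls},
    }


if __name__ == "__main__":
    result = check_reply_url(SAMPLE_AUTHORIZE_URL, SAMPLE_CONFIGURED_REPLY_URLS)
    print("match" if result["ok"] else "AADSTS50011 would be raised")
    for url, diffs in result["diagnosis"].items():
        print(f"  vs {url}: {', '.join(diffs)}")
```

To use it against a real failure, replace the two constructed samples with the URL Fiddler captured and the reply URLs listed under the app registration in the portal. In django-microsoft-auth the redirect_uri in the request is built from the domain of the current Site in django.contrib.sites (the SITE_ID = 1 row in the posted settings) plus the auth-callback route, so a Site domain left at Django's default of example.com, or entered without :8000, is a common reason the request carries a different redirect_uri than the one registered; check the library's documentation for your version.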