OAuth Redirect on Prod Error

I was able to set up Microsoft OAuth in my local dev environment, but when I publish to our prod server I get a 404 error when attempting to log in and grab an authorization token. It looks like it is redirecting to my application, not to the Microsoft authorization link.

Here are the steps that work perfectly fine in the local environment.


But when in production it returns this error:

  {
    "status": "404",
    "message": "/common/oauth2/v2.0/authorize?response_type=code&client_id=XXX&scope=User.Read%20offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fapi%2Flogin%2Fauth&state=XXX not found."
  }

I’m using Node.js and the production environment is on an IIS server with a reverse proxy.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInbound" stopProcessing="true">
                    <match url="(.*)"/>
                    <action type="Rewrite" url="http://localhost:3001/{R:1}"/>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

I’m assuming it’s something to do with the reverse proxy, but I’m not entirely sure. It also looks like the production server is using the local dev redirect URI for some reason too. Any recommendations at this point would be incredibly helpful, as I have been banging my head against a wall for over a week with this OAuth.

A couple of things to check

For the Auth Endpoint and Token Endpoint I am not 100% sure, but they may need to be changed to include the tenant ID instead of /common/. Best to copy them from the Endpoints in the application itself. At least that is how I have done it before in Wappler and in other applications not Wappler related. It could work with common, but I have not tried it that way before.

They can be found under your application Overview; in the top section you should see Delete, Endpoints, Preview features (or at least that is what I see). Click on Endpoints and use the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) links.

In that same application's Redirect URIs, be sure to include the production website (I believe we discussed this in your other post), so from your error it may be http://localhost:3001/api/login/auth or something like that. Replace with the FQDN if applicable. You can have both there at the same time. However, I believe you would get a direct error from a Microsoft branded page if the URL was missing or incorrect in this step.


I’ve had success using /common/ before with my endpoints and have also read elsewhere that it is fine, so I don’t believe that is the hang-up, but I will give it a try. I’ve also made sure the application has both dev and prod redirect URIs.

I just don’t understand why in production the OAuth uses the local dev URI and also replaces the base URL in the endpoints, switching Microsoft.com to productionurl.com, which causes the 404 error above.

I’m taking a shot in the dark and guessing it’s something to do with the IIS server and/or the reverse proxy, considering everything works in local dev.

Also, I really do appreciate all of your help with this; it has been driving me crazy.

As you say, it could have to do with your IIS server configuration. I am using the Docker deployment option, as it definitely seems to be the easiest to work with so far, with the custom server option that we are hosting for the Docker deployment.

While it may already be done, something else to check: in your project settings for your production target, is the web server URL already set to the correct URL and not localhost as it is in the development target?

To rule out whether it is an IIS issue, can you temporarily point to another production target to test with?