Ghostwriter uses false redirect URL for SSO #568

Open
RaphaelSchein opened this issue Jan 5, 2025 · 4 comments
@RaphaelSchein

Hey,
I have Ghostwriter installed behind a Sophos Firewall; it is published via a function of the firewall called Webserverprotection, a kind of WAF.

When I try to use SSO via Azure, I run into the problem that Ghostwriter uses its private IP address as the redirect URL rather than the specified NGINX_HOST.

That is why I get the following error message:
AADSTS50011: The redirect URI 'https://172.24.xx.xxx/accounts/microsoft/login/callback/' specified in the request does not match the redirect URIs configured for the application 'redacted'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

I am grateful for any kind of help.

@RaphaelSchein added the `bug` label Jan 5, 2025
@chrismaddalena removed the `bug` label Jan 13, 2025
@chrismaddalena
Collaborator

The URL you visit must be configured with Azure as the trusted origin. Whatever you have configured with Azure is what you should visit in your browser. For example, if you have ghostwriter.yourdomain.com configured for SSO, you want to visit ghostwriter.yourdomain.com to login. If you visit the IP the domain points to, you'll see an error like this.

The NGINX_HOST is an internal value for things like the GraphQL container talking to the Django container. It won't affect or come into play with your SSO configuration.

@RaphaelSchein
Author

RaphaelSchein commented Jan 13, 2025

Hello,
thank you for your answer.

The problem is that even after I added the URL with the IP address to the trusted origins, Azure redirects me to the URL with the IP, not to the URL with the domain name.

The IP is a private IP behind the reverse proxy, so I get a connection error after authenticating with Azure.

When I only configure 'https://example.com/accounts/microsoft/login/callback/' in Azure, I get the message "untrusted origin" and it shows me the following URL that it tries to connect me to: 'https://172.24.xx.xxx/accounts/microsoft/login/callback/'

I need to change the callback URL that Ghostwriter sends to Azure from 'https://172.24.xx.xxx/accounts/microsoft/login/callback/' to 'https://example.com/accounts/microsoft/login/callback/' in Ghostwriter.

@chrismaddalena
Collaborator

That URL looks correct. The redirect URL in Azure should match this: https:///accounts/microsoft/login/callback/

If you set the URL and see something different in the response, you may need to re-build the FastAPI app. It may be easier to start from scratch, so FastAPI has the correct URL that matches the one you use to connect to Ghostwriter.

An IP address should work (technically), but we have found that there are still complaints about untrusted redirects if DNS is unhappy. That's why I recommend using a domain name.

@RaphaelSchein
Author

Hey,

I have now deployed a new VM and installed Ghostwriter from scratch.

After the install I ran the following commands:

```shell
./ghostwriter-cli-linux trustorigin ghostwriter.example.com
./ghostwriter-cli-linux config set allowhost YYY.YYY.YYY.106   # the private IP of the VM
./ghostwriter-cli-linux config set allowhost ghostwriter.example.com   # this domain points to the public IP of the reverse proxy (YYY.YYY.YYY.254); the reverse proxy is also the router for that network
```

I created 1-azure-conf.py with the following content:

```python
# Provider(s) configuration for django-allauth's Microsoft provider
SOCIALACCOUNT_PROVIDERS = {
    "microsoft": {
        "APP": {
            "client_id": "REDACTED",
            "secret": "REDACTED",
        },
        "EMAIL_AUTHENTICATION": True,
        "VERIFIED_EMAIL": True,
    },
}
# Extend the installed apps with the SSO app for your provider(s).
# INSTALLED_APPS is defined by the base Ghostwriter settings that this
# overlay file is loaded on top of; it is not defined here.
SSO_PROVIDERS = ["allauth.socialaccount.providers.microsoft"]
INSTALLED_APPS = INSTALLED_APPS + SSO_PROVIDERS
```

After that I rebuilt the containers.

When trying to log in with Microsoft, I get the following error message:

AADSTS50011: The redirect URI 'https://YYY.YYY.YYY.106/accounts/microsoft/login/callback/' specified in the request does not match the redirect URIs configured for the application 'REDACTED'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

When I add that URI to the allowed origins, I get no error message from Microsoft, but I am redirected to the link with the private IP, which is not reachable from my system.

What option must I set in Ghostwriter so that it uses the domain name ghostwriter.example.com instead of the private IP?
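The mechanism behind the thread, as an added example that is not Ghostwriter's or django-allauth's code: Ghostwriter's Microsoft SSO is django-allauth (the config above installs `allauth.socialaccount.providers.microsoft`), and allauth builds the `redirect_uri` it sends to Azure with `request.build_absolute_uri()` on the callback path. The host and scheme therefore come from the request as the Django container receives it, not from a fixed setting. The model below reproduces the relevant rules of Django's `HttpRequest.get_host()` and `is_secure()` so you can see what happens when the proxy rewrites the `Host` header to the backend address versus passing the browser's host through. The header sets, the `10.0.0.5` address and the assumption that the `allowhost` values above populate `ALLOWED_HOSTS` are constructed for this example.

```python
"""Model of how a django-allauth redirect_uri is derived from request headers.
Added illustration, not Ghostwriter or Django code; constructed inputs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CALLBACK_PATH = "/accounts/microsoft/login/callback/"  # path from the error in this issue


class DisallowedHost(Exception):
    """Host not in ALLOWED_HOSTS (Django answers 400 Bad Request)."""


@dataclass
class Settings:
    allowed_hosts: List[str] = field(default_factory=list)      # ALLOWED_HOSTS
    use_x_forwarded_host: bool = False                           # USE_X_FORWARDED_HOST
    secure_proxy_ssl_header: Optional[Tuple[str, str]] = None    # SECURE_PROXY_SSL_HEADER


def _host_allowed(domain: str, allowed_hosts: List[str]) -> bool:
    """Django's validate_host(): '*' matches all, '.example.com' matches the
    domain and its subdomains, anything else must match exactly."""
    for pattern in allowed_hosts:
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain == pattern[1:] or domain.endswith(pattern)):
            return True
    return False


def get_host(meta: Dict[str, str], settings: Settings) -> str:
    """Mirror HttpRequest.get_host(): X-Forwarded-Host is honoured only when
    USE_X_FORWARDED_HOST is True; otherwise the Host header the backend actually
    received is used, with SERVER_NAME[:SERVER_PORT] as the last fallback."""
    if settings.use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in meta:
        host = meta["HTTP_HOST"]
    else:
        host = meta["SERVER_NAME"]
        port = str(meta.get("SERVER_PORT", ""))
        if port not in ("", "80", "443"):
            host = f"{host}:{port}"
    domain = host.rsplit(":", 1)[0] if ":" in host else host  # strip :port (IPv4/names only)
    if not _host_allowed(domain.lower(), settings.allowed_hosts):
        raise DisallowedHost(f"Invalid HTTP_HOST header: {host!r}")
    return host


def get_scheme(meta: Dict[str, str], settings: Settings) -> str:
    """Mirror is_secure(): the proxy's X-Forwarded-Proto counts only when
    SECURE_PROXY_SSL_HEADER names it; otherwise the backend's own scheme wins."""
    if settings.secure_proxy_ssl_header:
        header, secure_value = settings.secure_proxy_ssl_header
        if header in meta:
            return "https" if meta[header].split(",")[0].strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def callback_url(meta: Dict[str, str], settings: Settings) -> str:
    """The redirect_uri allauth would send to Azure for this request."""
    return f"{get_scheme(meta, settings)}://{get_host(meta, settings)}{CALLBACK_PATH}"


# Constructed header sets as the Django container would see them behind a
# TLS-terminating proxy that speaks plain HTTP to the backend.
HOST_REWRITTEN = {  # proxy replaced Host with the backend's private address
    "HTTP_HOST": "10.0.0.5",
    "HTTP_X_FORWARDED_HOST": "ghostwriter.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
    "wsgi.url_scheme": "http",
}
HOST_PRESERVED = {  # proxy passed the browser's Host header through unchanged
    "HTTP_HOST": "ghostwriter.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
    "wsgi.url_scheme": "http",
}
ALLOWED = ["ghostwriter.example.com", "10.0.0.5"]  # assumed: what `allowhost` feeds into


def run_scenarios() -> Dict[str, str]:
    """Resulting redirect_uri under four proxy/setting combinations."""
    proxy_ssl = ("HTTP_X_FORWARDED_PROTO", "https")
    return {
        "rewritten_host": callback_url(
            HOST_REWRITTEN, Settings(ALLOWED, secure_proxy_ssl_header=proxy_ssl)),
        "rewritten_host_trust_xfh": callback_url(
            HOST_REWRITTEN, Settings(ALLOWED, use_x_forwarded_host=True,
                                     secure_proxy_ssl_header=proxy_ssl)),
        "preserved_host": callback_url(
            HOST_PRESERVED, Settings(ALLOWED, secure_proxy_ssl_header=proxy_ssl)),
        "preserved_host_no_proxy_header": callback_url(HOST_PRESERVED, Settings(ALLOWED)),
    }


if __name__ == "__main__":
    for name, url in run_scenarios().items():
        print(f"{name:32s} {url}")
```

The first scenario reproduces the symptom in this thread: a proxy that rewrites `Host` to the backend address yields `https://10.0.0.5/...` as the callback, and adding that address to `ALLOWED_HOSTS` only turns the 400 into a redirect to an unreachable private IP. The two fixes the model shows are either configuring the proxy to forward the original `Host` header, or enabling `USE_X_FORWARDED_HOST` so the `X-Forwarded-Host` value is used; the latter should only be switched on behind a proxy that always overwrites that header, because Django then trusts a client-suppliable value. The fourth scenario shows that without `SECURE_PROXY_SSL_HEADER` the callback comes out as `http://`, which Azure would also reject as a mismatch.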
