Awx: Azure ad authentication not sending correct base URL

Created on 20 Jun 2019 · 9 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
SUMMARY

I've set the base URL to https://awx.myurl.com, but when I try to authenticate with Azure AD (which shows the https:// URL in the callback URL) it sends the callback URL as http://.

ENVIRONMENT
  • AWX version: 4.0.0.0
  • AWX install method: docker on linux
  • Ansible version: 2.7.9
  • Operating System: Ubuntu 18.04
  • Web Browser: Firefox and Vivaldi
STEPS TO REPRODUCE

Set AWX base URL to https://awx.myurl.com, create Azure AD app. Go to Settings > Authentication. See the callback URL as https://, save and logout. On the login page click Login with Azure and get the following error:

```
Sign in

Sorry, but we're having trouble signing you in.
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'xxxxxxxxxxxx'.
```

Then, looking at the actual URL, I see that it sends the http:// URL and not the https:// URL.

EXPECTED RESULTS

To be logged in via Azure AD SSO

ACTUAL RESULTS

Wrong callback URL sent.

ADDITIONAL INFORMATION
Labels: api, help wanted, medium, needs_devel, bug

All 9 comments

@drzippit,

Are you running some sort of proxy in front of AWX? This looks like it could be a misconfiguration on your end.

@ryanpetrello

I am. I have it behind an nginx reverse proxy. How would I go about correcting the config?

@drzippit

The best answer is "it's complicated" (we don't currently have any official documentation on doing it, and given the number of variables it'll probably come down to just troubleshooting it - _maybe_ there's a bug lurking under the surface somewhere?)

Have you tried seeing if anyone else has encountered this problem in our mailing list or IRC room?

http://webchat.freenode.net/?channels=ansible-awx
https://groups.google.com/forum/#!forum/awx-project

@ryanpetrello I have not checked out the mailing list or IRC. I'll check them out.

It's possible for me to work without a reverse proxy if that enables me to use SSO. Is that answer less complicated?

@drzippit,

Here's a similar issue, only with SAML, which might point you in the right direction:

https://github.com/ansible/awx/issues/1016#issuecomment-360023289

I suspect this will _probably_ come down to some mixture of X-Forwarded-XXXXX header configuration necessary in nginx.

This Red Hat Ansible Tower documentation might be applicable, too: https://docs.ansible.com/ansible-tower/latest/html/administration/proxy-support.html

@drzippit

We're running AWX behind an Nginx reverse proxy with Azure AD enabled. This is working fine after passing some headers to awx_web. This is our configuration to get it working:

```nginx
server {
    listen      80;
    server_name awx.domain.tld;
    # Send every plain-HTTP request to the HTTPS site.
    rewrite     ^  https://$host$request_uri? permanent;
}
server {
    # "listen ... ssl" replaces the old "ssl on;" directive, which newer
    # nginx releases no longer accept.
    listen              443 ssl;
    server_name         awx.domain.tld;
    ssl_certificate     /etc/pki/tls/certs/cert.pem;
    ssl_certificate_key /etc/pki/tls/private/cert.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy
    # clients still require them.
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://127.0.0.1:8012;
        proxy_http_version 1.1;
        # Keep the public host name so AWX builds absolute URLs for awx.domain.tld.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The backend only sees plain HTTP on port 8012; this header tells it
        # the client used HTTPS, so the Azure AD callback URL is built as https://.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        # WebSocket upgrade for the AWX UI's live job output.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
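The two comments above (ryanpetrello's pointer at the X-Forwarded-* headers and piwi91's nginx configuration) explain the fix but not why it works. The following is an added illustration, not code from AWX or python-social-auth: a Django-style request handler behind that proxy only sees plain HTTP on 127.0.0.1:8012, so the scheme it writes into the OAuth2 `redirect_uri` has to come from `X-Forwarded-Proto`, and that header must only be trusted when the request really arrives from the proxy. The callback path, the trusted proxy range and the sample requests are assumptions constructed for the example.

```python
"""Added example (not AWX's or python-social-auth's own code): how a Django-
style app behind the nginx proxy above decides which scheme goes into the
OAuth2 redirect_uri it sends to Azure AD.  The callback path, the trusted
proxy range and the sample headers are assumptions for illustration."""
from ipaddress import ip_address, ip_network

# Assumption: nginx reaches the app over loopback (proxy_pass http://127.0.0.1:8012),
# so only loopback peers may assert which scheme the real client used.
TRUSTED_PROXIES = (ip_network("127.0.0.0/8"),)

# Assumed callback path for the illustration.
CALLBACK_PATH = "/sso/complete/azuread-oauth2/"


def from_trusted_proxy(peer_ip):
    """True when the TCP peer is one of the configured reverse proxies."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_scheme(headers, peer_ip, socket_is_tls=False):
    """Scheme the app should believe the browser used.

    Behind the proxy the app's own socket is plain HTTP, so without
    X-Forwarded-Proto it can only answer "http" (the symptom in the issue).
    The header is honoured only from a trusted proxy; otherwise any client
    could claim "https" simply by sending the header itself.
    """
    if socket_is_tls:
        return "https"
    if from_trusted_proxy(peer_ip):
        if headers.get("X-Forwarded-Proto", "").strip().lower() == "https":
            return "https"
    return "http"


def effective_host(headers, peer_ip):
    """host[:port] for absolute URLs.  `proxy_set_header Host $host` keeps the
    public name; X-Forwarded-Port is appended only when it is not the default
    for the scheme and only when it was set by the proxy."""
    host = headers["Host"].split(":")[0]  # assumes a DNS name, not an IPv6 literal
    scheme = effective_scheme(headers, peer_ip)
    default_port = {"http": "80", "https": "443"}[scheme]
    port = headers.get("X-Forwarded-Port", "")
    if from_trusted_proxy(peer_ip) and port and port != default_port:
        return f"{host}:{port}"
    return host


def build_redirect_uri(headers, peer_ip):
    """The redirect_uri the app puts into the Azure AD authorize request."""
    return f"{effective_scheme(headers, peer_ip)}://{effective_host(headers, peer_ip)}{CALLBACK_PATH}"


def reply_url_accepted(redirect_uri, registered_reply_urls):
    """Azure AD compares redirect_uri with the app registration literally,
    scheme included; a mismatch is what AADSTS50011 reports."""
    return redirect_uri in registered_reply_urls


# Constructed sample requests as the app would see them behind the proxy.
REGISTERED = {"https://awx.myurl.com/sso/complete/azuread-oauth2/"}
PROXY_PEER = "127.0.0.1"
NO_HEADER = {"Host": "awx.myurl.com"}                       # proxy not forwarding the scheme
WITH_HEADER = {"Host": "awx.myurl.com", "X-Forwarded-Proto": "https",
               "X-Forwarded-Port": "443"}                    # the proxy config from the thread
DIRECT_PEER = "203.0.113.7"                                  # a client bypassing the proxy


def scenarios():
    """Map scenario name -> (redirect_uri, accepted by Azure AD)."""
    cases = {
        "no_header": (NO_HEADER, PROXY_PEER),
        "with_header": (WITH_HEADER, PROXY_PEER),
        "header_from_untrusted_peer": (WITH_HEADER, DIRECT_PEER),
    }
    out = {}
    for name, (hdrs, peer) in cases.items():
        uri = build_redirect_uri(hdrs, peer)
        out[name] = (uri, reply_url_accepted(uri, REGISTERED))
    return out


if __name__ == "__main__":
    for name, (uri, ok) in scenarios().items():
        print(f"{name:28s} {uri}  ->  {'accepted' if ok else 'AADSTS50011 mismatch'}")
```

The `no_header` case reproduces the issue: the proxy terminates TLS, the app sees `http`, and Azure AD rejects the literal mismatch. The `with_header` case is what piwi91's `proxy_set_header X-Forwarded-Proto $scheme` produces. The third case shows why the trusted-proxy check matters: a forwarded-scheme header is only evidence when it comes from the proxy itself, which is also why the proxy should be the only way to reach port 8012.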

@piwi91 and @ryanpetrello,

Thank you both so much. It was indeed the headers that needed to be forwarded. Login now sends the HTTPS url.

Now I think I just have to map the accounts, because I get the error "Your credentials aren't allowed."

@piwi91 How did you pass the headers to awx_web ?

@svrraja
He literally posted his nginx reverse proxy config.
