I want to use Azure Active Directory as an OAuth 2.0 provider via the OpenID Connect feature. Gitea contacts the AD correctly and the workflow on the AD side executes correctly, but then the callback fails.

According to the Microsoft docs, `response_type` must include `id_token` for OpenID Connect sign-in, but Gitea sends `response_type: code`, as shown in the screenshot.
I did some research on the matter and it seems that Msft is following the implicit flow whereas Gitea uses the _Authorization Code Flow_.
What are your thoughts on the matter? Is this something that should be changed in the OpenID Connect adapter of Gitea or rather add an Azure AD OAUTH provider directly?
That actually seems questionable. Authorization Code Flow should always be used for hosted servers, like Gitea. Implicit Flow is designed for things like public JavaScript apps. I'd wager there is probably some mis-set setting in Azure or so, as you really don't want to be using the implicit flow for a hosted server (just as you really exceptionally don't want to use authorization code flow for a SPA).
Thanks for those insights, I don't know that much about the OpenID format. I will get in contact with Msft support and discuss this issue, will update with a solution.
I think this should be improved in Gitea, as OAuth should return the token/flow that has been requested.
@OvermindDL1 was correct, there was a configuration missing on Azure AD side. The docs are a mess about this.
If anyone ever comes across this issue again, you need to configure the AD application on Azure side to Default Client Type: yes. This forces AAD to follow the code flow.

Good afternoon,
I'm having the same issue. I followed @anoff's answer and I still have the same problem.
I followed this link for the setup: https://blog.anoff.io/2019-03-23-configure-azure-ad-for-gitea/
I'm using Gitea 1.8 with MySQL on openSUSE Leap 42.1 and I have 2FA enabled in my Azure account.
Hey @Mr-Reca,
did you create a native app in Azure? When looking at your app registration, the _Authentication_ tab should be configured like this:

Did you also set the correct tenant for the OpenID URL? Maybe you can share your config (w/o secret) and error messages you receive.
Hey @anoff
Where can I check if my app is native or not? I've just followed your blog. I checked the _Authentication_ settings (_Default client type_) and I also checked the secrets, keys & IDs.
The only thing is that Azure forced me to use https. I created a certificate using `gitea cert --host <hostname>.<domain>` and I changed the config file.
When I log in, I do the MFA and then the browser shows me the error AADSTS50011: "The reply url specified in the request does not match the reply urls configured for the application: <client_id>."
The reply URL is the next one:
https://<hostname>.<domain>:3000/user/oauth2/<app_name>/callback
The OpenID URL is the next one:
https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
Do you want the config and some log files in case I missed something?
Thank you so much,
Let's discuss the details offsite, Twitter DM https://twitter.com/an0xff or
email [email protected] a screenshot of your gitea oauth setup
If you're using Azure App Proxy make sure you add the root url as a Reply URI in addition to the OpenID URI. This fixes the "not match the reply urls" error
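The two failure modes in this thread are a `response_type` the provider will not honour and a `redirect_uri` that does not match a registered reply URL character for character (the AADSTS50011 case). The following pre-flight check is an added example, not Gitea's or Microsoft's code: it builds the callback URL Gitea uses for an OAuth2 source (`<ROOT_URL>/user/oauth2/<name>/callback`), forms a code-flow authorization request, and reports what an IdP would reject. The discovery document, hostnames and client id are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for what <tenant>/v2.0/.well-known/openid-configuration
# returns; not a real capture from a tenant.
DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/<tenant>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
}


def gitea_callback_url(root_url: str, provider_name: str) -> str:
    """Callback Gitea registers for an OAuth2 source: <ROOT_URL>/user/oauth2/<name>/callback."""
    return root_url.rstrip("/") + f"/user/oauth2/{provider_name}/callback"


def build_auth_request(discovery: dict, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization Code Flow request as a confidential (server-side) client sends it."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid email profile", "redirect_uri": redirect_uri, "state": state}
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def check_auth_request(auth_url: str, discovery: dict, registered_reply_urls: list) -> list:
    """Return the problems an IdP would reject this request for (empty list = looks fine)."""
    q = parse_qs(urlsplit(auth_url).query)
    problems = []
    rt = q.get("response_type", [""])[0]
    if rt not in discovery["response_types_supported"]:
        problems.append(f"response_type {rt!r} not advertised by provider")
    if rt == "code" and "authorization_code" not in discovery["grant_types_supported"]:
        problems.append("provider does not advertise the authorization_code grant")
    redirect = q.get("redirect_uri", [""])[0]
    if redirect not in registered_reply_urls:
        # Exact comparison, as in AADSTS50011: scheme, host, port and path must all match,
        # so http vs https, a missing :3000 or a trailing slash is enough to fail.
        want = urlsplit(redirect)
        hints = []
        for reg in registered_reply_urls:
            have = urlsplit(reg)
            diffs = [f for f in ("scheme", "netloc", "path") if getattr(want, f) != getattr(have, f)]
            hints.append(f"{reg}: differs in {', '.join(diffs) or 'query/fragment'}")
        problems.append("redirect_uri not registered -> " + "; ".join(hints))
    return problems
```

Running the check with the registered reply URL spelled `http://<host>/...` while Gitea's ROOT_URL is `https://<host>:3000/` pinpoints the scheme and port mismatch instead of the opaque error page.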