MS Office 365 integration is giving AADSTS90102

I don’t know if anything has changed recently, but after following the guide on integrating ms office AAD auth to erpnext, I am getting AADSTS90102: ‘redirect_uri’ value must be a valid absolute URI.

I even gave all 3 forms of email access as suggested in this discussion:

I tried a lot of things, but still haven’t been able to fix this issue. One reason I think could be happening is the redirect URI being sent from the side of erpnext is not https and also for some reason the http word gets repeated twice in the url. Also the baseurl (office.prishapolicy.com) isn’t even mentioned in the redirect URI. Here you can see the redirect uri encoded in the flow:

https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=http%3A%2F%2F%27http%3A%2Fapi%2Fmethod%2Ffrappe.integrations.oauth2_logins.login_via_office365&state=eyJzaXRlIjogImh0dHA6Ly8naHR0cDovL2xvY2FsaG9zdCciLCAidG9rZW4iOiAiNDNmZGRmODI2Y2IwZTU1NDkyMTlmOTdiNmY3MzQ0ZmY2NjI0MzEzOWMxMDY2YTJkMjE5OTBmYjkiLCAicmVkaXJlY3RfdG8iOiBudWxsfQ%3D%3D&response_type=code&scope=openid&client_id=11410b3b-3aa9-40f2-a58a-2e400b0f1147

The redirect uri should be something like this:

https%3A%2F%2Foffice.prishapolicy.com%2Fapi%2Fmethod%2Ffrappe.integrations.oauth2_logins.login_via_office365

Any help would be appreciated

1 Like

Quoting from azure docs : * Redirect URIs must begin with the scheme https . There are some exceptions for localhost redirect URIs.

Taken from : https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url

1 Like

This is the tutorial I followed, but all the video tutorials here are broken and the screenshots are also a bit outdated https://frappeframework.com/docs/v13/user/en/guides/deployment/how-to-enable-social-logins#office-365

Google also has the same issue

I finally kind of solved this by changing the site configurations of the erp installation.

Disclosure : I am an absolute beginner in ERPNext and this install has been hosted on azure using a bitnami installer, so your file structure and overall system might vary slightly.

But these are my two main config files which were used to fix the auth flow.

Site config:

Here is the key and value that I changed
“host_name”: “https://office.prishapolicy.com

Also in the Common site config :

Notice that i changed webserver_port from the default value of 8000 to an empty string. I don’t know if doing this was entirely safe but this was the only way to make the redirect_uri not mention the port number, I got the idea to do this from Google Settings Error: redirect_uri_mismatch and https://frappeframework.com/docs/v13/user/en/basics/site_config#mandatory-settings

I hope this helps someone who is stuck with this.

2 Likes

Yes, that worked. The key is the “host_name”: “https://office.prishapolicy.com" setting, other wise the local DNS setting is used, which in shared environments is not necessary the same as the registered domain!