ERPNext.com Frappe Cloud Support Partners Foundation Frappe School

Social Login Office 365 AADSTS50011

I follow the instructions on https://frappe.io/docs/user/en/guides/deployment/how-to-enable-social-logins
but I have a problem erro on return URL
“AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: …”

I have check the same URL URI return https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=https%3A%2F%2Ferpnext.mntb.org.br%2Fapi%2Fmethod%2Ffrappe.integrations.oauth2_logins.login_via_office365&state=eyJzaXRlIjo....aaa&response_type=code&scope=openid&client_id=5613b138-d693-4fba-adbc-8c4c7d33c679&sso_reload=true

I do not know how to resolve this problem.

Any one can help me?

1 Like

We are encountering the same issue.

1 Like

I check and the URI on azure was wrong. I fix and now I have thi error

Server Error
Traceback (most recent call last):
File “/home/frappe/frappe-bench/apps/frappe/frappe/app.py”, line 60, in application
response = frappe.api.handle()
File “/home/frappe/frappe-bench/apps/frappe/frappe/api.py”, line 55, in handle
return frappe.handler.handle()
File “/home/frappe/frappe-bench/apps/frappe/frappe/handler.py”, line 22, in handle
data = execute_cmd(cmd)
File “/home/frappe/frappe-bench/apps/frappe/frappe/handler.py”, line 61, in execute_cmd
return frappe.call(method, **frappe.form_dict)
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 1042, in call
return fn(*args, **newargs)
File “/home/frappe/frappe-bench/apps/frappe/frappe/integrations/oauth2_logins.py”, line 28, in login_via_office365
login_via_oauth2_id_token(“office_365”, code, state, decoder=decoder_compat)
File “/home/frappe/frappe-bench/apps/frappe/frappe/utils/oauth.py”, line 116, in login_via_oauth2_id_token
info = get_info_via_oauth(provider, code, decoder, id_token=True)
File “/home/frappe/frappe-bench/apps/frappe/frappe/utils/oauth.py”, line 148, in get_info_via_oauth
frappe.throw(_(“Email not verified with {0}”).format(provider.title()))
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 364, in throw
msgprint(msg, raise_exception=exc, title=title, indicator=‘red’)
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 350, in msgprint
_raise_exception()
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 316, in _raise_exception
raise raise_exception(msg)
frappe.exceptions.ValidationError: E-mail não verificado com Office_365

how can I resolve this?

Hi @Rodrigo_Rafael,

We manage to fix it by going in Azure-> App Registration->Token Configuration and choose Add optional claim and select email for all 3 Access, Token, SAML might work with just one but have not tested

Alex

1 Like

Ok, thankyou!!
It is working now!!

But how can I configure the default user permitions for new users with social login?

Update field, “Default Role at Time of Signup” on “Portal Settings” Page

Hi, I am having the same issue as you are having.

I tried providing the following URL where {{ domain }} is “hundredeyes.frappe.cloud”.

  1. https://hundredeyes.frappe.cloud/desk
  2. https://hundredeyes.frappe.cloud/#login/api/method/frappe.www.login.login_via_office365
  3. https://hundredeyes.frappe.cloud/api/method/frappe.www.login.login_via_office365

I’ve provided the Client_ID and Client Secret under Social login keys but I am still getting the URL’s not matched error.

PFA my settings:

Can you please guide me to correctly configure this, any help would be appreciated.

Regards,
Rahul

check the url of the social login button,
does it have http or https in redirect_uri query param?

if it is http then you need to set “host_name”: “https://your.site.domain” in site_config.json.

Looking at the Social Login details - the redirect URI/reply URL on Azure AD side should be:

https://your.site.domain/api/method/frappe.integrations.oauth2_logins.login_via_office365

After getting this corrected I’m now faced with…

KeyError: ‘Decoder failed to handle access_token with data as returned by provider. A different decoder may be needed.’

This looks like an issue with python3? Similar issue happening here with Box’s API but I haven’t looked too much more into the issue on ERPNext side and how it handles this.

For Python 3, the bytes response has to be decoded first. You can do that by passing it a custom decoder:

import json

def new_decoder(payload):
    return json.loads(payload.decode('utf-8'))

session = box_storage.get_auth_session(data=data, decoder=new_decoder)

The decoder_compat is already used

Any update on this? I have the same issue and I have updated site_config to my URL and still not working

Im getting this error
KeyError: ‘Decoder failed to handle access_token with data as returned by provider. A different decoder may be needed. Provider returned: b’{“error”:“invalid_client”,“error_description”:“AADSTS500112: The reply address \‘https://nrrderp.westus2.cloudapp.azure.com:8000/api/method/frappe.integrations.oauth2_logins.login_via_office365\’ does not match the reply address \‘https://nrrderp.westus2.cloudapp.azure.com/api/method/frappe.integrations.oauth2_logins.login_via_office365\’ provided when requesting Authorization code.\\r\\nTrace ID: 6bf8918a-c866-482c-bb8d-ace390b5d000\\r\\nCorrelation ID: cef26cbf-e7e6-4450-a717-48a652655d5d\\r\\nTimestamp: 2021-09-29 18:10:49Z”,“error_codes”:[500112],“timestamp”:“2021-09-29 18:10:49Z”,“trace_id”:“6bf8918a-c866-482c-bb8d-ace390b5d000”,“correlation_id”:“cef26cbf-e7e6-4450-a717-48a652655d5d”}’’

The return URL from ERP NEXT is not the same from Azure. If I change the azure one to :8000 will not recogfnize since is not the default port.

Any ideas on how to change the response URL?

your redirect uri has mismatch.

the one registered on Microsoft end needs to be exactly the same that is used in request.

one has the port 8000 and other doesn’t

if you’re in production mode, no need to use :8000

Just validated - only email for Token type of ID needs to be added

  1. image