Redirect to a subdomain mapped to a private IP's SSL doesn't seem to work in a Django app

[anjanesh]

I have a temp / fake sub-domain uat-project.domain.com which I've mapped to the IP in my hosts file.
The IP is not a public IP but a private one.
My DevOps guy created SSL for it so https://uat-project.domain.com works on my laptop.
But post logging in using Active Directory login, it doesn't seem to redirect to https://uat-project.domain.com/auth/redirect

AADSTS50011: The redirect URI 'http://uat-project.domain.com/auth/redirect' specified in the request does not match the redirect URIs configured for the application 'xxxx-xxxx-xxxx-xxx-xxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

I added https://uat-project.domain.com/auth/redirect to App Registrations > ProjectName > Authentication

Why is AD trying to redirect to a http one and not an https one ?

[rayluo]

We haven't tested it using httpS while running locally. But if you actually have httpS://uat-project.domain.com working on your laptop, please make sure you visit your local website using httpS rather than http, and try it again.

Specifically, the redirect URI is automatically detected by this sample in this line. You may somehow print or log the value of the redirect uri for troubleshooting.

[anjanesh]

This is not on localhost - but on our Azure VM which doesn't have a public IP - the private IP is mapped to the domain uat-project.domain.com in my hosts file for which SSL is configured for uat-project.domain.com - but inspite of going to httpS://uat-project.domain.com and login, it still tries to redirect to http://uat-project.domain.com/auth/redirect (not https).

[rayluo]

Like I mentioned in my earlier post here, when in doubt, you can always print the output of Flask's url_for(...) in this line, and examine whether it contains httpS. If it was indeed the culprit, then you can find more hint from here.

[anjanesh]

I'm using it in Django 4.2.6 : D:\workspace\django\projectName\env\Lib\site-packages\ms_identity_web\django

__init__.py
adapter.py
middleware.py
msal_views_and_urls.py

[rayluo]

Hmm, we do not currently have a Django sample. But I think you can simply double check what URL your web app feeds into our underlying API. For example, this was how we did it in this Flask-powered sample. You shall make sure your Django-powered app will also feed the right redirect uri (i.e., with httpS) into the underlying API.

[anjanesh]

But what I installed as pip install git+https://github.com/azure-samples/ms-identity-python-utilities@main - this works in Django on my localhost.

[Anyel-ec]

Azure Active Directory (AAD) expects the redirect URL to be a secure (HTTPS) URL for security reasons. If you're experiencing an AAD HTTPS redirect error, it's likely that your application configuration in Azure AD is not configured to use HTTPS.

[anjanesh]

I have already added https link to the redirect input

[anjanesh]

Solved this after a long time via https://forum.djangoproject.com/t/request-scheme-is-not-honoring-https/25099/2.

On my server, the django server was running behind an NGINX acting as a proxy which was causing Django not to recognize that the server is on https.

All I had to do was this in my django's settings.py file :

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

This one-line of missing code caused a whole lot of debugging.