OpenID Connect not working because of wrong redirect URI http/https

Kernos

Hello

Our Apache httpd service is working with redirection to https; it redirects several webapps like KNIME and Keycloak, no problems so far.
Now we must change to OAuth / OpenID for authentication (login.microsoftonline.com).
In KNIME we defined 2 groups that the user/consumer can connect to, and only if the user is a member of one of those groups is he allowed to connect.
After successful authorization, the error message is:

AADSTS50011: The redirect URI 'http://webserver/knime_cloud/' specified in the request does not match the redirect URIs configured for the application '3904d*'.
Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.
Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

The registered URL (and only this URL works) is: https://webserver/knime_cloud
We cannot change the URL to http://webserver/knime_cloud

I installed tshark on the KNIME server and monitored the packets that came from the webserver when accessing the KNIME logon page.
webserver is a substitute for the real hostname!

tshark16.txt________________________________________________________________________________

Hypertext Transfer Protocol

GET /knime_cloud/webportal/_login/_nuxt/login_config.json HTTP/1.1\r\n

Host: webserver\r\n

Referer: https://webserver/knime_cloud/webportal/\r\n
...
x-forwarded-proto: https\r\n
...
[Full request URI: http://webserver/knime_cloud/webportal/_login/_nuxt/login_config.json]
[HTTP request 1/1]

__________________________________________________________________________________________

ssl.conf__________________________________________________________________________________
<VirtualHost _default_:443>
...
RewriteEngine On
#RewriteOptions InheritBefore
RewriteCond %{HTTPS} on
RewriteRule .* - [E=REQUEST_SCHEME:https]
ServerName webserver:443
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "/etc/httpd/ssl_certificates/webserverpem.pem"
SSLCertificateKeyFile "/etc/httpd/ssl_keys/webserverkey.key"


<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Ssl: on
RequestHeader set X-Url-Scheme: https
...
</VirtualHost>
__________________________________________________________________________________________

Although there are rewrite rules for http to https, they do not apply to the 'Full request URI' mentioned in tshark16.txt.

Which changes must be made to the Apache httpd configuration for the 'Full request URI' to start with https?
This is probably the setting the MS OpenID Connect server is complaining about.

thanks in advance
Greetings kernos
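
An added diagnostic sketch, not part of the original post and not KNIME's or Apache's code: it rebuilds the external URL from the headers in the tshark capture, with and without honouring `X-Forwarded-Proto`, and compares the redirect URI from the AADSTS50011 message with the registered one. The function names and the assumption that the backend derives its redirect URI from the request scheme are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed from values quoted in the post: the captured request headers,
# the redirect URI in the AADSTS50011 message, and the registered URI.
CAPTURED_HEADERS = {"Host": "webserver", "X-Forwarded-Proto": "https"}
SENT_REDIRECT_URI = "http://webserver/knime_cloud/"
REGISTERED_REDIRECT_URI = "https://webserver/knime_cloud"


def external_base(headers, context_path, trust_forwarded):
    """Rebuild the externally visible base URL as a backend behind a
    TLS-terminating proxy might (assumed logic, for illustration).

    The proxy-to-backend hop is plain HTTP, so the scheme the backend
    observes is 'http' unless it honours the forwarded header. Only honour
    that header when the request really comes from the trusted proxy.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"
    if trust_forwarded:
        # First value wins in case several proxies appended their own.
        fwd = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if fwd in ("http", "https"):
            scheme = fwd
    return f"{scheme}://{h['host']}{context_path}"


def redirect_uri_diff(sent, registered):
    """Return the URL components in which two redirect URIs differ."""
    a, b = urlsplit(sent), urlsplit(registered)
    diffs = {}
    for name in ("scheme", "netloc", "path", "query"):
        if getattr(a, name) != getattr(b, name):
            diffs[name] = (getattr(a, name), getattr(b, name))
    return diffs


if __name__ == "__main__":
    for trust in (False, True):
        print("trust forwarded header:", trust, "->",
              external_base(CAPTURED_HEADERS, "/knime_cloud/", trust))
    print(redirect_uri_diff(SENT_REDIRECT_URI, REGISTERED_REDIRECT_URI))
```

Run against the values in the post, the comparison reports two differing components: the scheme and the trailing slash in the path.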
 