Azure ad authentication not sending correct base URL #4120

Closed
drzippit opened this issue Jun 20, 2019 · 9 comments

@drzippit

ISSUE TYPE
  • Bug Report

SUMMARY

I've set the base URL to https://awx.myurl.com but when I try to authenticate with Azure AD (which shows the https:// url in the callback url) it sends the callback url as http://

ENVIRONMENT
  • AWX version: 4.0.0.0
  • AWX install method: docker on linux
  • Ansible version: 2.7.9
  • Operating System: Ubuntu 18.04
  • Web Browser: Firefox and Vivaldi

STEPS TO REPRODUCE

Set AWX base URL to https://awx.myurl.com, create Azure AD app. Go to Settings > Authentication. See the callback URL as https://, save and logout. On the login page click Login with Azure and get the following error:


Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'xxxxxxxxxxxx'. 

Then looking at the actual url I see that it sends the http:// url and not the https:// url

EXPECTED RESULTS

To be logged in via Azure AD SSO

ACTUAL RESULTS

Wrong callback URL sent.

ADDITIONAL INFORMATION

@ryanpetrello
Contributor

ryanpetrello commented Jun 21, 2019

@drzippit,

Are you running some sort of proxy in front of AWX? This looks like it could be a misconfiguration on your end.

@drzippit
Author

@ryanpetrello

I am. I have it behind an nginx reverse proxy. How would I go about correcting the config?

@ryanpetrello
Contributor

ryanpetrello commented Jun 21, 2019

@drzippit

The best answer is "it's complicated" (we don't currently have any official documentation on doing it, and given the number of variables it'll probably come down to just troubleshooting it - maybe there's a bug lurking under the surface somewhere?)

Have you tried seeing if anyone else has encountered this problem in our mailing list or IRC room?

http://webchat.freenode.net/?channels=ansible-awx
https://groups.google.com/forum/#!forum/awx-project

@drzippit
Author

@ryanpetrello I have not checked out the mailing list or IRC. I'll check them out.

It's possible for me to work without a reverse proxy if that enables me to use SSO. Is that answer less complicated?

@ryanpetrello
Contributor

ryanpetrello commented Jun 21, 2019

@drzippit,

Here's a similar issue, only with SAML, which might point you in the right direction:

#1016 (comment)

I suspect this will probably come down to some mixture of X-Forwarded-XXXXX header configuration necessary in nginx.

This Red Hat Ansible Tower documentation might be applicable, too: https://docs.ansible.com/ansible-tower/latest/html/administration/proxy-support.html

@piwi91

piwi91 commented Jun 24, 2019

@drzippit

We're running AWX behind an Nginx reverse proxy with Azure AD enabled. This is working fine after passing some headers to awx_web. This is our configuration to get it working:

server {
    listen      80;
    server_name awx.domain.tld;
    # Redirect all plain-HTTP requests to HTTPS.
    rewrite     ^  https://$host$request_uri? permanent;
}
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen              443 ssl;
    server_name         awx.domain.tld;
    ssl_certificate     /etc/pki/tls/certs/cert.pem;
    ssl_certificate_key /etc/pki/tls/private/cert.key;
    # TLSv1 and TLSv1.1 are deprecated, so only TLSv1.2 is offered.
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://127.0.0.1:8012;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Forward the scheme the client used (https) to awx_web.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        # WebSocket upgrade headers.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
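
Why forwarding X-Forwarded-Proto changes the callback URL, as an added Python example that is not part of the thread and is not AWX's code: the backend only sees plain HTTP from nginx, so it can learn the original scheme only from the forwarded header, and it should honour that header only when the request comes from the proxy. The callback path, trusted-proxy list, function names and the exact-match comparison are assumptions made for this illustration.

```python
from ipaddress import ip_address, ip_network

# All values below are constructed for this example, not taken from AWX.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32")]  # the nginx host in the config above
CALLBACK_PATH = "/sso/complete/example/"        # hypothetical callback path
REGISTERED_REPLY_URL = "https://awx.domain.tld" + CALLBACK_PATH


def effective_scheme(wire_scheme, headers, peer_addr):
    """Scheme the browser used. X-Forwarded-Proto is honoured only when the
    direct TCP peer is a trusted proxy; otherwise any client could set it."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    forwarded = hdrs.get("x-forwarded-proto", "").strip().lower()
    peer = ip_address(peer_addr)
    if forwarded in ("http", "https") and any(peer in n for n in TRUSTED_PROXIES):
        return forwarded
    return wire_scheme  # what the backend saw on its own socket


def callback_url(wire_scheme, headers, peer_addr):
    """Callback (reply) URL the backend would send to the identity provider."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = effective_scheme(wire_scheme, headers, peer_addr)
    return f"{scheme}://{hdrs['host']}{CALLBACK_PATH}"


def reply_url_matches(url):
    """Modelled as exact string comparison, so http:// never matches https://."""
    return url == REGISTERED_REPLY_URL


if __name__ == "__main__":
    cases = {
        "proxy, no forwarded headers": ({"Host": "awx.domain.tld"}, "127.0.0.1"),
        "proxy, X-Forwarded-Proto set": (
            {"Host": "awx.domain.tld", "X-Forwarded-Proto": "https"}, "127.0.0.1"),
        "untrusted peer sets the header": (
            {"Host": "awx.domain.tld", "X-Forwarded-Proto": "https"}, "203.0.113.7"),
    }
    for name, (headers, peer) in cases.items():
        # nginx reaches the backend over plain http (proxy_pass http://...),
        # so the scheme seen on the wire is always "http".
        url = callback_url("http", headers, peer)
        print(f"{name}: {url} -> match={reply_url_matches(url)}")
```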

@drzippit
Author

@piwi91 and @ryanpetrello,

Thank you both so much. It was indeed the headers that needed to be forwarded. Login now sends the HTTPS url.

Now I think I just have to map the accounts because I get the error "Your credentials aren't allowed. "

@svrraja

svrraja commented Jul 20, 2019

@piwi91 How did you pass the headers to awx_web?

@drzippit
Author

@svrraja
He literally posted his nginx reverse proxy config.
