[Bug] Microsoft Entra ID Error AADSTS50011 with OpenID authentication #4723

Open
gemnioo opened this issue Nov 18, 2024 · 20 comments
Labels
🐛 Bug Something isn't working | 缺陷

Comments

@gemnioo

gemnioo commented Nov 18, 2024

📦 Environment

Docker

📌 Version

lobehub/lobe-chat-database v1.31.10

💻 Operating System

Other Linux

🌐 Browser

Firefox

🐛 Bug Description

Follow this tutorial https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/microsoft-entra-id

I successfully added the Microsoft Entra ID info in the lobe-chat.env config, but it shows error Error AADSTS50011

Follow Microsoft docs https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50011-redirect-uri-mismatch#resolution

"On the app registration page, select Authentication. In the Platform configurations section, select Add URI to add the redirect URI displayed in the error message to Microsoft Entra ID."

I modify the Web Redirect URIs

image

But shows error like this

image

if click the Reload button

image

and clicking it loops back to the first Oops page.

the config in the lobe-chat.env like

NEXT_AUTH_SECRET=openssl rand -base64 32
NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id
AUTH_MICROSOFT_ENTRA_ID_ID=
AUTH_MICROSOFT_ENTRA_ID_SECRET=
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=
NEXTAUTH_URL= https://example.com/api/auth

I tried modifying NEXTAUTH_URL to end with /api/auth or with /api/auth/callback/microsoft-entra-id

The only difference was that "/api/auth/callback/microsoft-entra-id" reloads to the Sign in with Microsoft Entra ID page.
Please advise. Should I ADD the user "LobeChat" under Home -> Microsoft Entra ID -> App registrations -> Owner?

📷 Recurrence Steps

Docker deploy with

lobe-chat-database docker
pgvector/pgvector:pg17
Cloudflare R2 bucket
Microsoft Entra ID
"tailscale serve or tailscale funnel"

🚦 Expected Behavior

No response

📝 Additional Information

No response

@gemnioo gemnioo added the 🐛 Bug Something isn't working | 缺陷 label Nov 18, 2024
@github-project-automation github-project-automation bot moved this to Roadmap - Chat 1.x in Lobe Chat Routine Nov 18, 2024
@lobehubbot
Member

👀 @gemnioo

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
Thank you very much for submitting the issue. We will investigate the matter as soon as possible and reply to you promptly. Please make sure you have provided as much background information as possible.


dosubot bot commented Nov 18, 2024

I found a similar discussion and issue related to Microsoft Entra ID errors in Lobe Chat:

  1. A similar discussion titled "Problem Of Microsoft Entra ID :在zeabur平台上使用docker部署服务端数据库版本时使用Microsoft Entra ID部署时回调地址无响应" was resolved by correcting a domain error [1].
  2. A closed issue titled "[Bug] Microsoft Entra ID 身份验证服务报错" was resolved by addressing a Docker image problem [2].

For your specific issue with the AADSTS50011 error, here are some troubleshooting steps you can follow:

  1. Ensure Correct Redirect URI: Double-check that the redirect URI in your Microsoft Entra ID application matches exactly with the one specified in your lobe-chat.env file. It should be set to https://your-domain/api/auth/callback/microsoft-entra-id if that's the path your application uses [3].

  2. Modify Redirect URIs: If you haven't already, modify the Redirect URIs in the Microsoft Entra ID app registration to include the exact URI shown in the error message. This is crucial for resolving redirect URI mismatches [3].

  3. Check Environment Variables: Ensure that all environment variables in your lobe-chat.env file are correctly set, especially NEXTAUTH_URL, which should match the callback URL configured in your Microsoft Entra ID settings [3].

  4. Add Users: Adding "LobeChat" as an owner in the Microsoft Entra ID app registration is not typically necessary for resolving redirect URI issues. Focus on ensuring that the redirect URIs and environment variables are correctly configured.

By following these steps, you should be able to resolve the redirect URI mismatch error. If the issue persists, consider reviewing the Microsoft documentation for additional troubleshooting tips.

To continue talking to Dosu, mention @dosu.

@BrandonStudio
Contributor

NEXT_AUTH_SECRET should be a base64 string

@gemnioo
Author

gemnioo commented Nov 19, 2024

NEXT_AUTH_SECRET should be a base64 string

yep, I use the output of "openssl rand -base64 32" instead

@BrandonStudio
Contributor

What did it say in docker logs?

@gemnioo
Author

gemnioo commented Nov 19, 2024

What did it say in docker logs?

docker logs $(docker ps -a | grep lobe-chat-database | awk '{print $1}').

🌐 DNS Server: [ '127.0.0.11' ]
-------------------------------------
[Database] Start to migration...
✅ database migration pass.
-------------------------------------
  ▲ Next.js 14.2.8
  - Local:        http://localhost:3210
  - Network:      http://0.0.0.0:3210

 ✓ Starting...
 ✓ Ready in 119ms
[auth][error] MissingCSRF: CSRF token was missing during an action signin. Read more at https://errors.authjs.dev#missingcsrf
    at tR (/app/.next/server/chunks/38106.js:1:39757)
    at i0 (/app/.next/server/chunks/38106.js:368:52432)
    at async i2 (/app/.next/server/chunks/38106.js:368:56596)
    at async /app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
    at async doRender (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/server/base-server.js:1359:42)
    at async cacheEntry.responseCache.get.routeKind (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/server/base-server.js:1581:28)
    at async NextNodeServer.renderToResponseWithComponentsImpl (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/server/base-server.js:1489:28)
    at async NextNodeServer.renderPageComponent (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/server/base-server.js:1913:24)
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: u: JWTs must use Compact JWS serialization, JWT must be a string
    at /app/.next/server/chunks/38106.js:368:33665
    at iH (/app/.next/server/chunks/38106.js:368:34195)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async iz (/app/.next/server/chunks/38106.js:368:40333)
    at async i0 (/app/.next/server/chunks/38106.js:368:51902)
    at async i2 (/app/.next/server/chunks/38106.js:368:56596)
    at async /app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
    at async doRender (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/server/base-server.js:1359:42)

and

[auth][details]: {
 "provider": "microsoft-entra-id"
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: u: JWTs must use Compact JWS serialization, JWT must be a string
   at /app/.next/server/chunks/38106.js:368:33665
   at iH (/app/.next/server/chunks/38106.js:368:34195)
   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
   at async iz (/app/.next/server/chunks/38106.js:368:40333)
   at async i0 (/app/.next/server/chunks/38106.js:368:51902)
   at async i2 (/app/.next/server/chunks/38106.js:368:56596)
   at async /app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
   at async eC.execute (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
   at async eC.handle (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
   at async doRender (/app/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected][email protected][email protected][email protected]/node_modules/next/dist/server/base-server.js:1359:42)
[auth][details]: {
 "provider": "microsoft-entra-id"
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}

@gemnioo
Author

gemnioo commented Nov 19, 2024

The main one is "JWTs must use Compact JWS serialization, JWT must be a string"

looks like this error BerriAI/litellm#6793

https://authjs.dev/guides/refresh-token-rotation#jwt-strategy

@BrandonStudio
Contributor

What if removing NEXTAUTH_URL?

@BrandonStudio
Contributor

BTW, have you set APP_URL?

@gemnioo
Author

gemnioo commented Nov 19, 2024

Following the just-released tutorial, I switched the NextAuth method from Microsoft Entra ID to Cloudflare Zero Trust

https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust

I could log in successfully. It seems like this "JWTs must use Compact JWS serialization, JWT must be a string" error in the Microsoft Entra ID auth leads to this issue.

And I can confirm that "NEXTAUTH_URL=" in lobe-chat.env should end with "example.com/api/auth", and the Web Redirect URI in Microsoft Entra ID (the Callback URL, or "Platform configurations section, select Add URI to add the redirect URI") should end with "/api/auth/callback/microsoft-entra-id".

PS: someone needs to update the tutorial screenshot (the "/api/auth/callback/azure-ad" part needs updating).
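An added check, not code from the LobeChat project or from anyone in this thread, that derives the callback URL NextAuth sends for the `microsoft-entra-id` provider and compares it against the Web redirect URIs registered on the app, covering the dosubot steps and the confirmation above. The hostnames and registered URIs are constructed samples.

```python
from urllib.parse import urlparse

PROVIDER = "microsoft-entra-id"  # NextAuth provider id used in this thread


def expected_callback(nextauth_url: str, provider: str = PROVIDER) -> str:
    """Derive the callback URL NextAuth sends to Entra ID.

    NextAuth appends /callback/<provider> to NEXTAUTH_URL, and the thread
    confirms NEXTAUTH_URL should end in /api/auth. Surrounding whitespace is
    stripped because the .env in the report has a leading space in the value.
    """
    base = nextauth_url.strip().rstrip("/")
    if not base.endswith("/api/auth"):
        base += "/api/auth"
    return f"{base}/callback/{provider}"


def diagnose_mismatch(expected: str, registered: list[str]) -> list[str]:
    """Compare the derived callback with the Web redirect URIs on the app.

    Entra ID rejects a login with AADSTS50011 unless a registered URI is
    identical to the one sent, so an empty result means a match exists.
    Hosts are compared case-insensitively here; paths are compared exactly.
    """
    if expected in registered:
        return []
    e = urlparse(expected)
    findings = [f"no registered URI matches {expected} exactly"]
    for uri in registered:
        r = urlparse(uri)
        if r.scheme != e.scheme:
            findings.append(f"{uri}: scheme {r.scheme!r} != {e.scheme!r}")
        if r.netloc.lower() != e.netloc.lower():
            findings.append(f"{uri}: host {r.netloc!r} != {e.netloc!r}")
        if r.path.rstrip("/") == e.path.rstrip("/") and r.path != e.path:
            findings.append(f"{uri}: differs only by a trailing slash")
        elif r.path.endswith("/callback/azure-ad"):
            findings.append(f"{uri}: uses the old azure-ad provider path; "
                            f"register .../callback/{PROVIDER} instead")
        elif r.path != e.path:
            findings.append(f"{uri}: path {r.path!r} != {e.path!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the thread's setup (not a real tailnet).
    derived = expected_callback("https://name.tailnet_name.ts.net/api/auth")
    for line in diagnose_mismatch(derived, [
        "https://name.tailnet_name.ts.net/api/auth/callback/azure-ad",
    ]):
        print(line)
```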

@BrandonStudio
Contributor

It's weird because I have just tried logging in to my deployment and succeeded. My deployment is on Vercel, but I don't think that makes any difference. Besides,

  • I use the latest version
  • I do not set NEXTAUTH_URL

@gemnioo
Author

gemnioo commented Nov 19, 2024

It's weird because I have just tried logging in to my deployment and succeeded. My deployment is on Vercel, but I don't think that makes any difference. Besides,

* I use the latest version

* I do not set `NEXTAUTH_URL`

Okay, I will try again without setting "NEXTAUTH_URL" in the next few days, with the lobehub/lobe-chat-database image update.

@gemnioo
Author

gemnioo commented Nov 20, 2024

@BrandonStudio

I tried lobehub/lobe-chat-database [v1.32.2] and removed NEXTAUTH_URL. The login error is shown below, and "docker logs -f lobe-chat-database" looks good to me. IMO it's the JWS serialization error https://authjs.dev/guides/refresh-token-rotation#jwt-strategy

If I keep NEXTAUTH_URL:
same as the initial error

If I remove NEXTAUTH_URL:
it jumps to "https://0.0.0.0:3210/api/auth/error?error=Configuration"

image

@cy948
Contributor

cy948 commented Nov 20, 2024

@EINDEX Hi, can you help this?

@cy948
Contributor

cy948 commented Nov 20, 2024

CSRF error see #3991

@EINDEX
Contributor

EINDEX commented Nov 23, 2024

Hi @gemnioo

You are using https with IP 0.0.0.0, which seems strange, what is your redirect URL on Azure side?

For a localhost server with MS Entra ID SSO, if nextauth_url is the default value, the redirect URL should be set to http://localhost:3210/api/auth/callback/microsoft-entra-id.

@gemnioo
Author

gemnioo commented Nov 23, 2024

Hi @gemnioo

You are using https with IP 0.0.0.0, which seems strange, what is your redirect URL on Azure side?

For a localhost server with MS Entra ID SSO, if nextauth_url is the default value, the redirect URL should be set to http://localhost:3210/api/auth/callback/microsoft-entra-id.

On the Azure side the Web redirect URL is https://name.tailscale_tailnet_name.ts.net/api/auth/callback/microsoft-entra-id

In lobe-chat.env, NEXTAUTH_URL=https://name.tailscale_tailnet_name.ts.net/api/auth

I use tailscale funnel --bg 3210 or tailscale serve --bg 3210 to expose lobechat on the Internet or within the Tailnet

As shown in the update tutorial image request I raised under your PR, #4168 (comment)

@EINDEX
Contributor

EINDEX commented Nov 25, 2024

Hi @gemnioo

I am using this configuration with the ts net command, which is running well; I cannot reproduce your error.

I suggest using an incognito window to try again.

tailscale serve http://localhost:3210
docker run -it --rm \
  -e KEY_VAULTS_SECRET=<secret> \
  -e NEXTAUTH_URL=https://<name>.<ts-net>.ts.net/api/auth  \
  -e NEXT_AUTH_SECRET=<secret> \
  -e NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id \
  -e AUTH_MICROSOFT_ENTRA_ID_SECRET= \
  -e AUTH_MICROSOFT_ENTRA_ID_ID= \
  -e AUTH_MICROSOFT_ENTRA_ID_ISSUER= \
  -e ACCESS_CODE=disable \
  -e NEXTAUTH_SECRET= \
  -e ENABLE_OAUTH_SSO=1 \
  -e APP_URL=https://<name>.<ts-net>.ts.net/ \
  -p 3210:3210  lobehub/lobe-chat
image

@gemnioo
Author

gemnioo commented Nov 25, 2024

@EINDEX A quick deploy during lunch break on another device with "--network host", linked to the tailnet pgvector db, still shows Error AADSTS50011 in incognito mode.

Screenshot 2024-11-25

docker command

docker run -it -d \
  -p 3210:3210 \
  --network host \
  --env-file lobe-chat.env \
  --name lobe-chat-database \
  lobehub/lobe-chat-database

lobe-chat.env

FEATURE_FLAGS="-welcome_suggest"
APP_URL=https://name.tailnet_name.ts.net
DATABASE_URL=postgres://postgres:[email protected]:5432/postgres   \\example
KEY_VAULTS_SECRET=
NEXT_AUTH_SECRET=
NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id
AUTH_MICROSOFT_ENTRA_ID_ID=
AUTH_MICROSOFT_ENTRA_ID_SECRET=
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=
NEXTAUTH_URL=https://name.tailnet_name.ts.net/api/auth
S3_ACCESS_KEY_ID= 
S3_SECRET_ACCESS_KEY= 
S3_BUCKET=lobechat
S3_ENDPOINT=https://   .r2.cloudflarestorage.com
S3_PUBLIC_DOMAIN=https://      .r2.dev
OPENAI_API_KEY=PASSWORD
OPENAI_PROXY_URL=http://100.100.100.100/chat/completions  \\example

VDS logs check

root@device:~# docker image pull lobehub/lobe-chat-database:latest
latest: Pulling from lobehub/lobe-chat-database
74f6cce96022: Pull complete
Digest: sha256:e3e87bc6a99540d384b460301f4f939279fec133d67613fe4c88cdcbef15df83
Status: Downloaded newer image for lobehub/lobe-chat-database:latest
docker.io/lobehub/lobe-chat-database:latest
root@device:~# docker run --rm \
  -d -p 14321:8080 \
  -v "${PWD}/searxng:/etc/searxng" \
  -e "BASE_URL=http://localhost:14321/" \
  -e "INSTANCE_NAME=searxng" \
  searxng/searxng
4f854452a214baf7d18f085b1ded82f82a2d81ccb26090814a8c2f496dbb4b4f

root@device:~# nano lobe-chat.env
root@device:~# cat lobe-chat.env
FEATURE_FLAGS="-welcome_suggest"
APP_URL=https://name.tailnet_name.ts.net
DATABASE_URL=postgres://postgres:[email protected]:5432/postgres
KEY_VAULTS_SECRET=
NEXT_AUTH_SECRET=
NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id
AUTH_MICROSOFT_ENTRA_ID_ID=
AUTH_MICROSOFT_ENTRA_ID_SECRET=
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=
S3_ACCESS_KEY_ID=
S3_SECRET_ACCESS_KEY=
S3_BUCKET=lobechat
S3_ENDPOINT=https://    .r2.cloudflarestorage.com
S3_PUBLIC_DOMAIN=https://  .r2.dev
OPENAI_API_KEY=
OPENAI_PROXY_URL=http://100.100.100.100/chat/completions
root@device:~# docker run -it -d \
  -p 3210:3210 \
  --network host \
  --env-file lobe-chat.env \
  --name lobe-chat-database \
  lobehub/lobe-chat-database
WARNING: Published ports are discarded when using host network mode
7a5c50340141059d72c73a6735d59cfb98a2de0e56920affee2b5f1ca362fea6
root@device:~# docker logs -f lobe-chat-database
🌐 DNS Server: [ '1.1.1.1', '8.8.8.8' ]
-------------------------------------
[Database] Start to migration...
✅ database migration pass.
-------------------------------------
  ▲ Next.js 14.2.8
  - Local:        http://localhost:3210
  - Network:      http://0.0.0.0:3210

 ✓ Starting...
 ✓ Ready in 101ms
^C
