[Bug] Microsoft Entra ID Error AADSTS50011 with OpenID authentication #4723
Comments
👀 @gemnioo Thank you for raising an issue. We will investigate the matter and get back to you as soon as possible.
I found a similar discussion and issue related to Microsoft Entra ID errors in Lobe Chat:
For your specific issue with the AADSTS50011 error, here are some troubleshooting steps you can follow:
By following these steps, you should be able to resolve the redirect URI mismatch error. If the issue persists, consider reviewing the Microsoft documentation for additional troubleshooting tips.
yep I use "openssl rand -base64 32" instead
What did it say in docker logs?
docker logs $(docker ps -a | grep lobe-chat-database | awk '{print $1}').
and
the main "JWTs must use Compact JWS serialization, JWT must be a string" looks like this error BerriAI/litellm#6793 https://authjs.dev/guides/refresh-token-rotation#jwt-strategy
What if removing
BTW, have you set
Following the just-released tutorial and switching the NextAuth method from Microsoft Entra ID to Cloudflare Zero Trust https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust, I could log in successfully. It seems like this "JWTs must use Compact JWS serialization, JWT must be a string" error in Microsoft Entra ID auth leads to this issue. And I can confirm the "NEXTAUTH_URL=" in lobe-chat.env should end with "example.com/api/auth", and the Web Redirect URIs in Microsoft Entra ID (Callback URL, or "Platform configurations section, select Add URI to add the redirect URI") should end with "/api/auth/callback/microsoft-entra-id". PS: someone needs to update the tutorial screenshot (it needs to replace "/api/auth/callback/azure-ad").
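The two rules stated in the comment above (NEXTAUTH_URL ends with /api/auth, the Entra redirect URI ends with /api/auth/callback/microsoft-entra-id) can be checked mechanically before touching the portal. The script below is an added example written for this thread, not code from LobeChat or Auth.js: it derives the callback URL that NextAuth will send as redirect_uri from a given NEXTAUTH_URL and compares it against the list of redirect URIs registered on the app registration. It assumes an exact string comparison (the conservative reading of an AADSTS50011 "mismatch"), and the hint heuristics (trailing slash, scheme, host, legacy azure-ad path) are my own additions. The sample URLs are constructed from the placeholders used in this issue.

```python
"""Added example (not from the issue or the project): compare the callback URL
NextAuth derives from NEXTAUTH_URL with the redirect URIs registered in Entra ID.

Assumptions, not facts from the thread:
  * exact string match is required (conservative reading of AADSTS50011)
  * the hint heuristics below are illustrative, not an exhaustive list
"""
from urllib.parse import urlparse, urlunparse

PROVIDER_ID = "microsoft-entra-id"  # provider segment seen in the thread's callback path
LEGACY_PROVIDER_ID = "azure-ad"     # older path shown in the outdated tutorial screenshot


def expected_callback_url(nextauth_url: str, provider_id: str = PROVIDER_ID) -> str:
    """Return <NEXTAUTH_URL>/callback/<provider_id>, insisting that NEXTAUTH_URL
    is absolute and ends with /api/auth (a trailing slash is tolerated)."""
    u = urlparse(nextauth_url.strip())
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError(f"NEXTAUTH_URL must be an absolute http(s) URL, got {nextauth_url!r}")
    base = u.path.rstrip("/")
    if not base.endswith("/api/auth"):
        raise ValueError(f"NEXTAUTH_URL should end with /api/auth, got path {u.path!r}")
    return urlunparse((u.scheme, u.netloc, f"{base}/callback/{provider_id}", "", "", ""))


def check_redirect_uris(nextauth_url: str, registered: list[str]) -> dict:
    """Report whether the derived callback URL is registered; if not, explain
    the most likely reason for each registered URI that almost matches."""
    expected = expected_callback_url(nextauth_url)
    if expected in registered:
        return {"expected": expected, "ok": True, "hints": []}

    hints = []
    pe = urlparse(expected)
    for r in registered:
        pr = urlparse(r)
        if r.rstrip("/") == expected.rstrip("/"):
            hints.append(f"{r}: trailing-slash difference")
        elif r.lower() == expected.lower():
            hints.append(f"{r}: letter-case difference")
        elif pr.scheme != pe.scheme and (pr.netloc, pr.path) == (pe.netloc, pe.path):
            hints.append(f"{r}: scheme differs ({pr.scheme} vs {pe.scheme})")
        elif pr.netloc == pe.netloc and pr.path.endswith(f"/callback/{LEGACY_PROVIDER_ID}"):
            hints.append(f"{r}: uses legacy provider path /callback/{LEGACY_PROVIDER_ID}")
        elif pr.netloc != pe.netloc:
            hints.append(f"{r}: host differs ({pr.netloc} vs {pe.netloc})")
        else:
            hints.append(f"{r}: path differs ({pr.path} vs {pe.path})")
    return {"expected": expected, "ok": False, "hints": hints}


if __name__ == "__main__":
    # Constructed values mirroring the placeholders used in this issue.
    env_url = "https://name.tailscale_tailnet_name.ts.net/api/auth"
    portal = ["https://name.tailscale_tailnet_name.ts.net/api/auth/callback/azure-ad"]
    print(check_redirect_uris(env_url, portal))
```

Run it with the NEXTAUTH_URL from lobe-chat.env and the redirect URIs copied from the app registration's Authentication page; an "ok": False result with a hint pointing at the legacy azure-ad path is exactly the mismatch the outdated screenshot produces.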
It's weird because I have just tried logging in to my deployment and succeeded. My deployment is on Vercel, but I don't think that makes any difference. Besides,
okay, I will try again without setting "NEXTAUTH_URL" in the next few days with the lobehub/lobe-chat-database image update.
I tried the lobehub/lobe-chat-database [v1.32.2] and removed NEXTAUTH_URL. The login error is shown below, and "docker logs -f lobe-chat-database" looks good to me. IMO it's the JWS serialization error https://authjs.dev/guides/refresh-token-rotation#jwt-strategy
If NEXTAUTH_URL is kept:
If NEXTAUTH_URL is removed:
@EINDEX Hi, can you help with this?
CSRF error, see #3991
Hi @gemnioo You are using https with IP 0.0.0.0, which seems strange. What is your redirect URL on the Azure side? For a localhost server with MS Entra ID SSO, if nextauth_url is the default value, the redirect URL should be set to
On the Azure side the Web redirect URL is https://name.tailscale_tailnet_name.ts.net/api/auth/callback/microsoft-entra-id. In lobe-chat.env, NEXTAUTH_URL=https://name.tailscale_tailnet_name.ts.net/api/auth. I use tailscale funnel --bg 3210 or tailscale serve --bg 3210 to expose LobeChat on the Internet or within the Tailnet, as shown in the update tutorial image request I raised under your PR, #4168 (comment)
Hi @gemnioo I am using this configuration with ts net command which is running well, cannot reproduce your error. I suggest using an incognito window to try again.
@EINDEX Lunch-break quick deploy on another device with "--network host" linked to the tailnet pgvector db. It still shows Error AADSTS50011 in incognito mode. docker command
lobe-chat.env
VDS logs check
📦 Environment
Docker
📌 Version
lobehub/lobe-chat-database v1.31.10
💻 Operating System
Other Linux
🌐 Browser
Firefox
🐛 Bug Description
Follow this tutorial https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/microsoft-entra-id
I successfully added the Microsoft Entra ID info to the lobe-chat.env config, but it shows Error AADSTS50011
Follow Microsoft docs https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50011-redirect-uri-mismatch#resolution
"On the app registration page, select Authentication. In the Platform configurations section, select Add URI to add the redirect URI displayed in the error message to Microsoft Entra ID."
I modified the Web Redirect URIs
But it shows an error like this
if I click the Reload button
and clicking loops back to the first Oops page.
the config in lobe-chat.env looks like
I tried modifying NEXTAUTH_URL with an /api/auth ending or
/api/auth/callback/microsoft-entra-id. The only difference was that "/api/auth/callback/microsoft-entra-id" reloads to the Sign in with Microsoft Entra ID page. Please advise. Should I add the user "LobeChat" under Home -> Microsoft Entra ID -> App registrations -> Owner?
📷 Recurrence Steps
Docker deploy with
lobe-chat-database docker
pgvector/pgvector:pg17
Cloudflare R2 bucket
Microsoft Entra ID
"tailscale serve or tailscale funnel"
🚦 Expected Behavior
No response
📝 Additional Information
No response