I am developing a Python/Flask application and I want to use OAuth for signing in. My employer uses Azure Active Directory so I am trying to integrate with it as an OAuth provider.
I am not an Azure tenant administrator.
I created an App Registration and set up my code following Microsoft's documentation, but I am the only person who can successfully sign in to the app.
I am constructing my authorization URL like this (I have the correct tenant name, client id, and redirect URI in my code):
```python
import urllib.parse
import uuid

# Authorization endpoint for my tenant (the host here is the one I am using)
authorization_endpoint = 'https://login.microsoft.com/my-tenant.onmicrosoft.com/oauth2/authorize'

# Query parameters for an OpenID Connect implicit flow returning an id_token
query = {
    'client_id': 'my-client-id',
    'nonce': str(uuid.uuid4()),        # fresh per request, echoed back in the id_token
    'redirect_uri': 'https://my-app.example.com/authorize',
    'response_mode': 'form_post',      # id_token is POSTed back to redirect_uri
    'response_type': 'id_token',
    'scope': 'openid',
    'state': str(uuid.uuid4())         # fresh per request, echoed back in the POST
}
authorization_url = f'{authorization_endpoint}?{urllib.parse.urlencode(query)}'
```
When I personally test signing in to the app, everything works fine. But when anyone else tries, they visit the authorization URL, sign in with their credentials, and then get a page with this error:
AADSTS165000: Invalid Request: The request tokens do not match the user context. Do not copy the user context values (cookies; form fields; headers) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Token values do not match;]
Why does it work for me and for no one else?
The authorization endpoint is wrong. It should be https://login.microsoftonline.com/... instead of https://login.microsoft.com/....
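A corrected request builder for the asker's flow, added here as an example (it is not the asker's code or Microsoft's): it targets login.microsoftonline.com as the answer says, generates a fresh state and nonce per login so each callback is bound to the session that started it, and checks the posted state against that session on the form_post callback. The tenant, client id and redirect URI are the placeholders from the question.

```python
import hmac
import secrets
import urllib.parse

# Per the answer, Azure AD authorization requests go to login.microsoftonline.com
AUTHORITY_HOST = 'login.microsoftonline.com'

def build_authorization_request(tenant, client_id, redirect_uri):
    """Return (url, state, nonce) for a v1 authorize request.

    state and nonce are fresh per login and must be stored in the same user's
    session so the form_post callback can be tied back to that session.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    endpoint = f'https://{AUTHORITY_HOST}/{tenant}/oauth2/authorize'
    query = {
        'client_id': client_id,
        'nonce': nonce,
        'redirect_uri': redirect_uri,
        'response_mode': 'form_post',
        'response_type': 'id_token',
        'scope': 'openid',
        'state': state,
    }
    return f'{endpoint}?{urllib.parse.urlencode(query)}', state, nonce

def uses_expected_authority(url):
    """True only when the URL targets the expected Azure AD host over HTTPS."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == 'https' and parts.netloc == AUTHORITY_HOST

def query_params(url):
    """Single-valued dict of the URL's query string (debug/test helper)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))

def callback_state_matches(form, session):
    """Constant-time check that the posted state is the one this session issued.

    form and session are plain dicts here; Flask's request.form and session
    behave the same. A mismatch means the response belongs to another flow.
    """
    expected = session.get('oauth_state')
    returned = form.get('state')
    if not expected or not returned:
        return False
    return hmac.compare_digest(expected, returned)
```

In the Flask app, store the returned state and nonce in `session` before redirecting, and on the callback reject the POST when `callback_state_matches` is False before touching the id_token.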