Microsoft auth by connected app -> How to add login button?

keihkhl · October 11, 2024, 2:15am

Following the instruction ( [Tutorial] Connecting Frappe/ERPNext to Microsoft 365 mail services OAuth - Frappe Framework - Frappe Forum), I was able to add Microsoft Auth to my ERPNext websites.

To further test, I’d like to add this login option available on the login page, but have no clue how to do so.

python_a · October 11, 2024, 2:22am

Go to the Social Login Key Doc

Enable the Social login

keihkhl · October 11, 2024, 2:28am

@python_a Thx. But This looks like I set up new auth, isn’t it?
Shouldn’t I add Client URL’s redirect URL to Azure’s Authentication Web Redirect URIs?

keihkhl · October 11, 2024, 2:37am

This has two bounded issues to me.

The client URLs’ Redirect URL looks following

/api/method/frappe.integrations.oauth2_logins.login_via_office365

Then, when I do try login via Office365, as expected I get an error that the redirect url is not added to Azure registration.

AADSTS50011: The redirect URI ‘mywebsite.com - This website is for sale! - mywebsite Resources and Information.’ specified in the request does not match the redirect URIs configured for the application

The issue here is that
A. It has ‘http’, instead of ‘https’, so I cannot add this URL to Azure’s redirect URI list.
B. I also had to change the ‘http’ to ‘https’ for Microsoft 365 mail OAuth at DB level in tabConnectedApp, I was going to do the same for Social Auth, but the Social Auth’s redirect URL is relative, so I cannot change the value.

I have proxy Nginx server that terminates SSL handshake and forward the traffic to backend by http. Changing this for two ERPNext tenants with different domains will create another problems with double SSL auth. There must be easier solution.

keihkhl · October 11, 2024, 2:45am

I manually changed the Redirect URL in tabSocialLoginKey, then I end up with email not verified with Office 365 error.

I followed instructions from this link - Login with Office 365: Email not verified - Integration - Frappe Forum, and added optional claim for email for all three token types (ID, Access, SAML).

Now it works.

revant_one · October 11, 2024, 4:28am

Add 2 redirect uri on azure end, you can use same client.

You’ll need to add same client in 2 places. Only redirect uri is different.

Post about host_name How to configure microsoft account by oauth in erpnext - #12 by revant_one

keihkhl · October 11, 2024, 8:02am

Yup I can see both works with multiple Redirect URLs. I actually use the same tactic with multiple applications in my websites. Adding two more wasn’t an issue.

spandit230496 · October 17, 2024, 4:21pm

Try This Detailed Process ,if you still needs any help

https://www.notion.so/Add-Social-Login-Active-Directory-122743464d648044b580f6e35e42525d