Azure SSO
# support
c
Curious if there are any docs specific to Azure SSO. Or do we feel that OAuth2 is the base that we would need? With that, is there any issue if our internal users are signing in with one provider, and the external users (mobile) are signing in with another?
r
OAuth2 should be the base needed, but let us know if there are any elements specific to Azure that our users should be aware of. We're happy to add a doc.
There shouldn't be any issues with using different identity providers, from the Medplum perspective. You'll just have to use 2 different ClientApplications, each with their own identity provider configuration.
c
Thanks @rahul1, that's what I thought! We got thrown for a loop after already getting everything set up and working with Okta to find out they are switching to Azure SSO for internal users. As always, you guys are ON TOP OF IT!
@rahul1 we are working through setting up the Azure IDP client. We got it to come up with the authorization, and after authorizing we get an error as follows:
{
  "resourceType": "OperationOutcome",
  "issue": [
    {
      "severity": "error",
      "code": "invalid",
      "details": {
        "text": "Failed to verify code - check your identity provider configuration"
      }
    }
  ],
  "extension": [
    {
      "url": "https://medplum.com/fhir/StructureDefinition/tracing",
      "extension": [
        {
          "url": "requestId",
          "valueUuid": "59c62cc7-9e41-46e7-9caa-c1b3c47c0ef9"
        },
        {
          "url": "traceId",
          "valueUuid": "eeaf4109-02d5-4180-9e2d-584deb11f8d0"
        }
      ]
    }
  ]
}
Wondering if you have any insight into which part might be incorrect. We know for sure the authorize & token URLs are correct, but we're slightly guessing on the user info URL. We are basing that off of this page: https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#calling-the-userinfo-endpoint Any pointers would be awesome.
Digging a little further, I'm seeing a 400 (Bad Request) when it's calling api.medplum.com/auth/external with the code.
I ended up finding a Postman collection for Azure OAuth validation where I'm attempting to validate the token response I got. It uses the Medplum API to help with the validation, but still not getting through. Trying to provide as much info as I can.
r
Did you confirm that the identity exists in the Azure SSO system? That's the first thing I'd try. The next line of thinking is whether the code challenge request (the external one) is constructed just right. This is the one for Medplum, but I don't see an obvious place for the Microsoft version: https://www.medplum.com/docs/api/oauth/authorize#authorization-code-grant-with-pkce
r
Hi @codejenn - I see that you got a PKCE issue; I think I can help. Quick clarifying question - which flow are you using? 1. Redirect IDP flow: https://www.medplum.com/docs/auth/methods/external-identity-providers 2. Token Exchange: https://www.medplum.com/docs/auth/methods/token-exchange
c
Thank you both! I am away from my computer at this point, so I'll try more tomorrow morning. I am trying to use option one, @rahul1.
r
Thanks. So the best way to debug this is to step through the redirect flow step by step (see the diagram). Would you mind indicating with a ✅ which steps are completing properly?
1. Redirect to Azure sign in page (step 3+4)
2. Submit Azure credentials (step 5)
3. Receive 301 redirect response to api.medplum.com/auth/external with code in URL (step 6+7)
4. Redirect to your app with code in URL (step 11)
5. Call processCode (step 13)
6. Receive access token (step 14)
c
Thanks @rahul1!
1. Redirect to Azure sign in page (step 3+4) ✅
2. Submit Azure credentials (step 5) ✅
3. Receive 301 redirect response to api.medplum.com/auth/external with code in URL (step 6+7) - This is where I get the 400 bad request. It is navigating to api.medplum as you can see in the screenshot below, however it gets the bad request ⁉️
4. Redirect to your app with code in URL (step 11)
5. Call processCode (step 13)
6. Receive access token (step 14)
r
Hi @codejenn, I've filed an issue to make a few changes on our server side to replicate what we worked on with Postman. We'll try to get this out ASAP: https://github.com/medplum/medplum/issues/3215
c
Thank you for the update!!