Azure Authentication #2924

Closed
opened 2026-02-05 05:45:08 +03:00 by OVERLORD · 5 comments

Originally created by @corbing on GitHub (Jul 28, 2022).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I have followed the authentication procedures for AzureAD (Microsoft) found in the docs. When I try to "login with Microsoft Azure" it asks for my credentials and then fails with a generic message:
An Error Occurred
An unknown error occurred
RETURN TO HOME

If I attempt to login again, it just immediately fails with the generic error above without requesting my MS credentials. I have rechecked all of the Azure IDs and even got a new APP_SECRET.

See below for the log error.

Exact BookStack Version

22.06.2

Log Content

```
[2022-07-28 02:44:24] production.ERROR: Client error: `POST https://login.microsoftonline.com/41e004fe-4b46-48c0>
{"error":"invalid_client","error_description":"AADSTS700025: Client is public so neither 'client_assertion' nor >
 {"exception":"[object] (GuzzleHttp\\Exception\\ClientException(code: 401): Client error: `POST https://login.mi>
{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700025: Client is public so neither 'client_assertio>
 at /var/www/bookstack/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113)
```

PHP Version

No response

Hosting Environment

Ubuntu 22.04 x64 on Digital Ocean installed via official script. https installed via certbot instructions.

```
# Application key
APP_KEY=base64:6Uy1uab1HJ4P<snip>

# Application URL
APP_URL=https://<snip>

# Active Directory Authentication with Microsoft 365
AZURE_APP_ID=c2a5e<snip>
AZURE_APP_SECRET=Jto8Q~<snip>
AZURE_TENANT=41e004fe-<snip>
```
OVERLORD added the 🐕 Support label 2026-02-05 05:45:08 +03:00

@ssddanbrown commented on GitHub (Jul 28, 2022):

Hi @corbing,

From what I can find, this error can often be due to the wrong type of application being created, or due to unexpected settings being active.

  • Has this definitely been set-up as a standard app registration? Does it show anything in the top-left of the azure view about being an "Enterprise Application"?
  • When viewing the "Overview" page for the app registration, what is the text shown under the "Redirect URIs" property?
  • On the "Authentication" page for the app registration, is the "Allow public client flows" option enabled?

@corbing commented on GitHub (Jul 28, 2022):

Thank you for your help, Dan!

  • Has this definitely been set-up as a standard app registration?

It appears to be a standard app. It does not show "Enterprise Application" in the upper left on any of the Manage options. If I click the application name on the Overview page under the text "Managed application in local directory" then it goes to an area where I can set it up as an Enterprise Application and it does say "Enterprise Application" in the upper left. But, none of that is configured.

  • When viewing the "Overview" page for the app registration, what is the text shown under the "Redirect URIs" property?

It says:
Redirect URIs
0 web, 0 spa, 1 public client

If I click on that link it then shows:
Redirect URIs
https://domain/login/service/azure/callback

  • On the "Authentication" page for the app registration, is the "Allow public client flows" option enabled?

No, it was not. But, I enabled that option and still get the same results.


@ssddanbrown commented on GitHub (Jul 28, 2022):

No, it was not. But, I enabled that option and still get the same results.

Okay, leave that disabled, I was just checking it's not active.

It says:
Redirect URIs
0 web, 0 spa, 1 public client

This indicates to me that the wrong type of platform is configured, maybe.
Within the "Authentication" page of the app registration, you should have a "Web" type of application (with redirects) under the "Platform configurations" section. What do you have here?


@corbing commented on GitHub (Jul 28, 2022):

This indicates to me that the wrong type of platform is configured, maybe.

Bingo! That was the issue! I guess by default it configures it as a "mobile or desktop application". I added the web platform, updated the URI, and everything started working.

I very much appreciate your help! Look forward to diving in now!

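The root cause in this thread is the OAuth client type, not the credentials: BookStack's Azure login exchanges the authorization code as a confidential client (it POSTs `client_secret` to the token endpoint), and Entra ID only accepts a secret from an app registration whose callback URI sits under the "Web" platform. A URI registered under "Mobile and desktop applications" makes the registration a public client, which is exactly what AADSTS700025 says. The following preflight check is an added example, not BookStack's or Microsoft's code. It inspects an app registration in the Microsoft Graph `application` shape (`web`, `spa`, `publicClient`, `isFallbackPublicClient`), which is what `az ad app show --id <app-id>` prints, and it parses a token-endpoint error body into its AADSTS code. The two registration objects, the callback URL and the error body below are constructed to mirror the "0 web, 0 spa, 1 public client" state from the thread and its fix; the app ID and hostname are placeholders.

```python
"""Preflight check for a BookStack Azure AD (Entra ID) app registration.

Added example, not BookStack's own code. Assumes the Microsoft Graph
`application` object shape as printed by `az ad app show --id <app-id>`.
"""
import json
import re

# Constructed: BookStack's callback path under a placeholder APP_URL.
CALLBACK = "https://docs.example.com/login/service/azure/callback"

# Constructed: the state that produced the error in the thread
# ("0 web, 0 spa, 1 public client").
BROKEN_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "displayName": "BookStack",
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": False,
    "web": {"redirectUris": []},
    "spa": {"redirectUris": []},
    "publicClient": {"redirectUris": [CALLBACK]},
}

# Constructed: the same registration after adding the Web platform
# and removing the URI from the public-client platform.
FIXED_APP = {
    **BROKEN_APP,
    "web": {"redirectUris": [CALLBACK]},
    "publicClient": {"redirectUris": []},
}

# Constructed token-endpoint error body, shaped like the one in the log above.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS700025: Client is public so neither "
                         "'client_assertion' nor 'client_secret' should be presented.",
})


def check_registration(app: dict, callback_url: str) -> list[str]:
    """Return findings for a confidential (server-side) web client; empty means OK."""
    findings = []
    web = app.get("web", {}).get("redirectUris", [])
    spa = app.get("spa", {}).get("redirectUris", [])
    public = app.get("publicClient", {}).get("redirectUris", [])

    if callback_url not in web:
        findings.append(f"{callback_url} is not registered under the Web platform")
    if callback_url in public:
        findings.append(
            f"{callback_url} is registered under 'Mobile and desktop applications' "
            "(public client): the token endpoint will reject client_secret with AADSTS700025"
        )
    if callback_url in spa:
        findings.append(f"{callback_url} is registered as a SPA redirect, not a Web redirect")
    if app.get("isFallbackPublicClient"):
        findings.append("'Allow public client flows' is enabled; leave it disabled for a server-side app")
    return findings


AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")

# Only the code this thread documents is mapped; anything else gets a generic hint.
KNOWN_CAUSES = {
    "AADSTS700025": "registration is a public client: move the callback URI from "
                    "'Mobile and desktop applications' to the 'Web' platform",
}


def diagnose_token_error(body: str) -> dict:
    """Parse a JSON error body from /oauth2/v2.0/token and map its AADSTS code to a hint."""
    data = json.loads(body)
    match = AADSTS_RE.search(data.get("error_description", ""))
    code = match.group(1) if match else None
    hint = KNOWN_CAUSES.get(code, "unmapped code; look it up in the Entra ID error reference")
    return {"error": data.get("error"), "code": code, "hint": hint}


if __name__ == "__main__":
    for label, app in (("broken", BROKEN_APP), ("fixed", FIXED_APP)):
        print(label, check_registration(app, CALLBACK) or ["OK"])
    print(diagnose_token_error(SAMPLE_ERROR_BODY))
```

To run the same check against a real tenant, replace `BROKEN_APP` with the output of `az ad app show --id "$AZURE_APP_ID"` (the `--query` flag can narrow it to `{web:web.redirectUris,public:publicClient.redirectUris,spa:spa.redirectUris,fallback:isFallbackPublicClient}`), and keep the secret out of the check entirely: the registration's platform type, not the secret's value, is what this error reports on.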

@ssddanbrown commented on GitHub (Jul 28, 2022):

@corbing Happy to help, I think the "Platform" box when creating the application is new, I've just updated our docs with a mention to set this to "Web" to help prevent future confusion.

Just an added note: if you're looking to use AzureAD as your main/only auth option, and you want to provide a seamless experience, our SAML2 and OIDC options can both work with AzureAD I believe, with SAML2 having group/role sync support with BookStack (OIDC will gain this in the future). These are a bit more complex to set up, but may work better (depending on environment and requirements). I do have videos covering these auth options on our YouTube channel (https://www.youtube.com/c/BookStackApp), albeit no videos specifically for AzureAD.

Reference: starred/BookStack#2924