Selfhosted and OneDrive with internal application ID does not support single tenant configurations
Preflight Checklist
- [x] I agree to follow the Code of Conduct that this project adheres to.
- [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.
Describe the bug
We have been running a self-hosted version for some time and are in the process of implementing OneDrive. We have created our own application/client ID, and the application has been successfully set up in Azure and authorization approved by the administrator.
When clicking on the Authorize button, it produces a 500 error and the following Tomcat logs:
```
9-Aug-2023 12:13:46.071 SEVERE [http-nio-8080-exec-108] com.mxgraph.online.AbsAuth.contactOAuthServer AUTH-SERVLET: [https://login.microsoftonline.com/common/oauth2/v2.0/token] ERROR: Server returned HTTP response code: 400 for URL: https://login.microsoftonline.com/common/oauth2/v2.0/token -> {"error":"invalid_request","error_description":"AADSTS50194: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(DrawIO) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.\r\nTrace ID: xxxxx\r\nCorrelation ID: xxxxx\r\nTimestamp: 2023-08-09 18:13:46Z","error_codes":[50194],"timestamp":"2023-08-09 18:13:46Z","trace_id":"xxxxx","correlation_id":"xxxxx"}
```
MSGraphAuth.java reads the client ID from the msgraph_client_id file, but uses the hard-coded /common URL intended for multi-tenant applications and has no mechanism to support single-tenant applications:

```java
public static String CLIENT_SECRET_FILE_PATH = "msgraph_client_secret";
public static String CLIENT_ID_FILE_PATH = "msgraph_client_id";
private static Config CONFIG = null;

protected Config getConfig()
{
    if (CONFIG == null)
    {
        String clientSerets = SecretFacade.getSecret(CLIENT_SECRET_FILE_PATH, getServletContext()),
                clientIds = SecretFacade.getSecret(CLIENT_ID_FILE_PATH, getServletContext());

        CONFIG = new Config(clientIds, clientSerets);
        CONFIG.REDIRECT_PATH = "/microsoft";
        // Hard-coded multi-tenant endpoint; single-tenant registrations need /<tenant-id>/ here
        CONFIG.AUTH_SERVICE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
    }

    return CONFIG;
}
```
Single-tenant applications use the tenant/application ID in place of 'common' in the URL.
Expected behavior
Internally generated application IDs for single-tenant applications should be supported.
draw.io version (In the Help->About menu of the draw.io editor):
- draw.io version 21.1.4
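The change the report asks for, as an added example that is not drawio's own code: the token endpoint is built from an optional tenant ID, falling back to /common when none is configured. The secret file name `msgraph_tenant_id` and the class and method names are assumptions; the value is validated before it is placed in the URL so a malformed configuration value cannot produce an unexpected endpoint.

```java
import java.util.regex.Pattern;

// Example only (assumed names): derives the Microsoft identity platform token URL
// for either a multi-tenant registration (/common) or a single-tenant one (/<tenant>).
public final class MsGraphEndpoint
{
    // Assumed secret file, read the same way as msgraph_client_id in MSGraphAuth.java.
    public static final String TENANT_ID_FILE_PATH = "msgraph_tenant_id";

    // Accept a tenant GUID or a verified tenant domain (e.g. contoso.onmicrosoft.com);
    // reject anything else so that slashes, query strings, etc. never reach the URL.
    private static final Pattern TENANT = Pattern.compile(
        "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
        + "|[A-Za-z0-9][A-Za-z0-9.-]{0,253})$");

    public static String tokenUrl(String tenantId)
    {
        String segment = "common"; // multi-tenant default, as in the current code
        if (tenantId != null && !tenantId.trim().isEmpty())
        {
            String t = tenantId.trim();
            if (!TENANT.matcher(t).matches())
            {
                throw new IllegalArgumentException("invalid value in " + TENANT_ID_FILE_PATH);
            }
            segment = t;
        }
        return "https://login.microsoftonline.com/" + segment + "/oauth2/v2.0/token";
    }

    // In getConfig() this would become:
    //   String tenantId = SecretFacade.getSecret(TENANT_ID_FILE_PATH, getServletContext());
    //   CONFIG.AUTH_SERVICE_URL = MsGraphEndpoint.tokenUrl(tenantId);
    public static void main(String[] args)
    {
        System.out.println(tokenUrl(null));
        System.out.println(tokenUrl("11111111-2222-3333-4444-555555555555")); // constructed sample
        System.out.println(tokenUrl("contoso.onmicrosoft.com"));
    }
}
```

An empty or missing `msgraph_tenant_id` keeps today's behaviour, so existing multi-tenant deployments are unaffected.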
I am also in need of a single-tenant option; please provide an option to replace /common with the application ID.
Encountering this same issue. At the moment there is a workaround available but I'm not sure how appropriate it is to the context.
Workaround is to go to app registration > Authentication > Supported account types and set it to "Accounts in any organizational directory (multitenant)".
If this is adjusted, the docker entrypoint configuration also needs updating: https://github.com/jgraph/docker-drawio/blob/dev/main/docker-entrypoint.sh#L84-L89. Store a copy of the tenant ID on the server side so it can be retrieved in the Java code. The necessary environment variables already exist and are documented.
I also have this problem, and it's the only reason our organizations have not adopted this platform for diagramming.
We also have this issue. Would it be possible to create a patch for it? 🙏
Yes, please submit the patch and we'll look.
Sure, here is the PR: https://github.com/jgraph/drawio/pull/4905
@davidjgraph please check