Error 500 after OneDrive authorization

Open grzywek opened this issue 10 months ago • 12 comments

Preflight Checklist

  • [x] I agree to follow the Code of Conduct that this project adheres to.
  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

You must agree to search and the code of conduct. You must fill in this entire template. If you delete part/all or miss parts out your issue will be closed.

If you are technical, you should report bugs along the lines of https://marker.io/blog/how-to-write-bug-report. If you are not technical, we will make allowances, please try to make an effort to understand the process.

Describe the bug

Authorizing to OneDrive ends with HTTP error 500.

To Reproduce

After opening draw.io at https://10.0.0.6:8443/ and clicking “OneDrive”, then “Authorize”, the redirection occurs to: https://10.0.0.6:8443/microsoft?code=[edited]&state=cId%3d917ecb76-392e-4f27-93fd-f4a1c59343f7%26domain%3d10.0.0.6%3a8443%26token%3d12pelamf9get192gm0bfmfq1vic0v7124iqhm4k4s8v3gs3srhuv&session_state=b4db3864-add6-49a6-af77-4647378cde00# resulting in a browser error: “This page isn’t working. HTTP ERROR 500”.

Expected behavior

OneDrive works

Screenshots

Image

draw.io version (In the Help->About menu of the draw.io editor):

  • draw.io version 26.0.9

Desktop (please complete the following information):

  • OS: macOS 15.3
  • Browser: Arc
  • Browser Version: 1.79.1 (58230)

I tested the problem in incognito/private mode with all browser extensions switched off, write "yes" below: yes

Additional context

none

grzywek avatar Feb 17 '25 14:02 grzywek

Without knowing exactly what you've deployed or how you've deployed there's no way we can determine what has happened.

davidjgraph avatar Feb 18 '25 12:02 davidjgraph

Well, nothing fancy. Just a regular Docker deployment.

After fresh set up I added the following env variables:

Image

Of course before I created App Reg:

Image

Image

so in general Draw.io works but once I click "Authorize"

Image

I'm redirected to the URL from the first post and receive error 500.

Is anything more needed to set up on the Azure or Docker side to make it work?

grzywek avatar Feb 21 '25 15:02 grzywek

What is the content of the 500 response?

davidjgraph avatar Feb 27 '25 17:02 davidjgraph

@davidjgraph no content (empty Response from server). Just error 500.

I managed to find in logs the following entry. It's added to the log at the moment I click "Authorize" button:

27-Feb-2025 18:17:25.277 SEVERE [https-openssl-nio-8443-exec-9] com.mxgraph.online.AbsAuth.contactOAuthServer AUTH-SERVLET: [https://login.microsoftonline.com/common/oauth2/v2.0/token] ERROR: Server returned HTTP response code: 400 for URL: https://login.microsoftonline.com/common/oauth2/v2.0/token -> {"error":"invalid_request","error_description":"AADSTS50194: Application '917ecb76-392e-4f27-93fd-f4a1c59343f7'(DRAWIO) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant. Trace ID: 50578fc4-5c55-431b-bfd4-9f2f490be800 Correlation ID: 23fcc2e2-6af8-4f28-a6c0-f9d3ca9e4de4 Timestamp: 2025-02-27 18:17:25Z","error_codes":[50194],"timestamp":"2025-02-27 18:17:25Z","trace_id":"50578fc4-5c55-431b-bfd4-9f2f490be800"

After I changed and selected the second option in App Registration configuration, it starts working:

Image

But I would prefer to leave the "Single Tenant" option. Would that be possible?

grzywek avatar Feb 27 '25 18:02 grzywek

Does https://github.com/jgraph/drawio/pull/4905 help?

davidjgraph avatar Mar 03 '25 12:03 davidjgraph

Hi @davidjgraph and @grzywek. The fix done in #4905 should help but I was not able to verify it locally (it was discussed in the mentioned PR).

@davidjgraph I pulled the latest docker image and unfortunately there is something more to be done "somewhere" because I have in logs: "com.mxgraph.online.AbsAuth.doGetAbst AUTH-SERVLET: [169.254.169.126] ERROR: Reading secret msgraph_tenant_id failed." Unfortunately there is no SecretFacade class source in the project so I don't know how this class works. So you were right @davidjgraph that it should be tested before merging a PR but as we discussed I couldn't do it... (and I repeat I would be happy to help if there is an instruction how to build and test the project locally :)).

krzysztof-cislo avatar Mar 14 '25 08:03 krzysztof-cislo

@grzywek, if you use the docker image, you should go back to version jgraph/drawio:26.0.9 and leave multi tenant configuration for now. Otherwise it won't work.

krzysztof-cislo avatar Mar 14 '25 08:03 krzysztof-cislo

Probably just needs a try/catch around the getSecret call in case TENANT_ID_FILE_PATH doesn't exist. I've pushed a change.

davidjgraph avatar Apr 05 '25 15:04 davidjgraph

@davidjgraph, it's not a matter of try/catch. I mean try/catch fixed the release but single tenant still doesn't work.

krzysztof-cislo avatar Apr 11 '25 05:04 krzysztof-cislo

ok, but we need at least to have it working in multi tenant without the error, I assume that's ok now?

davidjgraph avatar Apr 11 '25 12:04 davidjgraph

Yes, multi tenant is working fine now again. So the issue from this thread is resolved.

krzysztof-cislo avatar Apr 11 '25 12:04 krzysztof-cislo

@grzywek and anyone else getting this error, there is a missing line in docker-entrypoint.sh that might resolve the issue

    if [[ "${DRAWIO_MSGRAPH_TENANT_ID}" ]]; then
        # Write the tenant ID to the WEB-INF file msgraph_tenant_id
        echo -n "${DRAWIO_MSGRAPH_TENANT_ID}" > "$CATALINA_HOME/webapps/draw/WEB-INF/msgraph_tenant_id"
        # Expose the tenant ID to the web client through PreConfig.js
        echo "window.DRAWIO_MSGRAPH_TENANT_ID = '${DRAWIO_MSGRAPH_TENANT_ID}'; " >> "$CATALINA_HOME/webapps/draw/js/PreConfig.js"
    fi

Failure to set msgraph_tenant_id results in trying to do the code-token exchange against the /common endpoint, which will fail if you authorized your app to a specific tenant. This is a much simpler and safer alternative than going the multitenant route.

bnevis-i avatar Sep 23 '25 15:09 bnevis-i
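
The failure mode from this thread as an added example (not code from the issue or from draw.io): it validates a tenant ID before it would be interpolated into the single-quoted string in PreConfig.js, derives the token endpoint that should be used, and scans Tomcat log lines for AADSTS errors raised against `/common`. The function names, the GUID-or-DNS-name validation rule and the sample log line (constructed, with a placeholder application ID) are assumptions.

```sh
#!/bin/sh
# Added example; not code from the issue thread or from draw.io.
GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
DOMAIN_RE='^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'

# Assumed rule: a tenant ID is a GUID or a DNS-style name. Anything else
# (quotes, spaces, newlines) is refused before it can reach PreConfig.js.
valid_tenant_id() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq "$GUID_RE|$DOMAIN_RE"
}

# Token endpoint for the code-token exchange: tenant-specific when a tenant
# ID is given, /common when it is empty (the fallback seen in the log).
token_endpoint() {
    if [ -z "${1:-}" ]; then
        set -- common
    elif ! valid_tenant_id "$1"; then
        echo "refusing tenant id with unexpected format" >&2
        return 1
    fi
    printf 'https://login.microsoftonline.com/%s/oauth2/v2.0/token\n' "$1"
}

# Reads Tomcat log lines on stdin and prints, per AUTH-SERVLET failure:
# "<AADSTS code> <tenant segment of the endpoint> <application id>".
scan_auth_log() {
    sed -n -E "s#.*AUTH-SERVLET: \[https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/token\].*(AADSTS[0-9]+): Application '([0-9a-fA-F-]+)'.*#\2 \1 \3#p"
}

# Constructed sample, shortened from the log format quoted in the thread;
# the application ID is a placeholder.
sample_log() {
    cat <<'EOF'
27-Feb-2025 18:17:25.277 SEVERE [exec-9] com.mxgraph.online.AbsAuth.contactOAuthServer AUTH-SERVLET: [https://login.microsoftonline.com/common/oauth2/v2.0/token] ERROR: Server returned HTTP response code: 400 -> {"error":"invalid_request","error_description":"AADSTS50194: Application '00000000-0000-0000-0000-000000000000'(DRAWIO) is not configured as a multi-tenant application."}
EOF
}

sample_log | scan_auth_log          # tenant segment "common" means no tenant ID was applied
token_endpoint "11111111-2222-3333-4444-555555555555"   # constructed tenant GUID
```

A `common` tenant segment next to AADSTS50194 in the scan output points at a single-tenant app registration whose tenant ID never reached the server.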