HAProxy, Microsoft Graph, Microsoft OAuth token

I am using HAProxy version 2.7.4-d28541d 2023/03/10

I am not an expert with HAProxy; that may be the first reason my requests are failing.

I have a Java application on a server which doesn't have access to the Internet. Access is only available via HAProxy, so I was trying to configure HAProxy for the Microsoft Graph API.

Microsoft Graph uses the following two domains:

https://graph.microsoft.com → For Graph API calls

https://login.microsoftonline.com → For the OAuth token

I can call both URLs from my HAProxy server. For example, I can get the bearer token using the curl command below:

curl -k -X POST \
  https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id={client-id}' \
  --data-urlencode 'client_secret={client-secret}' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=https://graph.microsoft.com/.default'

The response looks like the following:

  "token_type": "Bearer",
  "expires_in": 3599,
  "ext_expires_in": 3599,
  "access_token": "<<Access Token>>"

I have configured my HAProxy as follows:

frontend nicrosoft_graph_front
  bind *:443 ssl crt /etc/ssl/certs/spteluat.pem no-tls-tickets no-tlsv11
  mode http
  acl login_path path_beg /mslogin
  use_backend login_backend if login_path

backend login_backend
  mode http
  option forwardfor
  balance roundrobin
  server loginserver login.microsoftonline.com:443 check check-ssl verify none

It is not working. When I use the same curl command:

curl -k -X POST \
  https://localhost/mslogin/c648fe9a-244d-49b5-a052-6e961eb048b8/oauth2/v2.0/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=901f8630-ed72-40c3-ad7a-5e2bfb61fe87' \
  --data-urlencode 'client_secret=U0z8Q~p3r~-GoKWOpxjFhpFeeQ847dWh1Dooua0p' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=https://graph.microsoft.com/.default'

It gives me an error:

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.

At some point I believe I had a little success when I added the line below to the backend config:

http-request set-path %[path,regsub(^/mslogin/,/)]

but then it started returning 302, which I believe is due to the Microsoft login URL having some redirects (I don't know how to handle those either).

Any help on how I can make this HAProxy config work?

You should not put HAProxy in front of someone else’s website, like Microsoft. I’m not sure what you’re trying to accomplish by doing this, but I would imagine Microsoft has protections in place to prevent this from working.
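
For reference, here is the `login_backend` from the question beside a version that encrypts and authenticates the upstream connection. This is an added example, not the poster's or the HAProxy project's configuration, and it has not been run against Microsoft's endpoints. The CA bundle path is an assumption (a Debian-style location); the frontend is unchanged.

```haproxy
# --- As posted in the question -------------------------------------------
# server loginserver login.microsoftonline.com:443 check check-ssl verify none
#
#   * No "ssl" keyword: "check-ssl" applies to health checks only, so the
#     proxied requests themselves are sent as cleartext HTTP to port 443.
#   * "verify none": the upstream certificate is never validated, so the
#     client_secret in the POST body could be handed to any host that
#     answers on that address.

# --- Hardened variant (added example) ------------------------------------
backend login_backend
  mode http

  # Strip the local /mslogin prefix before forwarding; this is the
  # set-path rule quoted in the question.
  http-request set-path %[path,regsub(^/mslogin/,/)]

  # The client sent "Host: localhost"; the upstream expects its own name.
  http-request set-header Host login.microsoftonline.com

  # ssl             : use TLS for proxied traffic, not just for checks
  # verify required : reject the upstream unless its chain validates
  # ca-file         : trust anchors (path is an assumption, adjust per OS)
  # sni             : send the server name in the TLS handshake; with
  #                   verify required the certificate must match this name
  # check-sni       : send the same name during health checks
  default-server ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(login.microsoftonline.com) check-sni login.microsoftonline.com

  server loginserver login.microsoftonline.com:443 check
```

With certificate validation enabled on the proxy, the remaining weak link in the test is `curl -k`, which skips validation of the proxy's own certificate on the client side.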