Azure AD SSO not redirecting to "Redirect URL" mentioned on the webpage and Azure Portal - azure

I am trying to establish SSO using Azure AD, but I am facing a peculiar condition. When I first try to log in via the application URL, it redirects me to the AD login page. After successful authentication, a cookie is generated. But the redirection does not take place to the original URI that I opened.
It goes to the domain controller page, where it says 403 - forbidden access.
But after refreshing the page, the site opens normally, as it should have the first time.
Original URL: https://-webapp*.tl.co.in/TSEERMDEV/
During login:
https://login.microsoftonline.com/f35425af-4755-4e0c-xxxx-b3cb9f1c6afd/oauth2/v2.0/authorize?client_id=cccccccc-219d-4c3b-bbc9-a1d32caa79a3&post_uri=https%3A%2F%2F**-webapp*.t**l.co.in%2FTSEERMDEV%2F&response_type=id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DP2o_ddgKlg9kRjVV49yxtFnHEZPT-i4ROq2k7zUVGDv0SzlhfhKy8WLkinKE_IFSgN2tWpJt4Jte-Y34NIod0mmmmmmmmsssssssstetstesteB7IOnFZUKVyv-kNbXQev25viPA-5TDi2sIkhBPSZKwSzvCP9cu_7VRNk5v53Ekjo032xjNA_-R-ulXWAW_SM3O6zqh6otO3O1tR1xpXQ8A&response_mode=form_post&nonce=637594416396999271.ZDA5M2Y4MGYtMmFiNC00OGJhLThhMDUtNDY5YTNlYTU1NTRhNzUwZjdiMDUtZGZmNy00YjMNC44GGMtNmQyYzliNzNkYjA4&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0
redirect url: https://-webapp*.tl.co.in/TSEERMDEV/

Your original URL: https://-webapp*.tl.co.in/TSEERMDEV/ is invalid, and the invalid url cannot be added as the redirect url of the application.
So, you need to set the correct redirect url, and then you can try to use this url to send a login request:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token
&redirect_uri={redirect_uri}
&response_mode=form_post
&scope=openid
&state=12345
&nonce=678910

Related

Azure AD B2C with MSAL change redirect url on success

I have a React app which uses MSAL msal-react v1.3.1. I am using loginRedirect method to redirect a predefined user flow configured in Azure B2C for password reset. The current behaviour is that when the password reset is complete it redirects back to the page that first invoked the redirect to AD B2C once it has completed successfully.
Is there a way to change the redirect url when the flow has completed to something like below?
instance.loginRedirect({
authority: `${config.authentication.authority}/${config.authentication.flow.register}`,
redirectUri: window.location.href + '?success=true'
});
I have tried to set the redirectUri and postLoginRedirectUri which don't appear to change the outcome.
There appears to be a restriction on the redirectUrl as described here.
The redirect url must be registered with the application and cannot contain wildcards or query string parameters.
What I had to do in this situation was set the navigateToLoginRequestUrl to false where you set up your msal. Example of someone's code with the navigateToLoginRequestUrl option: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3818
Then maybe you could use the state option to pass any information you want to the return URL instead of a query parameter on returnURL. But I don't quite see the point here.
instance.loginRedirect({
authority: `${config.authentication.authority}/${config.authentication.flow.register}`,
redirectUri: window.location.href,
state: 'success'
});

Microsoft oAuth redirecting to root instead of "home" url when using microsoft Azure application authentication

I am using MVC.net with "sign in with Microsoft" as the login.
First, everything works on localhost.
I have registered my app on the AZ portal, with a redirect URL of https://xxxxxxx.com/xxx/Home/Index
I have a web.config redirect URI that matches.
When I publish the application and sign in with Microsoft, it authenticates, then redirects to https://xxxxxxx.com/xxx/Home/Index as a POST with form data of (string code, string id_token, string state, string session_state) with a 302,
which then redirects to the root https://xxxxxxx.com
Update the reply URL (redirect URL) in the application registration.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application I am disgusted

Hey guys, after publishing to Azure I get the following error when I want to log in.
I checked the URL in my code and the App Registration --> it's the same...
When I run with the Azure domain (I already created a new registered app):
We're unable to complete your request
unauthorized_client:
The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
When I run on localhost, the login appears, and when I log in it redirects me to this:
The reply URL specified in the request does not match the reply URLs configured for the application
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'ace44f89-fa01-41a3-8d0c-f0835adb1065'.
Troubleshooting details:
Request Id: e9199aae-5431-4ca5-ae1e-ad2ab78f0a00
Correlation Id: cc29341a-f2bd-4b2b-a968-474c8203c493
Timestamp: 2021-04-13T07:32:21Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'ace44f89-fa01-41a3-8d0c-f0835adb1065'.
The client does not exist or is not enabled for consumers.
This error means you are using a Microsoft Account to log in to your client app, but it is not enabled for that.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
AADSTS50011: The reply URL specified in the request does not match the
reply URLs configured for the application
When you visit the application URL, you will be redirected to the login page. Decode the authorization request URL and you will find redirect_url; copy the value of redirect_url, paste it into the Azure portal, and try again.

Facebook : URL blocked This redirect failed because the redirect URI is not white-listed in the app's client OAuth settings

Recently I have used the Facebook Login option on my website. I have written all the APIs needed and tested them thoroughly using "localhost" as the domain. While configuring settings for my app in my Facebook developers account, I set up all the necessary settings like giving the OAuth redirect URL, adding the domain name in basic settings and other things. Everything worked fine then. So, I requested the required app permissions like pages_manage_posts, pages_read_engagement, pages_show_list and applied for them. Facebook approved them in the app review.
The Redirect URL ("https://execute.app/#/socialmedia/management/") that I used in Facebook is correctly put in the Facebook OAuth redirect URL path as shown in the pic below.
I have used server-side APIs for Facebook login and graph APIs. I have used OAuth2 for Facebook login. You can see the code below:
// Express app and the config module holding the Facebook app key/secret
// (the require paths are assumed; the original post only shows CONSTANTS and app).
var express = require('express');
var OAuth2 = require('oauth').OAuth2;
var CONSTANTS = require('./constants');
var app = express();

// OAuth2(clientId, clientSecret, baseSite, authorizePath, accessTokenPath, customHeaders)
var oauth2 = new OAuth2(CONSTANTS.FB_APP_Key,
    CONSTANTS.FB_APP_Secret,
    "", "https://www.facebook.com/dialog/oauth",
    "https://graph.facebook.com/oauth/access_token",
    null);

app.get('/api/document/facebook/auth', function (req, res) {
    // redirect_uri as registered in the Facebook app settings (note the # fragment)
    var redirect_uri = "https://execute.app/#/socialmedia/management/";
    console.log("redirect_uri ", redirect_uri);
    var params = { 'redirect_uri': redirect_uri, 'scope': 'email,public_profile,pages_manage_posts,pages_show_list,pages_read_engagement' };
    var authUrl = oauth2.getAuthorizeUrl(params);
    res.send({
        "status": true,
        "message": "login url generated successfully",
        "url": authUrl
    });
});
I will explain the problem in two scenarios below.
Scenario 1: When there is an existing active Facebook session in the browser, i.e. when some user is already logged into Facebook on facebook.com or developers.facebook.com, and we try to log in to Facebook from our website, the OAuth authentication API gets called and returns the Facebook login URL with status code 200, the URL gets opened in a new tab, and it works fine: we don't need to enter Facebook login credentials again, we can just click the "**Continue as USER**" button and then we get the login code, with which we can get the user access token. After getting the token everything works as planned.
Scenario 2: But if no user is already logged into Facebook in the browser and I click the **login to Facebook** button, the API call is made and it returns the login URL, but the response status code sent by the OAuth login API is 304. A new Facebook login tab is opened, but there is a warning displaying a message saying "URL blocked.
This redirect failed because the redirect URI is not white-listed in the app's client OAuth settings. Make sure that the client and web OAuth logins are on and add all your app domains as valid OAuth redirect URIs."
But you can see that I have already added the correct Redirect URL in Facebook. It works in scenario 1 and does not work in the other, as I mentioned above.
Note: the Facebook login URL returned by the OAuth authentication API is the same regardless of whether the status code is 200 or 304. It is: "https://www.facebook.com/dialog/oauth?redirect_uri=https%3A%2F%2Fexecute.app%2F%23%2Fsocialmedia%2Fmanagement%2F&scope=email%2Cpublic_profile%2Cpages_manage_posts%2Cpages_show_list%2Cpages_read_engagement&client_id=88XXXXXXX663"
Please help me solve this issue, thanks in advance.
The OAuth RFC states for the redirect URI that:
The endpoint URI MUST NOT include a fragment component.
It might be a bug in Facebook that it works for some scenarios and not for others, but in fact it's best to avoid a URI with a fragment component. If Facebook's documentation states that you can use redirect URIs with fragments, I would try to contact them and ask why this doesn't work in some scenarios.

AAD app registration not accepting the query string parameter

I have registered the app in Azure AAD with reply URLs, and enabled id_token and auth token. If I give the exact URL as the parameter it works fine, but if I add a query string as a parameter in the reply URL it is not working and throws an error:
AADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application: ''.
Below is my sample URL format generated by the ADAL.js file.
https://login.microsoftonline.com/.onmicrosoft.com/oauth2/authorize
?response_type=id_token &client_id=
&redirect_uri=?p1=123&p2=456
&state=62439108-d296-4a0d-91cc-4f6580656e83
&client-request-id=1a5ad90a-26fc-4e60-bbcc-8d58bbbcc1f7
&x-client-SKU=Js &x-client-Ver=1.0.13
&nonce=a4a6215c-0706-4fbc-91a9-36e4cd3a262e
If I remove this ?p1=123&p2=456 query string from the redirect_url, it works fine. The other workaround I see is that if I go to the legacy app registration and add "*" at the end of the URL, it works. But the new app registration does not allow "*" in the reply_url during registration.
Has anyone else faced the same issue and fixed it without adding "*" in the reply_url registration? Please let me know.
This is an issue with ADAL.js (and MSAL.js) setting the redirect URI to the current URL by default.
You can get around it with an approach like this:
1. Set redirect URI as window.location.origin + "/aad-callback" (or anything else)
2. When requiring login, store current URL in sessionStorage (or local storage or a cookie)
3. Trigger login redirect
4. When your app gets a callback to /aad-callback, handle the tokens from the URL fragment
5. Load the local redirect URL from sessionStorage
6. Redirect user there
I wrote an article related to this but for MSAL.js: https://joonasw.net/view/avoiding-wildcard-reply-urls-with-msal-js.
The concepts are the same for ADAL.js.
