Microsoft oAuth redirecting to root instead of "home" url when using microsoft Azure application authentication - azure

I am using MVC.net with "sign in with microsoft" as the login.
First, everything works on localhost.
I have registered my app on the AZ portal, with a redirect URL of https://xxxxxxx.com/xxx/Home/Index
I have a web.config redirect uri that matches
When I publish the application and sign in with Microsoft, it authenticates, then redirects to https://xxxxxxx.com/xxx/Home/Index as a POST with form data of (string code, string id_token, string state, string session_state) with a 302,
which then redirects to the root https://xxxxxxx.com

Update the reply URL (redirect URL) in the application registration.


Azure AD SSO not redirecting to "Redirect URL" mentioned on the webpage and Azure Portal

I am trying to establish SSO using Azure AD, but I am facing a peculiar condition. When I first try to log in via the application URL, it redirects me to the AD login page. After successful authentication, a cookie is generated, but the redirection does not take place to the original URI that I opened.
It goes to the domain controller page, where it says 403 - Forbidden access.
But after refreshing the page, the site opens normally, as it should have the first time.
Original URL: https://-webapp*.tl.co.in/TSEERMDEV/
During login:
https://login.microsoftonline.com/f35425af-4755-4e0c-xxxx-b3cb9f1c6afd/oauth2/v2.0/authorize?client_id=cccccccc-219d-4c3b-bbc9-a1d32caa79a3&post_uri=https%3A%2F%2F**-webapp*.t**l.co.in%2FTSEERMDEV%2F&response_type=id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DP2o_ddgKlg9kRjVV49yxtFnHEZPT-i4ROq2k7zUVGDv0SzlhfhKy8WLkinKE_IFSgN2tWpJt4Jte-Y34NIod0mmmmmmmmsssssssstetstesteB7IOnFZUKVyv-kNbXQev25viPA-5TDi2sIkhBPSZKwSzvCP9cu_7VRNk5v53Ekjo032xjNA_-R-ulXWAW_SM3O6zqh6otO3O1tR1xpXQ8A&response_mode=form_post&nonce=637594416396999271.ZDA5M2Y4MGYtMmFiNC00OGJhLThhMDUtNDY5YTNlYTU1NTRhNzUwZjdiMDUtZGZmNy00YjMNC44GGMtNmQyYzliNzNkYjA4&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0
redirect url: https://-webapp*.tl.co.in/TSEERMDEV/
Your original URL https://-webapp*.tl.co.in/TSEERMDEV/ is invalid, and an invalid URL cannot be added as the redirect URL of the application.
So you need to set the correct redirect URL, and then you can try to use this URL to send a login request:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token
&redirect_uri={redirect_uri}
&response_mode=form_post
&scope=openid
&state=12345
&nonce=678910

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application I am disgusted

Hey guys, after publishing to Azure I get the following error when I want to log in.
I checked the URL in my code and the App Registration --> it's the same...
When I run with the Azure domain (I already created a new registered app):
We're unable to complete your request
unauthorized_client:
The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
When I run on localhost, the login appears, and when I log in it redirects
me to this:
The reply URL specified in the request does not match the reply URLs configured for the application
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'ace44f89-fa01-41a3-8d0c-f0835adb1065'.
Troubleshooting details:
Request Id: e9199aae-5431-4ca5-ae1e-ad2ab78f0a00
Correlation Id: cc29341a-f2bd-4b2b-a968-474c8203c493
Timestamp: 2021-04-13T07:32:21Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'ace44f89-fa01-41a3-8d0c-f0835adb1065'.
The client does not exist or is not enabled for consumers.
This error means you are using a Microsoft Account to login your client app, but it is not enabled for that.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
AADSTS50011: The reply URL specified in the request does not match the
reply URLs configured for the application
When you visit the application URL, you will be redirected to the login page. Decode the authorization request URL and you will find redirect_uri; copy the value of redirect_uri, paste it into the Azure portal, and try again.

Resource Token Provider as an Azure Function

I've been following the guide in this repo to set up a resource token provider as an Azure Function.
https://github.com/adamhockemeyer/Azure-Functions---CosmosDB-ResourceToken-Broker
I've set up the Cosmos DB, App registration, and Azure Function with permissions according to the instructions. When I get to step 3 in the guide, where I enter https://{function-url}/.auth/login/{provider} into my browser, I get the following error.
AADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application: [App id]
Update
I changed the Reply URL in my App Registration to https://{function-url}/.auth/login/{provider}/callback with {function-url} as my Function App URL. Originally I had it set to one of my Function URLs. Now I'm getting a 404 Not Found error.
Screenshots: App Registration Redirect URL; Function App URL; Function App Authentication Settings
You need to add the URL as below in your app registration, then it should work.
Note: After adding the URL, go back to Authentication / Authorization in your function app, turn off the Authentication Providers which you configured -> turn off Authentication / Authorization, then turn it on and configure it again; otherwise it seems not to become effective.
https://{function-url}/.auth/login/{provider}/callback
Update:
Turn off all the configuration and create the new AD App as below.

AAD app registration not accepting the query string parameter

I have registered the app in Azure AAD with reply URLs, and enabled id_token and auth token. If I give the exact URL as the parameter it works fine, but if I add a query string as a parameter in the reply URL it is not working and throws an error:
AADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application: ''.
Below is my sample URL format generated by ADAL.js file.
https://login.microsoftonline.com/.onmicrosoft.com/oauth2/authorize
?response_type=id_token &client_id=
&redirect_uri=?p1=123&p2=456
&state=62439108-d296-4a0d-91cc-4f6580656e83
&client-request-id=1a5ad90a-26fc-4e60-bbcc-8d58bbbcc1f7
&x-client-SKU=Js &x-client-Ver=1.0.13
&nonce=a4a6215c-0706-4fbc-91a9-36e4cd3a262e
If I remove this ?p1=123&p2=456 query string from the redirect_uri, it works fine. The other workaround I see is that if I go to the legacy app registration and add "*" at the end of the URL, it works. But the new app registration does not allow "*" in the reply_url during registration.
Has anyone else faced the same issue and fixed it without adding "*" in the reply_url registration? Please let me know.
This is an issue with ADAL.js (and MSAL.js) setting the redirect URI to the current URL by default.
You can get around it with an approach like this:
Set redirect URI as window.location.origin + "/aad-callback" (or anything else)
When requiring login, store current URL in sessionStorage (or local storage or a cookie)
Trigger login redirect
When your app gets a callback to /aad-callback, handle the tokens from the URL fragment
Load the local redirect URL from sessionStorage
Redirect user there
I wrote an article related to this but for MSAL.js: https://joonasw.net/view/avoiding-wildcard-reply-urls-with-msal-js.
The concepts are the same for ADAL.js.

How to configure the SP name in Azure AD

I configured Azure AD as an identity provider for my organization's application.
Whenever I try to access the application it redirects the request to the Azure login, but I am getting a bad request error and it shows the message below:
The SP name qualifier 'abc.xxxx.com' is not valid.
I am not sure if I have done something wrong.
Below is my configuration:
SIGN ON URL
https://abc.xxxx.com/myapp/saml/ssoRequest?ticket=kcflmlmnpgg
ISSUER URL
https://abc.xxxx.com
REPLY URL
https://abc.xxxx.com/myapp/ssoResponse
The problem was that when I was submitting the SAML request I was not prepending 'http://' to the service provider name.