We have the following Azure AD B2C Application (which we will call aadb2c) with the following settings
Include web app/ web API: YES
Allow Implicit Flow: YES
Reply Url:
- https://localhost:44339/
- https://productionURL.com
- https://productionURL.com/
App ID URI (which is optional): none
Native CLient: NO
This Application is what our website https://productionURL.com uses to login it's users with azure AD B2C.
However, on production we keep on getting the error:
The redirect URI 'productionURL.com' provided in the request is not registered for the client id 'aadb2c'
According to this we should add the link to out reply url.
But as you can see above, we already included https://productionURL.com in the "Reply URL" section
of the Azure AD B2C blade.
What could be causing this error to happen? How do we resolve the redirect URI request not registered error?
It needs to be configured in the code as well and you need to make sure that the protocols match. This can also happen if there's a mismatch with the tenant ID or the app ID.
Check the B2C callback request in Chrome DevTools > Network with "Preserve log" to see what URL is being returned. This should give you insight into the problem.
As an extra measure to ensure that the protocols are matching, you can add:
if (context.ProtocolMessage.RedirectUri.Contains("http:"))
{
context.ProtocolMessage.RedirectUri = context.ProtocolMessage.RedirectUri.Replace("http:", "https:");
}
After hours looking at our code and finding no traces of the url without any protocol or any trace of "http:", we now had to look at our deployment orchestrator.
Apparently in Octopus we are deploying the app with an incorrect URI: it's missing the protocol "https://"
Related
I am trying to run the WebApp B2C sample:
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C
When I try to login, I get the following error:
IDX40002: Microsoft.IdentityModel does not support a B2C issuer with 'tfp' in the URI. See https://aka.ms/ms-id-web/b2c-issuer for details.
If I edit the Instance to https://myHost.b2clogin.com I get:
AADSTS50011: The redirect URI 'https://myHost.b2clogin.com/1c2009bb-7e35-4a0e-9f22-xxxxxxxxx/oauth2/authresp' specified in the request does not match the redirect URIs configured for the application 'c24b0337-0bd9-45ee-8376-xxxxxxxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Edit:
These are my redirects:
I tried to reproduce the same in my environment and got the below results:
I deployed custom policy starter pack via IEF Setup App by entering my Azure B2C tenant name like below:
When I checked that in Portal, custom policies are created successfully like below:
Now I registered one Azure AD B2C app named webapp1 as below:
I added redirect Uri to the above application like below: https://localhost:44316/signin-oidc
Now, I followed the same link that you mentioned and deployed one sample B2C web application by modifying appsettings.json file like below:
"AzureAdB2C": {
"Instance": "https://sridevib2c.b2clogin.com",
"ClientId": "9986e76d-bxx7-4x6x-bxx7-3d8xxxxx9a45",
"Domain": "sridevib2c.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1A_SIGNUP_SIGNIN",
"SignUpSignInPolicyId": "B2C_1A_SIGNUP_SIGNIN",
"ResetPasswordPolicyId": "B2C_1A_PASSWORDRESET",
"EditProfilePolicyId": "B2C_1A_PROFILEEDIT" // Optional profile editing policy
//"CallbackPath": "/signin/B2C_1A_SIGNUP_SIGNIN" // defaults to /signin-oidc
},
JSON file:
When I ran the above web application, it took me to below web page:
After selecting Sign Up/In, I got the login screen like below:
When I entered my credentials, I logged in to the application successfully like below:
When I clicked on Sign Out, it showed me below screen by signing me out:
After a long research I found this article/sample, where the Microsoft.Identity.UI framework is replaced with the Microsoft.AspNetCore.Authentication.AzureADB2C.UI.
However, with the https://myDomain.b2clogin.com url I still get the same error, using the custom domain it works, that's enough for me.
I'm creating an angular application that should authenticate with MS Azure AD single Tenant App which should be used only in one organization. Below are the configs which I have tried
auth: {
clientId: 'MY_CLIENT_ID',
// authority: 'https://login.microsoftonline.com/MY_TENANT_ID',
//authority: 'https://login.microsoftonline.com/MY_ORGANIZATION_DOMAIN',
authority: 'https://login.microsoftonline.com/organizations',
redirectUri: 'http://localhost:6735'
},
All thes above ways of authority I have tried. It goes to the login page of Microsoft but after giving correct credentials it redirects with some code in the URL and login doesn't happen.
http://localhost:6735/#code=0.ASgAmOTRM_cEXkaKjvmSz2YuZyqUYHleyNlFoNYtQ5kOUEUAAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrHDMc_BSj9GrzkrZl2zT2QVp1Hml8h7qs1PSWM_umvMyKRk5U0C7IbDSpdEpL9SGjWzBFHBXBXh10eLEioVh1N8-hXeNyfLJFSqXShYPooCX8UnlUnIQqgFhULy_o1f7ybLLbMELBomOnJZQKZuJoxj6UJgtERnAE1TZ5-nx4YkPHSrlOD5aYSF6Pziu2Xfh8UOMArIUMAoXe_RUoqULKSIHFsxXypPpCNDo1ddWsxId96BbDdPhHix2IWCuz3SNtKC6i_22qiQSxHJnT3NlcoxyMS0-9f9tSMSEOmrzCU0y5mbuw7-OGYPO8Na3juGParCuPQhE7ZJyXcwFkKodEdGs-C1U-f5Bc_imtik4B8x6sRB2pa-DOAueRQHsLdUUBQn6w5xRmZ97KKXxuL0A59EHbNhNu59EFoVJB6zTTT3hBHLFg7qL9g2nkfZLAlfpp9IfqnsoZVl9xT0CIbl7NvsRFnjpsyp6Sw4oFvyEHiXuRvKLkl3Jz8O56PJody2hHEeqXuQvnWbZ9nk00MPOvArQ7bKyoCusCPQQp64uoPSLW9G389a3ihHLiiNlzJik2dHWjez2wBpSPwZCOingPRi3Mtkh5pIbxfijejQmWZlXB_wf_GaNPYPGNRXYygeo-2OZ9koWDKhQ5S6GP5ktjGPfDtlh6EJNCHAIuuHbK2IN2vjbxdO4_YVLX1NKq0Hh51B4-zNdsiFlZuVsy5RyA3ZQZGsnR1NIKV_wm5jMmdDsgAA&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec
Please check if any of the below is your workaround
If your application audience is a single tenant, you must provide an authority with your tenant id as you tried first:
auth: {
clientId: 'your_client_id',
authority: 'https://login.microsoftonline.com/{your_tenant_id}'
}
};
By default, MSAL is configured to set the redirect URI to the current page that it is running on. If you would like to receive the authorization code on a different page than the one running MSAL, you can set this in the configuration. Any redirect URI used must be configured in the portal registration
If it is SPA, please check if you have selected platfom as SPA in app registration in portal and check the URIs type in the manifest file to be Spa . Make sure you do not have multiple platforms configured in azure (for eg both SPA & Web App for same localhost uri).
Try to give the redirect uri like this with ‘/’ at the end :http://localhost:4200/ or http://localhost:6735/ or redirecturi:'/' and make sure you configured the same uri in the application code and try again .
Make sure your client id and tenant id are given correctly. Local host is probably used while in development.If it still doesn’t work configure with https scheme in redirect uri in both app and in portal.
Reference:
AzureAD/microsoft-authentication-library-for-js (github.com)
Quickstart: | Microsoft Docs
Hey Guys after publish to Azure I get the following error when I want to login.
I checked the URL in my Code and the App Registration --> It's the same...
When i run with Azure domain: (I already created a new registered app)
We're unable to complete your request
unauthorized_client:
The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
When I run localhost login appears and I logging in it redirects
me to this:
The reply URL specified in the request does not match the reply URLs configured for the application
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'ace44f89-fa01-41a3-8d0c-f0835adb1065'.
Troubleshooting details:
Request Id: e9199aae-5431-4ca5-ae1e-ad2ab78f0a00
Correlation Id: cc29341a-f2bd-4b2b-a968-474c8203c493
Timestamp: 2021-04-13T07:32:21Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'ace44f89-fa01-41a3-8d0c-f0835adb1065'.
The client does not exist or is not enabled for consumers.
This error means you are using a Microsoft Account to login your client app, but it is not enabled for that.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
AADSTS50011: The reply URL specified in the request does not match the
reply URLs configured for the application
When you visit the application url , you will be redirected to the login page. Decode the authorization request url, you will find redirect_url, copy the value of redirect_url and paste it into the azure portal, and try again.
I've been following the guide in this repo to setup a resource token provider as an Azure function.
https://github.com/adamhockemeyer/Azure-Functions---CosmosDB-ResourceToken-Broker
I've setup the Cosmos DB, App registration, and Azure function with permissions according to the instructions. When I get to step 3 in the guide where I enter https://{function-url}/.auth/login/{provider} into my browser I get the following error.
ADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application: [App id]
Update
I changed the Reply URL in my App Registration to https://{function-url}/.auth/login/{provider}/callback with {function-url} as my Function App URL. Originally I had it set to one of my Function URL's. Now i'm getting a 404 not found error.
App Registration Redirect URL
Function App URL
Function App Authentication Settings
You need to add the URL as below in your app registration, then it should work.
Note: After adding the URl, go back to the Authentication / Authorization in your functionapp, turn off the Authentication Providers whcih you configured -> turn off Authentication / Authorization, then turn on and configure again, otherwise it seems not become effective.
https://{function-url}/.auth/login/{provider}/callback
Update:
Turn off all the configuration and create the new AD App like below.
I configured azure AD as an identity provider for my organization's application
whenever i try to access the application its redirecting the request to azure login. But I am getting a bad request error and its showing the below message
The SP name qualifier 'abc.xxxx.com' is not valid.
I am not sure if i have done something wrong.
Below is my configuration
SIGN ON URL
https://abc.xxxx.com/myapp/saml/ssoRequest?ticket=kcflmlmnpgg
ISSUER URL
https://abc.xxxx.com
REPLY URL
https://abc.xxxx.com/myapp/ssoResponse
The problem was when i was submitting the SAML request I was not prepending the 'http://' in the service provider name