AADSTS50011 with AWS Cognito

Pascal Liu 46 Reputation points
2020-12-09T23:06:43.817+00:00

Hello !

I configured an AWS Cognito user pool and added an Azure AD as OIDC identity provider.
For some reason I encounter the "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application" error.

I looked at the other issues and I paid attention to have the same redirect URL in the Cognito app as well as in the Azure AD app.

I tried to add many different URLs as well but still without success.

Request Id: 3d1858ea-795e-423a-b564-c47c00613800
Correlation Id: df4a9a75-a8d0-4f59-8120-cc3805d34b6d
Timestamp: 2020-12-09T23:03:48Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '75b18685-d413-4ff5-8f5d-2241da947552'.

Thanks for your help



Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-12-10T10:56:09.697+00:00

    Hello @Pascal Liu , thank you for reaching out. Based on the details shared above, I did check the backend logs using the correlationID and timestamp and I did see a mismatch in the Redirect_URIs, the one sent in the request and the ones configured in your app registration.

    From the backend logs what I found is:

    Redirect_URIs configured in App Registration in AAD:

    • ReplyAddressValue:https://www.pldev.fr/auth
    • ReplyAddressValue:https://www.pldev.fr/auth/oidc
    • ReplyAddressValue:https://www.pldev.fr
    • ReplyAddressValue:https://cyconia.auth.eu-west-3.amazoncognito.com/login
    • ReplyAddressValue:https://cyconia.auth.eu-west-3.amazoncognito.com

    The following redirect_URI present in the request, i.e. https://cyconia.auth.eu-west-3.amazoncognito.com/oauth2/idpresponse, is nowhere available in the list of the reply_urls configured in the App Registration.

    To fix this issue, either you update the request with the right redirect_url or you add the redirect_url present in your current request into the reply_url section of your app registration. The bottom line is the reply_url/redirect URI being sent in the request should always match with the redirect_url/reply_url configured in the app registration in AAD.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

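The matching rule the answer describes (the redirect_uri sent in the authorization request must appear, as-is, in the app registration's reply URL list) can be checked locally before looking at any AADSTS error. The script below is an added example, not code from the answerer, Microsoft or AWS: it takes the five reply URLs quoted in the answer, pulls redirect_uri out of a constructed authorize request (client_id and state are placeholders), and reports whether it would match. The comparison policy is the example's assumption: scheme and host are lower-cased, path and query are compared exactly, and a trailing slash is significant, so `/oauth2/idpresponse` fails while the Cognito hosted-UI domain alone, or `/login`, would pass.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Reply URLs exactly as listed in the accepted answer above.
CONFIGURED_REPLY_URLS: List[str] = [
    "https://www.pldev.fr/auth",
    "https://www.pldev.fr/auth/oidc",
    "https://www.pldev.fr",
    "https://cyconia.auth.eu-west-3.amazoncognito.com/login",
    "https://cyconia.auth.eu-west-3.amazoncognito.com",
]

# Constructed authorize request; client_id and state are placeholders, the
# redirect_uri is the Cognito one the answer found in the backend logs.
SAMPLE_AUTHORIZE_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=APP_ID_PLACEHOLDER"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcyconia.auth.eu-west-3.amazoncognito.com%2Foauth2%2Fidpresponse"
    "&scope=openid%20profile%20email"
    "&state=STATE_PLACEHOLDER"
)


def normalize(url: str) -> str:
    """Lower-case scheme and host only (assumed policy); path and query are
    left untouched, so '/login' and '/login/' remain distinct reply URLs."""
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


def redirect_uri_from_authorize_request(authorize_url: str) -> Optional[str]:
    """Extract the (URL-decoded) redirect_uri parameter from an authorize URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    return values[0] if values else None


def check_redirect_uri(redirect_uri: str, configured: List[str]) -> Tuple[bool, str]:
    """Return (matches, explanation). A miss on the same host but a different
    path is the situation in this thread, so the explanation lists the
    configured URLs that share the host to make the gap obvious."""
    target = normalize(redirect_uri)
    allowed = {normalize(u) for u in configured}
    if target in allowed:
        return True, "redirect_uri matches a configured reply URL"
    host = urlsplit(target).netloc
    same_host = sorted(u for u in allowed if urlsplit(u).netloc == host)
    hint = f"; reply URLs on the same host: {same_host}" if same_host else ""
    return False, f"redirect_uri {redirect_uri!r} is not in the configured reply URLs{hint}"


if __name__ == "__main__":
    sent = redirect_uri_from_authorize_request(SAMPLE_AUTHORIZE_REQUEST)
    ok, why = check_redirect_uri(sent or "", CONFIGURED_REPLY_URLS)
    print("OK" if ok else "AADSTS50011 expected", "-", why)
```

Running it against the request from this thread reports the mismatch and lists the two Cognito URLs that were registered instead; adding `https://cyconia.auth.eu-west-3.amazoncognito.com/oauth2/idpresponse` to the list makes the check pass. For a Cognito user pool with a hosted-UI domain, that `/oauth2/idpresponse` path is the redirect Cognito itself sends to the upstream identity provider, independent of the callback URL configured for your own application.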

1 additional answer

  1. Pascal Liu 46 Reputation points
    2020-12-10T12:29:26.277+00:00

    Thank you very much. It indeed solved the issue, I didn't have the right Redirect_URI generated by Cognito. I assumed the URL would be either the one I set as callback in my Cognito app, or the URL from which I access the login page.
    It's now working.

    I do have an additional problem as it properly returns the user to https://www.pldev.fr/auth/oidc after login (which is my callback URL set in Cognito), but with the following GET error:
    https://www.pldev.fr/auth/oidc?error_description=pldev-azuread+Error+-+401+error+getting+token&error=invalid_request#

    Shall I open another ticket for this or can you help directly here?
    Thank you very much