I can provide a browser trace if strictly needed, but this happens consistently when you have two redirect URLs registered. Development on localhost works fine if I only have https://localhost/signin-oidc registered, but when I add a new one, one of them breaks.
Azure AD B2C does not respect redirect_uri
Azure AD B2C does not always respect the redirect_uri specified in the authentication request using the authorization code flow.
- Create app reg in B2C
- Add https://random1.com/signin-oidc as redirect uri
- Verify it works from your app
- Add https://random2.com/signin-oidc as redirect uri
- Verify it works from your app on a new domain
- User gets sent to https://random1.com/signin-oidc and not https://random2.com/signin-oidc even if the initial redirect to B2C contains ...&redirect_uri=https://random2.com/signin-oidc
This often occurs when you have a dev environment where you want to reuse the same app reg for localhost development but also have a URL when it's deployed to the dev environment.
Am I doing something wrong or is this a bug?
3 answers
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
2023-03-28T13:31:45.13+00:00 Kindly validate the Redirect URL configured in the application code. In the Azure portal, the redirect URIs that you register on the Authentication page for your application need to match these URLs.
If this does not help, then we need to have a browser trace while trying to reproduce the issue, or a Fiddler trace would help.
Please do let me know if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.
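As an added illustration (not code from this thread or from Microsoft), here is a Python sketch of the two client-side checks the answer above asks for: refuse to send an authorize request whose redirect_uri is not registered verbatim, and on the callback confirm the browser actually landed on the redirect_uri that was requested, with a matching state. The tenant name contoso, the policy name B2C_1A_SIGNIN, the client id and the registered URIs are constructed placeholders; the authorize URL layout follows the one quoted later in the thread.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample registration mirroring the two-URI setup in the question.
REGISTERED_REDIRECT_URIS = {
    "https://localhost/signin-oidc",
    "https://random2.com/signin-oidc",
}


def redirect_uri_is_registered(candidate, registered):
    """Exact string comparison, as RFC 6749 requires: no prefix, host-only
    or trailing-slash tolerance, because that is what the server enforces."""
    return candidate in registered


def build_authorize_url(tenant, policy, client_id, redirect_uri, state, nonce):
    """Build the B2C authorize URL (hypothetical tenant/policy/client values),
    refusing to redirect the user at all if redirect_uri is not registered."""
    if not redirect_uri_is_registered(redirect_uri, REGISTERED_REDIRECT_URIS):
        raise ValueError(f"redirect_uri not registered verbatim: {redirect_uri}")
    base = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,   # bound to the user's session before redirecting
        "nonce": nonce,   # later compared against the ID token's nonce claim
    }
    return f"{base}?{urlencode(params)}"


def check_callback(callback_url, expected_redirect_uri, expected_state):
    """Return a list of problems found on the callback, empty when it is clean.
    Catches the symptom from the question: landing on the other registered URI."""
    parts = urlsplit(callback_url)
    landed = f"{parts.scheme}://{parts.netloc}{parts.path}"
    qs = parse_qs(parts.query)
    problems = []
    if landed != expected_redirect_uri:
        problems.append(f"landed on {landed}, expected {expected_redirect_uri}")
    if qs.get("state", [None])[0] != expected_state:
        problems.append("state does not match the value sent in the request")
    if "code" not in qs:
        problems.append("no authorization code in callback")
    return problems
```

These checks cannot change what B2C does with the request; they only make a mismatch like the one reported fail loudly in the application instead of silently completing sign-in on the wrong URI.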
Nitish Chauhan 81 Reputation points
2023-05-18T20:46:56.3466667+00:00 I was able to reproduce this simply by getting access tokens from the /authorize endpoint while using custom policies so.....
POST: https://tenantName.b2clogin.com/tenantName.onmicrosoft.com/OUR-POLICY-NAME/oauth2/v2.0/authorize
I would pass in a callback URL and it would not return the same one, or it would say it doesn't exist in the app registration even if I clearly see that it does (and waited a period of time after adding).
I was able to resolve by creating a new App Registration with only a single Redirect URI. Also seemed to help to create a new nonce id.
Very concerning behavior for mobile app users, since these app registration IDs are loaded as build configurations and would require app updates to resolve.