I have MS Azure AD B2C login set up in Blazor Server. The shared URL is https://login.subone.dev.mymaindomain.com. The redirect URL is https://login.subone.dev.mymaindomain.com/signin-oidc. It works perfectly. I have added another site: https://companyone.subone.dev.mymaindomain.com. The redirect URL is https://companyone.subone.dev.mymaindomain.com/signin-oidc. It works perfectly as well. I can even redirect (from my web app) between the "login" and "companyone" subdomains without logging in again. Good!
The problem is that I have more than 1000 subdomains, and B2C has a limit on the number of redirect URLs. If I add https://companytwo.subone.dev.mymaindomain.com without the corresponding https://companytwo.subone.dev.mymaindomain.com/signin-oidc and try to access "companytwo" from my app, I get an error.

From the MS site https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url#maximum-number-of-redirect-uris:

"Use a state parameter. If you have several subdomains and your scenario requires that, upon successful authentication, you redirect users to the same page from which they started, using a state parameter might be helpful. In this approach:

- Create a "shared" redirect URI per application to process the security tokens you receive from the authorization endpoint.
- Your application can send application-specific parameters (such as the subdomain URL where the user originated or anything like branding information) in the state parameter. When using a state parameter, guard against CSRF protection as specified in section 10.12 of RFC 6749.
- The application-specific parameters will include all the information needed for the application to render the correct experience for the user, that is, construct the appropriate application state. The Azure AD authorization endpoint strips HTML from the state parameter so make sure you are not passing HTML content in this parameter.
- When Azure AD sends a response to the "shared" redirect URI, it will send the state parameter back to the application.
- The application can then use the value in the state parameter to determine which URL to further send the user to. Make sure you validate for CSRF protection."
This is not working for me. The state parameter is a string that is not changed on the MS side, so I can send the redirect URL in this string and get it back. But I already know the redirect URL. And if I try to redirect, I get the error because there is no corresponding /signin-oidc. Could somebody point me in the right direction?
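The scheme the quoted Microsoft page describes, as an added example that is not part of the question and not the poster's Blazor code: a language-neutral model in Python of a single shared redirect URI whose `state` value carries the originating subdomain, signed with an HMAC and bound to a per-browser nonce for CSRF protection, with the decoded origin checked against an allowlist before the final redirect. The point it makes is that `redirect_uri` sent to B2C is always the one registered shared URI, never the per-company one; only the post-callback hop goes to the company subdomain. The tenant endpoint, client id, signing key and sample hosts are constructed placeholders, and this is not how the ASP.NET Core OpenIdConnect handler manages its own state internally.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: substitute the real B2C tenant, policy and app registration values.
AUTHORIZE_ENDPOINT = "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/POLICY/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
# The single redirect URI registered in B2C; every subdomain sends users here.
SHARED_REDIRECT_URI = "https://login.subone.dev.mymaindomain.com/signin-oidc"
# Server-side secret used to sign the state; load it from configuration in production.
STATE_KEY = secrets.token_bytes(32)
# Allowlist of hosts the shared callback may forward to (prevents an open redirect).
ALLOWED_HOST = re.compile(r"[a-z0-9-]+\.subone\.dev\.mymaindomain\.com")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_allowed_origin(host: str) -> bool:
    return ALLOWED_HOST.fullmatch(host) is not None


def make_state(origin_host: str, return_path: str = "/"):
    """Pack the originating subdomain into a signed state value; return (state, nonce)."""
    if not is_allowed_origin(origin_host):
        raise ValueError(f"refusing to encode unknown origin {origin_host!r}")
    nonce = secrets.token_urlsafe(16)  # stored in a browser cookie to bind the flow to this session
    payload = json.dumps({"o": origin_host, "p": return_path, "n": nonce},
                         separators=(",", ":")).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    # base64url contains no '<' or '>', so nothing here looks like HTML to the authorization endpoint
    return _b64(payload) + "." + _b64(tag), nonce


def build_authorize_url(origin_host: str, return_path: str = "/"):
    """Authorization request from any subdomain: redirect_uri is always the shared one."""
    state, nonce = make_state(origin_host, return_path)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": SHARED_REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), nonce


def verify_state(state: str, cookie_nonce: str):
    """Validate signature, CSRF nonce and origin allowlist; return the final redirect URL or None."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or not issued by this application
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    issued_nonce = str(data.get("n", "")).encode()
    if not hmac.compare_digest(issued_nonce, (cookie_nonce or "").encode()):
        return None  # CSRF: this state was not minted for this browser session
    origin = str(data.get("o", ""))
    if not is_allowed_origin(origin):
        return None
    path = str(data.get("p", "/"))
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        path = "/"  # only an absolute local path, never a scheme-relative URL
    return f"https://{origin}{path}"


def handle_callback(callback_url: str, cookie_nonce: str):
    """Shared /signin-oidc endpoint: after the token exchange, decide where to send the user."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    return verify_state(state, cookie_nonce)
```

The authorization request is built on whichever company subdomain the user started from, but it names only `SHARED_REDIRECT_URI`, so no per-company `/signin-oidc` needs to be registered; the callback at the login subdomain verifies the signature and the nonce, refuses any origin outside the allowlist, and only then issues the second redirect to the company host. In ASP.NET Core the OpenIdConnect handler already signs and encrypts its own state, so the equivalent of this model, to my understanding of that handler, is to override `ProtocolMessage.RedirectUri` in the `OnRedirectToIdentityProvider` event, read the origin back in `OnTicketReceived`, and scope the correlation, nonce and authentication cookies to the shared parent domain so the round trip that starts on one subdomain can complete on another.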