This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 6%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I have MS Azure B2C AD login setup in Blazor Server. The shared URL is https://login.subone.dev.mymaindomain.com. The redirect URL is https://login.subone.dev.mymaindomain.com/signin-oidc. It works perfectly. I have added another site: https://companyone.subone.dev.mymaindomain.com. The redirect URL is https://companyone.subone.dev.mymaindomain.com/signin-oidc. It works perfectly as well. I even can redirect (from my web app) between the "login" and "companyone" subdomains without login. Good!
The problem is that I have more than 1000 subdomains and the B2C redirect /signin-oidc has a limit on a number of redirect URLs. If I add https://companytwo.subone.dev.mymaindomain.com without corresponding https://companytwo.subone.dev.mymaindomain.com/signin-oidc and trying to access to "companytwo" from my app I am getting an error. From MS site https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url#maximum-number-of-redirect-uris: Use a state parameter If you have several subdomains and your scenario requires that, upon successful authentication, you redirect users to the same page from which they started, using a state parameter might be helpful. In this approach: Create a "shared" redirect URI per application to process the security tokens you receive from the authorization endpoint. Your application can send application-specific parameters (such as the subdomain URL where the user originated or anything like branding information) in the state parameter. When using a state parameter, guard against CSRF protection as specified in section 10.12 of RFC 6749). The application-specific parameters will include all the information needed for the application to render the correct experience for the user, that is, construct the appropriate application state. The Azure AD authorization endpoint strips HTML from the state parameter so make sure you are not passing HTML content in this parameter. When Azure AD sends a response to the "shared" redirect URI, it will send the state parameter back to the application. The application can then use the value in the state parameter to determine which URL to further send the user to. Make sure you validate for CSRF protection.
This is not working for me. The state parameter is a string that is not changing on the MS side. So I can send and get the redirect URL in this string. But I already know the redirect URL. And if I try to redirect then I get the error because there is no corresponding /signin-oidc. Could somebody point me in the right direction?
You can add more Azure B2C "App Registrations"
Basically, add as many as you need. Each can have a set of redirect URLs.
Your application will just need to pass the proper ClientID associated with the redirect URL you need. But this will work for you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 42%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
I have the same requirement. Please advise if you find an answer
Hi Michael,
Yes, this would work, but it looks like a workaround. I would expect that there is a solution on my application level. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
The suggestion is having a single reply url for all subdomains and passing state so this reply url can figure out the subdomain to redirect to after completing authentication.
Note: typically site authentication would include the return url as state.
(Extra post to display previous)
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more