Trouble signing in with OAuth2 for certain Microsoft accounts: redirect_uri is not valid

David Howard 35 Reputation points
2023-03-13T20:03:36.7733333+00:00

Hello,

I have been successful setting up a web application that uses Microsoft as an OAuth2 provider server. I've done so by registering an application in the Azure cloud console. Users from the same domain as the application can now use their Microsoft account to authenticate with the web app. However, when I try to use some other accounts (for example, a hotmail account) I am unsuccessful. This is unfortunate as I am trying to make it so that any Microsoft users can use OAuth2 to sign up with my app.

For example, when I initiate the signin process, I end up at a URL like the following:

https://login.microsoft.com/{clientid}/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&scope=email%20profile%20openid&response_mode=form_post

I then see a login prompt. However, when I input certain emails I end up at the following URL (removing the parameters that may reveal sensitive info):

https://login.live.com/oauth20_authorize.srf?response_type=code&client_id={client_id}&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoft.com%2fcommon%2ffederation%2foauth2msa&state={long_state_string}&estsfed={estsfed}&uaid={uaid}&fci={fci}&username={username}&login_hint={offending_email}

The page then displays the following message:

We're unable to complete your request

invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

As you can see, I am being redirected to https://login.microsoft.com/common/federation/oauth2msa. I assume there is some sort of additional OAuth processes going on in the background that are causing problems.

Any help would we greatly appreciated! I haven't had any luck researching this issue on my own.


Accepted answer
  1. Paul Schreiber 80 Reputation points
    2023-03-14T22:31:48.02+00:00

    The problem was the OAuth sign-in URL. We were using:

    https://login.microsoft.com/{MICROSOFT_TENANT_ID}/oauth2/v2.0/

    …where MICROSOFT_TENANT_ID is our actual tenant ID.

    The solution was to use:
    https://login.microsoft.com/common/oauth2/v2.0/

    We were able to figure this out by having someone else log in with their corporate Microsoft account, which displayed a detailed error message:

    AADSTS50020: User account 'mailto:******@yyyy.com' from identity provider 'https://sts.windows.net/xxxxxxxx-bdae-4a06-a5a7-xxxxx/' does not exist in tenant 'Default Directory' and cannot access the application 'd9e27c47-838c-4608-8121-d177d0d9d15e'(Terraso) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    We then Googled AADSTS50020 and found "Error AADSTS50020 - User account from identity provider does not exist in tenant." The section Cause 2 detailed our problem. I reviewed the Python sample code and made adjustments.

    We are now able to successfully sign in with both our corporate email addresses and @hotmail.com addresses.

    The outside user now gets a different error:

    AADSTS165000: Invalid Request: The request tokens do not match the user context. Do not copy the user context values (cookies; form fields; headers) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Token values do not match;]

    Turns out the OAuth URL still isn't right. As noted in "Why does Azure Active Directory OAuth work for me and no one else?" on StackOverflow:

    The authorization endpoint is wrong. It should be https://login.microsoftonline.com/... instead of https://login.microsoft.com/....

    So we switched it to https://login.microsoft.com/common/oauth2/v2.0/ and everything works.

    1 person found this answer helpful.

1 additional answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-03-15T12:07:09.94+00:00

    Hi @David Howard ,

    Thanks for reaching out.

    I understand you are trying to authenticate all the Microsoft users to your application, but your application currently authenticates users in your tenant.

    The reason your application is not allowed to authenticate all Microsoft users is that you registered your application as single-tenant, which only allows accounts from a single directory.

    You need to register your application as multi-tenant with the supported account type below:

    User's image

    which will allow users from other tenants as well as users with personal Microsoft accounts to sign in. If your sign-in audience is Microsoft accounts, you can select 'Personal Microsoft accounts only' as well.

    In the OAuth request, the {tenant} value in the path of the request can be used to control who can sign in to the application. Valid values are common, organizations, and consumers, depending on the type of audience.

    Reference: https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
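The two misconfigurations discussed in this thread (a tenant-specific authority that shuts out personal accounts and other tenants, and the wrong login host) can be caught before a user ever sees AADSTS50020 or the redirect_uri error. The following is an added example, not code from either answer or from Microsoft: it builds a v2.0 authorize URL from a validated tenant selector and an exact-match redirect URI allow-list, and it flags an existing URL that uses the wrong host or a mistyped tenant. The allow-list, client ID, scopes and the tenant GUID in the test are constructed placeholders.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the redirect URIs registered on the app registration.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/auth/callback"}

# Audience selectors named in the thread; a tenant GUID selects a single tenant.
AUDIENCE_SELECTORS = {"common", "organizations", "consumers"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
AUTHORITY_HOST = "login.microsoftonline.com"  # not login.microsoft.com


def is_valid_tenant(tenant):
    """True for common/organizations/consumers or a tenant GUID; rejects typos."""
    return tenant in AUDIENCE_SELECTORS or bool(GUID_RE.match(tenant))


def authority_for(tenant):
    """Return the v2.0 authority for a tenant selector or tenant ID."""
    if not is_valid_tenant(tenant):
        raise ValueError(f"unknown tenant selector: {tenant!r}")
    return f"https://{AUTHORITY_HOST}/{tenant}/oauth2/v2.0"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Build the /authorize URL; redirect_uri must exactly match a registered value."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered for this client")
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_mode": "form_post",
        "state": state,  # caller-generated, unguessable, checked on return
    }
    return f"{authority_for(tenant)}/authorize?{urlencode(query)}"


def diagnose_authorize_url(url):
    """Report the misconfigurations from the thread found in an authorize URL."""
    parts = urlsplit(url)
    tenant = parts.path.strip("/").split("/")[0]
    problems = []
    if parts.netloc != AUTHORITY_HOST:
        problems.append("wrong authority host")
    if not is_valid_tenant(tenant):
        problems.append("unknown tenant selector")
    elif GUID_RE.match(tenant):
        problems.append("single-tenant authority: only that tenant's users can sign in")
    return problems
```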

