Azure AD B2C does not respect redirect_uri

Dzenan 65 Reputation points
2023-03-22T10:09:25.8133333+00:00

Azure AD B2C does not always respect the redirect_uri specified in the authentication request using the authorization code flow.

  1. Create app reg in B2C
  2. Add https://random1.com/signin-oidc as redirect uri
  3. Verify it works from your app
  4. Add https://random2.com/signin-oidc as redirect uri
  5. Verify it works from your app on a new domain
  6. User gets sent to https://random1.com/signin-oidc and not https://random2.com/signin-oidc even if the initial redirect to B2C contains ...&redirect_uri=https://random2.com/signin-oidc

Often occurs when you have a dev environment where you want to reuse the same app reg for localhost development but also have a URL when it's deployed to the dev environment.

Am I doing something wrong or is this a bug?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

3 answers

  1. Dzenan 65 Reputation points
    2023-04-04T11:44:30.2133333+00:00

    I can provide a browser trace if strictly needed, but this happens consistently when you have two redirect URLs registered. Development on localhost works fine if I only have https://localhost/signin-oidc registered, but when I add a new one, one of them breaks.

    1 person found this answer helpful.

  2. Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2023-03-28T13:31:45.13+00:00

    @Dzenan

    Kindly validate the Redirect URL configured in the application code. In the Azure portal, the redirect URIs that you register on the Authentication page for your application need to match these URLs.


    If this does not help then we need to have a browser trace while trying to reproduce the issue, or a Fiddler trace would help.

    Please do let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.


  3. Nitish Chauhan 81 Reputation points
    2023-05-18T20:46:56.3466667+00:00

    I was able to reproduce this simply by getting access tokens from the /authorize endpoint while using custom policies so.....

    POST:
    https://tenantName.b2clogin.com/tenantName.onmicrosoft.com/OUR-POLICY-NAME/oauth2/v2.0/authorize

    I would pass in a callback URL and it would not return the same one or say it doesn't exist in app registration even if I clearly see that it does (and waited a period of time after adding).

    I was able to resolve this by creating a new App Registration with only a single Redirect URI. It also seemed to help to create a new nonce ID.

    Very concerning behavior for mobile app users, since these app registration IDs are loaded as build configurations and would require app updates to resolve.
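A small client-side consistency check for the situation described in the question and in this answer, added here as an example and not code from the thread: it builds the B2C authorize request against the policy endpoint shape quoted above with an explicit redirect_uri and state, then checks that the callback actually landed on the redirect_uri that was requested before the authorization code is used. The tenant, policy name and client_id are placeholders; the two callback URLs are the ones from the question.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (not from the thread): tenant, custom policy and app registration id.
TENANT = "tenantName"
POLICY = "B2C_1A_EXAMPLE_POLICY"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"

def build_authorize_url(redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization code request to the B2C policy endpoint, with an explicit redirect_uri."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{POLICY}/oauth2/v2.0/authorize")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,          # bound to the user's session on the requesting host
        "nonce": nonce,
        "response_mode": "query",
    }
    return f"{base}?{urlencode(params)}"

def check_callback(requested_redirect_uri: str, expected_state: str, callback_url: str) -> list:
    """Return findings for a callback; an empty list means it is consistent with the request.

    The first finding is exactly the symptom from the question: the request asked for
    random2.com but the user (and the code) arrived at random1.com. A callback handler
    should refuse to redeem a code in that case instead of silently continuing.
    """
    findings = []
    req, cb = urlparse(requested_redirect_uri), urlparse(callback_url)
    if (cb.scheme, cb.netloc, cb.path) != (req.scheme, req.netloc, req.path):
        findings.append(f"redirect_uri mismatch: requested {requested_redirect_uri}, "
                        f"landed on {cb.scheme}://{cb.netloc}{cb.path}")
    qs = parse_qs(cb.query)
    if qs.get("state", [None])[0] != expected_state:
        findings.append("state mismatch: callback does not belong to this session")
    if "code" not in qs and "error" not in qs:
        findings.append("callback carries neither code nor error")
    return findings

if __name__ == "__main__":
    url = build_authorize_url("https://random2.com/signin-oidc", "s1", "n1")
    print(url)
    # Constructed callback reproducing the reported behaviour: sent to random1 instead of random2.
    print(check_callback("https://random2.com/signin-oidc", "s1",
                         "https://random1.com/signin-oidc?code=abc&state=s1"))
```

Logging the first finding on every callback gives a cheap way to tell a B2C-side redirect problem apart from a misconfigured redirect_uri in the app, which is what the moderator's answer asks to rule out first.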

