3,286 questions
Web Redirect URIs for Azure AD B2C don't work when URI contains combination of subdomain and port.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 36%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
John Payne
0
Reputation points
When using Azure AD B2C to register a SAML\OpenID application, the Redirect URI attribute never seems to match when the URI contains a sub-domain and port number. Individually these work OK. This also doesn't affect regular Entra ID, only Azure AD B2C.
E.g. setting the Redirect URI values below produces the following outcomes:
| Redirect URI | Result |
|---|---|
| https://sub.localhost.com/path/more | OK |
| https://localhost.com:443/path/more | OK |
| https://sub.localhost.com:443/path/more | Broken |
When broken, the authorize endpoint always returns:
error_description=AADB2C90006:
The redirect URI 'https://sub.localhost.com:443/path/more' provided in the request is not registered for the client id '<client_id>'.
Furthermore, changing the Redirect URI to something that works afterwards results in the app always being in a broken state.
Can reproduce sending the following request via Postman:
https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<Policy>/oauth2/v2.0/authorize?client_id=<client_id>&redirect_uri=https%3A%2F%2Fsub.localhost.com%3A443%2Fpath%2Fmore&scope=openid+profile+email&response_type=code&state=345345345&nonce=67546363
This doesn't appear to be listed in the restrictions documentation below so may be a possible bug?
https://learn.microsoft.com/en-us/entra/identity-platform/reply-url
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator2024-04-04T07:20:58.33+00:00 Hi @John Payne ,
Thanks for reaching out.
Did you try with wild card in the URL? The reply URL can be set with * (wildcard character) via the App Manifest.
You need to make sure your application is registered with be below supported type only to support wildcard character.
Thanks,
Shweta
-
John Payne 0 Reputation points
2024-04-04T08:38:36.7366667+00:00 Thanks Shweta, I didn't try wildcards as they aren't recommended according to the documentation (https://learn.microsoft.com/en-us/entra/identity-platform/reply-url)
Wildcard URIs like
https://*.contoso.commay seem convenient, but should be avoided due to security implications.Furthermore, in this use case, we need to use user flows so need to select the third supported account type.
-
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
2024-04-08T06:40:39.93+00:00 Yes that's correct , that not the ideal scenario.
I am also trying to understand why you would explicitly specify the port when it is the standard port for HTTPS.
Sign in to comment
Sign in to answer