0 Votes
JOCO-1665 asked SushmaGowda-5326 commented

The provided value for the input parameter 'redirect_uri' is not valid. Using Authentication/Authorization AAD

I'm using Authentication/Authorization from the App Service Settings. I already inputted my clientID which I created from App registration in Azure Active Directory and Issuer url as

https://login.microsoft.com/Tenant_ID/v2.0

Under my App Registration I set my redirect URLs as the following:

https://sample.azurewebsites.net/.auth/login/aad/callback
https://sample.azurewebsites.net/
https://sample.azurewebsites.net/menu/home

But I still get the redirect URI error:

We're unable to complete your request
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.






1 Vote
michev answered JOCO-1665 commented

Well are you adding the redirect uri as part of the token request? You can share the code sample.


I don't have the code part for the authentication yet. I did the authentication from the Azure Portal; I followed this tutorial under configuring with advanced settings.


0 Votes 0 ·
0 Votes
soumi-MSFT answered SushmaGowda-5326 commented

@JOCO-1665, thank you for reaching out. The redirect URI is something that AAD needs to know so that once AAD has finished preparing the requested token, it would post that token back to that redirect URI so that the application can consume it.


For your application, since I am not sure about the complete request that you are sending, let me share a sample request with which you can test.


https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client-id}&response_type=code&redirect_uri={redirect-uri}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345


This request uses the following scopes: openid, offline_access and https://graph.microsoft.com/.default. You can modify the scope as per your need and then try this request out. When you specify the redirect URI in this request, make sure that the same redirect URI is listed in the app registration too. If this request gets successfully submitted to AAD, you should receive a response in the following format:


https://{redirect-uri}#code=xxxxxxx


If this fails, do let us know the exact request that you are sending to AAD to fetch the code or the token so based on that we can help you further.


Hope this helps.


Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.





@soumi-MSFT Thanks for the info above. The redirect works now and it goes to https://{redirect-uri}#code=xxxxxxx?client_info=yyyyy?state=xyxyxy. Where exactly is the access token being sent? I have a JS front end and I'm using MSAL.js v.2; how do I send the access token to a PHP backend in order to validate and log in the user?
The documentation is not really helping. Because the redirect URI has '#'code, it is not sent to the backend by the browser.
How can I send the access token to the backend?



0 Votes 0 ·
0 Votes
SeanKilleen answered JOCO-1665 commented

Posting it here just in case it happens to be relevant or useful.

I was getting this error despite using an out of the box template and setting things up as described.

Turns out my application, which was in a container, needed to modify some additional steps (specifically, forwarding some headers) before things would work.

I wrote it up in a blog post here: https://seankilleen.com/2020/06/solved-net-core-azure-ad-in-docker-container-incorrectly-uses-an-non-https-redirect-uri/

Published it ahead of schedule in case you might find it useful.


Thanks for this! I'm currently developing using Angular and a Docker container is involved, but I'll check this one out.

0 Votes 0 ·
0 Votes
JOCO-1665 answered soumi-MSFT commented

@soumi-MSFT


Here's my login request:


https://login.microsoft.com/{tenantid}/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fsample.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id={clientID}&scope=openid+profile+email&response_mode=form_post&nonce={some numbers that I dont know}&state=redir%3D%252F




I just followed the steps under "Configure with advanced settings".


https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad


I have also tried the login request that you have sent, but it causes a loop; even after I input my user and pass, it goes back to the login page again.




@JOCO-1665, I apologize for the delay in my response. I did check your request and it looks good to me. It looks like we would have to dig a little deeper to understand where the failure is.

To go ahead with this, it would be great if you can send an email to "azcommunity[at]microsoft[dot]com" and share the following details with us:
Tenant ID:
Subscription ID:

Do not forget to share the URL of this issue so that it's easier for me to pick this email up and go ahead further with the troubleshooting.

0 Votes 0 ·
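
An added example, not part of the original thread: a small Python check that pulls redirect_uri out of an authorize request like the one posted above and compares it with the redirect URIs registered in the question, including the non-https case from the container answer. The exact string comparison, the TENANT_ID and CLIENT_ID placeholders, and the function names are this example's assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URIs listed in the question's app registration.
REGISTERED = [
    "https://sample.azurewebsites.net/.auth/login/aad/callback",
    "https://sample.azurewebsites.net/",
    "https://sample.azurewebsites.net/menu/home",
]

# Constructed requests; TENANT_ID and CLIENT_ID are placeholders.
BASE = ("https://login.microsoft.com/TENANT_ID/oauth2/v2.0/authorize"
        "?response_type=code+id_token&client_id=CLIENT_ID"
        "&scope=openid+profile+email&response_mode=form_post&redirect_uri=")
GOOD = BASE + "https%3A%2F%2Fsample.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback"
PLAIN_HTTP = BASE + "http%3A%2F%2Fsample.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback"
EXTRA_SLASH = BASE + "https%3A%2F%2Fsample.azurewebsites.net%2Fmenu%2Fhome%2F"


def extract_redirect_uri(authorize_url):
    """Return the decoded redirect_uri of an authorize request, or None."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    return values[0] if values else None


def diagnose(authorize_url, registered=REGISTERED):
    """Return ("match", uri) or ("mismatch", [reasons]).

    Assumption of this example: a URI matches only if it is string-identical
    to a registered one.
    """
    sent = extract_redirect_uri(authorize_url)
    if sent is None:
        return ("mismatch", ["request carries no redirect_uri parameter"])
    if sent in registered:
        return ("match", sent)
    reasons = []
    s = urlsplit(sent)
    for reg in registered:
        r = urlsplit(reg)
        if s.scheme != r.scheme and s[1:] == r[1:]:
            reasons.append(f"scheme is {s.scheme}, registered as {reg}")
        elif sent.rstrip("/") == reg.rstrip("/"):
            reasons.append(f"trailing slash differs from {reg}")
        elif sent.lower() == reg.lower():
            reasons.append(f"letter case differs from {reg}")
    return ("mismatch", reasons or [f"{sent} is not registered"])


if __name__ == "__main__":
    for name, url in [("good", GOOD), ("http", PLAIN_HTTP), ("slash", EXTRA_SLASH)]:
        print(name, diagnose(url))
```

Paste the authorize URL from the browser's address bar or network trace in place of the constructed requests to see which registered entry, if any, the request actually matches.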