B2C wildcards in redirect uri?

Question

JL 51

Hi,

We are looking to migrate our platform to b2c.

Each of our customer are allocated their own subdomain,
eg, disney.finance.mycompany.com, atlassian.finance.mycompany.com

We have about 500 such subdomains/customers to date.

In our previous provider, we configure the app redirect to accept wildcard for our subdomain: *.finance.mycompany.com

How can we achieve the same thing with b2c?

I have tried to modify the manifest file for the application, but it doesn't work.

thanks

1 answer

Answer 1

soumi-MSFT 11,831 Microsoft Employee Moderator

@JL , Wildcard redirect uris are something that are not supported by AAD or AAD B2C. One of the reasons behind this restriction is the security threat called Open Redirector. You can read more about this threat here:
https://www.rfc-editor.org/rfc/rfc6819#section-4.1.5
https://www.rfc-editor.org/rfc/rfc6819#section-4.2.4

Also, you can check the following url to understand the various restrictions that are imposed on the redirect uris in AAD and AAD B2C: https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url#maximum-number-of-redirect-uris

You can certainly add all the subdomains as a separate Redirect URI, but then that too has a limit of 256 redirect uris as listed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url#maximum-number-of-redirect-uris

JL 51 Reputation points

2021-10-19T07:34:12.277+00:00
Thanks for the reply.

In this case, what are my options, if I 1) can't use wildcard, and 2)have a limit of 256 redirect uris?

From the link about reply-url, it mentions using the state parameter and a shared redirect uri:

If you have several subdomains and your scenario requires that, upon successful authentication, you redirect users to the same page from which they started, using a state parameter might be helpful.

Does it mean:

when a user needs to sign in from a subdomain (eg, disney.finance.mycompany.com):

the subdomain initiates the sign in flow by sending the user to b2c, and specifies a shared redirect uri and some state info (ie, subdomain)

after the user authenticates, they are redirected to the shared redirect uri

The shared redirect uri is configured to extract the security tokens and read the state (subdomain)

The shared redirect uri then redirects the user back to the subdomain with the security tokens.

Is my understanding correct?

Do you have any example code for this ?
(example where a shared redirect uri service implementation extracts the token, reads the encoded state, and redirects the user back to the subdomain to complete the sign in?)

Is this achievable using the msaljs library?

Thanks!
Frederik Krautwald 1 Reputation point

2021-12-06T10:18:50.573+00:00

I would also like some more information on using a state parameter with MSALJS.