Azure AD App Registration Multiple URLs

devopsfj 256 Reputation points
2022-01-13T15:07:54.24+00:00

Good Afternoon,

I am currently building a containerized app which sits inside of an App Service container.

I am looking to implement Azure AD Authentication using App Registrations. Now my only issue is that you have to specify a redirect URL, which can only be one URL, and this is where the issue comes in: if I set the redirect URL to my production URL (example.com) and I was to access the website via azurewebsites.net, then after logging in with Azure AD the App Registration is going to redirect me to example.com, which becomes an issue as I sometimes want to access the App Service directly, not through other means (for example through an AppGw).

Is there no way to set an App Registration to redirect from the original URL specified, for example, what is the behaviour if this is left blank?

Hope that makes sense.

1 answer
  1. Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
    2022-01-14T04:47:33.117+00:00

    Hi @devopsfj ,

    One option I can think of is adding your-app.azurewebsites.net as a redirect URI and modifying your application so that the sign-in request passes the current host URL. Your application will create a login request

       https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
       client_id=6731de76-14a6-49ae-97bc-6eba6914391e
       &response_type=id_token
       &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F  /// <=== interpolate your redirect URI
       &scope=openid
       &response_mode=fragment
       &state=12345
       &nonce=678910


    where redirect_uri is set to whatever URL the client is currently on.

    Another option is using the state parameter to redirect the user to the same page they came from. But your app needs to be able to protect those parameters, as they could be compromised. This AAD blog post from 2019 illustrates how you would configure an ASP.NET MVC app through OWIN to use the state parameter by injecting the value through the RedirectToIdentityProvider notification:

       // In RedirectToIdentityProvider: OWIN stores its protected AuthenticationProperties in
       // state as "<key>=<protected value>"; unprotect it, add our own entry, then re-protect it.
       var stateQueryString = notification.ProtocolMessage.State.Split('=');
       var protectedState = stateQueryString[1];
       var state = notification.Options.StateDataFormat.Unprotect(protectedState);
       state.Dictionary.Add("MyData", "123");
       notification.ProtocolMessage.State = stateQueryString[0] + "=" + notification.Options.StateDataFormat.Protect(state);


    and reading it back out once authenticated

       // In a later notification (e.g. SecurityTokenValidated): the entry comes back only
       // through the same data-protection Unprotect, so a tampered state will not yield it.
       string mycustomparameter;
       var protectedState = notification.ProtocolMessage.State.Split('=')[1];
       var state = notification.Options.StateDataFormat.Unprotect(protectedState);
       state.Dictionary.TryGetValue("MyData", out mycustomparameter);

