are redirect urls ignoring port

Question

are redirect urls ignoring port

drdamour 11

asked at https://github.com/MicrosoftDocs/azure-docs/issues/47893 and directed here

when you setup redirect urls, is the port number considered? I've noticed that i only put my localhost:5001 kestral url but if i switch to IIS express on 43215 everything works without issue as well as if the port is totally ignored.

Answer 1

Marilee Turscak-MSFT 22,286 Microsoft Employee

They are not ignoring the port. Each URL with a different port should be distinct. My guess is that you have two URLs registered for the application. If that is the case the Azure portal may do this change for you.

If you only had one URL registered you would get an error about an invalid reply url.

Check under the registration for that application to see if you have both URLs registered.

drdamour 11 Reputation points

2020-02-19T02:56:08.227+00:00
i double and triple checked, we only have 1 entry for localhost, for port 5001. These are set through our terraform which only has one for localhost. There are 3 total does that matter?

my requested reply is localhost 44315 as seen in this pic

using implicit tokens if that matters.

could this be an tennant setting my org has flipped?

Another test case:

set reply url to https://localhosts:5001/login/ad-reply (note the extra s)

ran with port 44317 so redirect was localhost:44317

verified i got reply url not set error (since hosts don't match)

switched reply url to https://localhost:5001/login/ad-reply (removed the s, but port is still wrong)

attempted to login and SUCCESS (if port was considered this should fail)

certainly seems like port is being ignored.
Marilee Turscak-MSFT 22,286 Reputation points Microsoft Employee

2020-02-19T22:03:26.88+00:00

You can still run the application if the reply URL doesn't match (not sure if that was what you were trying to do the first time).

"If I switch to IIS express on 43215 everything works without issue as well as if the port is totally ignored."

What exactly is your doubt?
drdamour 11 Reputation points

2020-02-19T22:55:12.33+00:00
this is not run, this is attempt to login.

please assume for a second that you may possibly be incorrect and read my test case, then explain it.

set reply url to https://localhosts:5001/login/ad-reply (note the extra s)

ran with port 44317 so redirect was localhost:44317

verified i got reply url not set error (since hosts don't match) when trying to login

switched reply url to https://localhost:5001/login/ad-reply (removed the s, but port is still wrong)

attempted to login and SUCCESS (if port was considered this should fail)
Marilee Turscak-MSFT 22,286 Reputation points Microsoft Employee

2020-02-25T19:47:47.187+00:00

Thank you for clarifying. I wasn't trying to make an assumption but my product team contact wanted to confirmation from you - thanks for that!

In that case, you should not be able to sign in. Could you create a new application and try again? The issue may be exclusive to the current application.
drdamour 11 Reputation points

2020-02-25T19:54:08.847+00:00

I have tried 3 different app regs across 2 subscriptions with same results. They are all in same tennent

Answer 2

Hirsch Singhal [MSFT] 11

Just a heads up here - Azure AD follows the OAuth 2.0 spec here, which states that specifically for loopback redirects an exact match is required except for the port URI component on localhost requests. It is expected that on localhost you can choose any port. We will look into updating the portal to make this more obvious and not allow localhost port components.

Chris DaMour 1 Reputation point

2020-07-17T17:50:11.583+00:00

ahhh...well that would explain it. thx!

Answer 3

Hi I am having some trouble redirecting back to application once authentication is completed. I have a redirect URL https://myapp.domain.com.au:4443/project/saml/acs
but when azure redirects, it does to http://192.168.200.229/project/saml/acs.

I check while signing in the MS login page, the redirect url has redirect parameter https://myapp.domain.com.au:4443/project/saml/acs and after login it does take to https://myapp.domain.com.au:4443/project/saml/acs but my debug gets error
"The response was received at http://192.168.200.229/project/saml/acs instead of https://myapp.domain.com.au:4443/project/saml/acs "

I have no idea whats happening, any suggestions ??

Answer 4

Hi @Marilee Turscak-MSFT,

I bumped into the same issue.

Registered redirect URLs:

http://localhost:8000
http://localhost:8001

When I specify redirect_url=8000 the IDP redirects back to 8001, this is not expected behavior, the redirect_url URL should be used.

The current behavior is [probably]:

Verify that redirect_url matches one of the registerd application URLs
Select random redirect_url out of the approved application URLs (probably the last)
Redirect to URL selected by (2)

Expected behavior:

Verify that redirect_url matches one of the registered application URLs
Redirect to URL specified in (1)

Rational: The application may run multi-instance or crash in which the port is already allocated, we would like to use port range in order to allow redundency/concurrency.

Please let me know if there is a better forum to discuss this.

Thanks,

are redirect urls ignoring port

4 answers

Activity