AAD - Getting "Invalid redirect URI" despite having it registered

Tynstar81 26 Reputation points
2022-08-13T09:27:03.143+00:00

I implemented Azure login in my app and it works fine on localhost.

However, after deploying the code to production, I suddenly get this error:

AADSTS90023: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
Trace ID: 9c0f7ffc-a823-4fee-8463-7e73c0ef2f00
Correlation ID: 097e62b7-8e34-47aa-93f1-1258390c6bac
Timestamp: 2022-08-13 08:59:38Z

The redirect_uri value sent by my application is https://my.chronolink.app/api/microsoft/login/finish, and precisely that value is one of the web redirect URIs in my app registration. Based on my understanding of Redirect URI (reply URL) restrictions and limitations, I believe this URI to be entirely valid.

This is the authorization request URL constructed by MSAL4J for the attempt above:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=openid+profile+offline_access+User.Read&response_type=code&redirect_uri=https%3A%2F%2Fmy.chronolink.app%2Fapi%2Fmicrosoft%2Flogin%2Ffinish&state=1c51a904-1284-4ee9-a035-2b0797753549&nonce=0fe1dfea-905b-43b5-afad-ba500c073115&prompt=select_account&client_id=b317b17f-b1bc-4e98-a58c-d7170c992b77&response_mode=query

Although the error message does not mention anything about domains or domain verification, I suspected the problem may lie there. So I added both chronolink.app and my.chronolink.app as custom domains to AAD, then selected chronolink.app as the primary one. I also selected that domain for the app registration's "Branding & properties" publisher domain. But all that didn't fix the problem.

Is this maybe related to "Publisher verification"? The branding & properties page says this:

Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers.

I'm not sure what this means exactly, or whether it even applies to my app. If it does, I sure would expect to get a more specific error message than "redirect_uri is not valid", though.

Please help!


1 answer

  1. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2022-08-17T22:08:01.043+00:00

    Hi @Tynstar81,

    Thanks for your post! Since your application is working in localhost, I'm suspecting that the issue has to do with which URL is being defaulted to in the app registration. If you do not specify a Redirect URI in your Login URL, the user will be redirected to the first URL specified in your app's registration. If you do specify the Redirect URI in your login URL, it also needs to exactly match what you have in the registration. You need to make sure that there is no slash missing, or extra space.

    I don't think the error is related to the domain issue, but if you have a reference to the wrong domain, app ID, or tenant ID in the app registration, you may also run into this issue.

    Let me know if this helps! I'm happy to troubleshoot over email and take a closer look if you're still running into this issue.

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.
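As an added diagnostic that is not part of the question or the answer above, this Python script pulls `redirect_uri` out of the authorization URL quoted in the question and compares it, by exact string match as the answer describes, against a constructed registration list; the localhost entry and the trailing-slash entry in that list are assumed values, not the asker's real registration. If it reports no difference against a registered entry, the string itself is not the cause and the mismatch lies elsewhere (a different app registration, tenant, or client ID, for instance).

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the authorize URL from the question, and a hypothetical
# registration list (the second entry deliberately carries a trailing slash).
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?scope=openid+profile+offline_access+User.Read&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmy.chronolink.app%2Fapi%2Fmicrosoft%2Flogin%2Ffinish"
    "&client_id=b317b17f-b1bc-4e98-a58c-d7170c992b77&response_mode=query"
)
REGISTERED = [
    "http://localhost:8080/api/microsoft/login/finish",       # assumed entry
    "https://my.chronolink.app/api/microsoft/login/finish/",  # assumed entry
]

def extract_redirect_uri(authorize_url):
    """Return the percent-decoded redirect_uri parameter of an authorize URL, or None."""
    params = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    values = params.get("redirect_uri")
    return values[0] if values else None

def _explain(name, a, b, diffs):
    # Record a difference in one URI component, flagging case-only differences separately.
    if a == b:
        return
    kind = "differs only in case" if a.lower() == b.lower() else "differs"
    diffs.append(f"{name} {kind} ({a!r} vs {b!r})")

def compare_redirect_uri(sent, registered):
    """{} when `sent` exactly matches a registered URI; else, per registered URI, why not."""
    if sent in registered:
        return {}
    report = {}
    for cand in registered:
        diffs = []
        if sent != sent.strip() or cand != cand.strip():
            diffs.append("leading/trailing whitespace")
        s, c = urlsplit(sent.strip()), urlsplit(cand.strip())
        _explain("scheme", s.scheme, c.scheme, diffs)
        _explain("host/port", s.netloc, c.netloc, diffs)
        if s.path != c.path and s.path.rstrip("/") == c.path.rstrip("/"):
            diffs.append("trailing slash differs")
        else:
            _explain("path", s.path, c.path, diffs)
        _explain("query", s.query, c.query, diffs)
        _explain("fragment", s.fragment, c.fragment, diffs)
        report[cand] = diffs or ["strings differ, but no URI component does"]
    return report
```

Run `compare_redirect_uri(extract_redirect_uri(AUTHORIZE_URL), REGISTERED)` and read each entry's list of differences; an empty dict means an exact match exists.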