Query String is not allowed in redirect_uri for Azure AD
Problem:
Customer configures the following redirect URLs for his registered application in Azure AD
![clip_image001[6]](https://msdntnarchive.z22.web.core.windows.net/media/2018/04/clip_image00161.png "clip_image001[6]")
and issues the following request to authenticate to Azure AD:
GET https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=<app id>&redirect_uri=https%3a%2f%2flocalhost%3a44396%2fbac%2faad%3freqId%3dA123&response_mode=form_post&….
After logging in he is redirected to https://localhost:44396/bac/aad instead of https://localhost:44396/bac/aad ?reqId=A123.
The redirected URL does not have anything after the query string.
Root Cause:
The behavior is by design. This is an Azure AD’s security feature to prevent Covert Redirect attack.
Resolution:
We recommend customer to make use of the ‘state’ parameter instead of using query string to preserve the state of the request.
Comments
- Anonymous
November 01, 2018
but i created one api in azure , i am using that api as redirect uri in token endpoint, it showing Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API. error. how to pass key to that redirect uri- Anonymous
November 11, 2018
You can store the subscription key info in a cookie or push it to the 'state' parameter
- Anonymous