Understanding the OAuth2 redirect_uri and Azure AD Reply URL Parameters


When you register an Azure AD application, amongst other things you are required to configure a Reply URL, which by default takes its value from the Sign-On URL value you enter during the Azure application registration wizard.


The explanation for the Reply URL parameter is in most cases a little vague…

From Authentication Scenarios for AzureAD

Reply URL and Redirect URI: In the case of a web API or web application, the Reply URL is the location to which Azure AD will send the authentication response, including a token if authentication was successful

I find this a rather terse explanation, so I’ll try to explain it with an example using the implicit grant flow. What follows applies equally to the authorization code flow.

My Azure application configuration includes the following Reply URL

https://pdogs.azurewebsites.net

In the authorization URL below (line breaks included for clarity), you can see that I set the redirect_uri querystring parameter to https://pdogs.azurewebsites.net/callback.html (URL encoded).

https://login.microsoftonline.com/1c3d2eea-12db-2ec3-437e-2eec7289e1a1/oauth2/authorize
?client_id=ef92a29b-b332-9d43-1341-23326315fa42
&response_type=id_token+token
&redirect_uri=https%3A%2F%2Fpdogs.azurewebsites.net%2Fcallback.html
&state=12345
&nonce=678910
&resource=https%3A%2F%2Fgraph.microsoft.com%2F

Firstly, the redirect_uri supplied is a specific location in my application where I want Azure to send the OAuth2 response. Depending on the flow, that response carries an authorization code, an id_token, an access_token, or both tokens, and the page at that location is where my application handles it.

Secondly, the value I supply as the redirect_uri parameter must match one of the Reply URLs configured in the Azure application registration, by scheme and host (that is, by origin). That is the matching rule Azure AD applied at the time of writing. Exact string matching of the full URL is the stricter rule recommended by RFC 6819 (OAuth 2.0 Threat Model and Security Considerations), so it is safer to register the full callback URL rather than rely on origin matching, and you should expect stricter endpoints to require it.

In the case above, a redirect_uri of https://pdogs.azurewebsites.net/callback.html matches the Reply URL configured in Azure.

Azure uses this matching of redirect_uri against the registered Reply URLs as a security measure against misuse of your application: without it, someone could start an authorization request using your application’s coordinates (tenant and client_id) but with a redirect_uri pointing at a server they control, and have the access token sent there instead of to your application.

Once they hold an access token, they can use it for whatever purpose they like, without your knowledge.

So what happens when we try to do this? Let’s create another authorization URL using a redirect_uri parameter that is not configured as a valid Reply URL in my Azure application…

https://login.microsoftonline.com/1c3d2eea-12db-2ec3-437e-2eec7289e1a1/oauth2/authorize
?client_id=ef92a29b-b332-9d43-1341-23326315fa42
&response_type=id_token+token
&redirect_uri=https%3a%2f%2fpdogs-babel.azurewebsites.net%2Fcallback.html
&state=12345
&nonce=678910
&resource=https%3A%2F%2Fgraph.microsoft.com%2F

Here I’ve set the redirect_uri parameter to https://pdogs-babel.azurewebsites.net/callback.html, and when I send this to the authorization endpoint we see the following error message…

AADSTS50011: The reply address https://pdogs-babel.azurewebsites.net/callback.html does not match the reply addresses configured for the application: ef92a29b-b332-9d43-1341-23326315fa42.
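To make the matching rule concrete, here is an added example in Python (my code, not code from the post or from Azure AD). It builds the authorization URL shown above and performs the redirect_uri check the way the post describes it, comparing the scheme and host of the parsed URLs against the registered Reply URLs, alongside the stricter exact-match rule recommended by RFC 6819. The tenant, client_id, Reply URL and redirect_uri values are the post’s own; the naive prefix matcher and the lookalike hosts under evil.example are constructed to show why the comparison must be made on parsed components rather than on string prefixes. The error text is modelled on the AADSTS50011 message quoted above.

```python
from urllib.parse import urlencode, urlsplit

# Values taken from the post; REPLY_URLS mirrors its Reply URL configuration.
TENANT = "1c3d2eea-12db-2ec3-437e-2eec7289e1a1"
CLIENT_ID = "ef92a29b-b332-9d43-1341-23326315fa42"
REPLY_URLS = ["https://pdogs.azurewebsites.net"]


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce, resource):
    """Build the Azure AD (v1 endpoint) implicit-grant authorization URL from the post.
    urlencode percent-encodes ':' and '/' and turns the space in response_type into '+'."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "id_token token",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "resource": resource,
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{query}"


def origin_of(url):
    """(scheme, host[:port]) of a URL, lower-cased: the part the post says must match."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def matches_origin(redirect_uri, reply_urls):
    """The rule the post observes: scheme and host/origin of redirect_uri equal a registered Reply URL.
    Comparing parsed components means a lookalike host such as pdogs.azurewebsites.net.evil.example,
    or a userinfo trick such as pdogs.azurewebsites.net@evil.example, is rejected."""
    return any(origin_of(redirect_uri) == origin_of(r) for r in reply_urls)


def matches_exact(redirect_uri, reply_urls):
    """Stricter rule recommended by RFC 6819: the full redirect_uri is registered verbatim."""
    return redirect_uri in reply_urls


def matches_prefix_naive(redirect_uri, reply_urls):
    """Constructed anti-example: string-prefix matching, which lookalike hosts defeat."""
    return any(redirect_uri.startswith(r) for r in reply_urls)


def validate_redirect_uri(redirect_uri, reply_urls=REPLY_URLS, client_id=CLIENT_ID, strict=False):
    """Return None when the redirect_uri is accepted, otherwise an AADSTS50011-style error string
    (modelled on the message in the post)."""
    ok = matches_exact(redirect_uri, reply_urls) if strict else matches_origin(redirect_uri, reply_urls)
    if ok:
        return None
    return (f"AADSTS50011: The reply address {redirect_uri} does not match the reply "
            f"addresses configured for the application: {client_id}.")


if __name__ == "__main__":
    print(build_authorize_url(TENANT, CLIENT_ID, "https://pdogs.azurewebsites.net/callback.html",
                              "12345", "678910", "https://graph.microsoft.com/"))
    for uri in ["https://pdogs.azurewebsites.net/callback.html",
                "https://pdogs-babel.azurewebsites.net/callback.html",
                "https://pdogs.azurewebsites.net.evil.example/callback.html",
                "https://pdogs.azurewebsites.net@evil.example/callback.html"]:
        print(uri, "->", validate_redirect_uri(uri) or "accepted",
              "| naive prefix match:", matches_prefix_naive(uri, REPLY_URLS))
```

Run it and the first URL is accepted while the other three are rejected with the AADSTS50011-style message; the naive prefix matcher, by contrast, accepts the two evil.example URLs, which is the pitfall an authorization server (or any code you write that validates return URLs) has to avoid. Passing strict=True requires the full callback URL to be registered.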

So this is great, Azure is helping us maintain the security of our application. One thing you may be tempted to do, though, is to also add the URL of the local dev server you use while developing the application, so you end up with Reply URLs configured as follows…

https://pdogs.azurewebsites.net

http://localhost:3000

If you are using the implicit grant flow, this could allow someone to gain an access token using your application’s coordinates. The browser sends the authorization request to the authorization endpoint, which answers with an HTTP 302 [Found] response whose Location header is the URL from the redirect_uri parameter followed by a hash fragment containing the access_token (and, for response_type=id_token token, the id_token). With http://localhost:3000 registered, the endpoint accepts a redirect_uri on that origin just as readily as one on https://pdogs.azurewebsites.net.

As long as a server is listening at (in this case) localhost on port 3000, the browser will dutifully load the URL from the Location header, and Johnny Hacker now has an access_token for your application to do with as they please, all without your knowledge; when that token expires, they can simply do the same thing again. Note that the browser never sends the fragment over the wire, so the plain http scheme does not expose the token to the network; it is exposed to whatever is served from that port, whose script can read it from the fragment. The attacker therefore needs something of their own listening at localhost:3000 on the user’s machine, and the registered localhost Reply URL is what lets the authorization endpoint hand your application’s token to it.
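The 302 step described above, as an added example in Python (my code, not code from the post): one function builds the Location header the authorization endpoint returns for response_type=id_token token, one shows the request line a server listening at the redirect target actually receives when the browser follows that Location, and one does what callback.html’s script would do with the fragment, including the state check. The token values and the expected state are constructed placeholders, and the redirect_uri is assumed to have already passed the Reply URL check.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def implicit_grant_redirect(redirect_uri, access_token, id_token, state, expires_in=3599):
    """Build the HTTP 302 response the authorization endpoint returns for an implicit grant.
    The tokens ride in the URL fragment (after '#'), so they reach the browser but are never
    part of a query string."""
    fragment = urlencode({
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": str(expires_in),
        "id_token": id_token,
        "state": state,
    })
    p = urlsplit(redirect_uri)  # assumed to have passed the Reply URL check already
    location = urlunsplit((p.scheme, p.netloc, p.path, p.query, fragment))
    return 302, {"Location": location}


def request_line_seen_by_listener(location):
    """What the server at the redirect target receives when the browser follows the Location.
    Browsers strip the fragment before sending the request (RFC 3986), so the access log never
    contains the token; only script running in the page it serves can read it."""
    p = urlsplit(location)
    target = (p.path or "/") + (f"?{p.query}" if p.query else "")
    return f"GET {target} HTTP/1.1"


def handle_callback_fragment(location, expected_state):
    """What callback.html's JavaScript does with window.location.hash: parse the fragment and
    refuse the response unless state matches the value this client sent in its request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response was not issued for our request")
    return params


if __name__ == "__main__":
    # Constructed values; real tokens are JWTs issued by Azure AD.
    status, headers = implicit_grant_redirect(
        "http://localhost:3000/callback.html", "ACCESS.TOKEN.EXAMPLE", "ID.TOKEN.EXAMPLE", "12345")
    print(status, headers["Location"])
    print(request_line_seen_by_listener(headers["Location"]))
    print(handle_callback_fragment(headers["Location"], "12345")["access_token"])
```

The request line printed for the localhost listener is just GET /callback.html HTTP/1.1; the token only becomes available to the code behind that port, which is why the attacker needs their own page served there. The state check is what a legitimate callback page should do regardless: it ties the response to a request this client actually started.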

Published by Phil Harding, SharePoint Consultant, Developer, Father, Husband and Climber.

One thought on “Understanding the OAuth2 redirect_uri and Azure AD Reply URL Parameters”

  1. If I am getting this right, your scenario is that someone might utilize the http://localhost as the reply url to get an access token for another user. That would be the case only if the attacker can run a listener on the victim’s machine on localhost, in which case, a lot of things are compromised for that poor victim.
