When you register an Azure AD application, amongst other things you are required to configure a Reply URL, which by default takes its value from the Sign-On URL value you enter during the Azure application registration wizard.
The explanation for the Reply URL parameter is in most cases a little vague…
From Authentication Scenarios for AzureAD…
Reply URL and Redirect URI: In the case of a web API or web application, the Reply URL is the location to which Azure AD will send the authentication response, including a token if authentication was successful
This I find is a rather terse explanation, so I’ll try to explain it with an example using the implicit grant flow, by the way this is true for both the implicit grant flow and the authorization code flow.
My Azure application configuration includes the following Reply URL…
In the authorization URL below (lines breaks included for clarity), you can see that I set the redirect_uri querystring parameter to https://pdogs.azurewebsites.net/callback.html (url encoded).
Firstly, the redirect_uri supplied is a specific location in my application where I want Azure, to send the OAuth2 response, which may include an authorization code, an id_token or access_token or both, and in this location (or page) in my application I’ll handle that response in some way.
Secondly, the value I supply as the redirect_uri parameter, must match one of the Reply URL’s that is configured in the Azure application registration, by scheme and host/origin.
In the case above, a redirect_uri of https://pdogs.azurewebsites.net/callback.html matches the Reply URL configured in Azure.
Azure uses this pairing and matching of redirect_uri with Reply URL’s as a security measure to prevent misuse of your application such that, some one could attempt to authenticate their own application using your Azure applications coordinates, and have the access token sent to their application instead of yours.
Once they have an access token, they can use it for whatever purpose and without your knowledge.
So what happens when we try to do this? lets create another authorization URL using a redirect_uri parameter that is not configured as a valid Reply URL in my Azure application…
Here I’ve set the redirect_uri parameter to https://pdogs-babel.azurewebsites.net, and when I send this to the authorization endpoint…
We see the following error message…
AADSTS50011: The reply address https://pdogs-babel.azurewebsites.net/callback.html does not match the reply addresses configured for the application: ef92a29b-b332-9d43-1341-23326315fa42.
So this is great, Azure is helping us maintain the security of our application, but, one thing you may be tempted to do, is to also add the URL of your local dev server that you use for developing your application, so you end up with Reply URL’s configured as follows…
If you are using the implicit grant flow, this could allow someone to gain an access token using your application coordinates. The initial authorization URL is sent over HTTP by the browser, and the authorisation endpoint returns the reply using a HTTP 302 [Found] response with a Location header value containing the URL found in the redirect_uri parameter plus the hash fragment containing the access_token, as you can see below…
As long as you have a local server listening at (in this case) localhost on port 3000 the browser will dutifully load the URL found in the Location header and Johnny Hacker now has an access_token for your application to do with as they please – all without your knowledge, and when that token expires, they can do the same thing again.
9 thoughts on “Understanding the OAuth2 redirect_uri and Azure AD Reply URL Parameters”
If I am getting this right, your scenario is that someone might utilize the http://localhost as the reply url to get an access token for another user. That would be the case only if the attacker can run a listener on the victim’s machine on localhost, in which case, a lot of things are compromised for that poor victim..
Can a redirect URI be relative, or parameterized somehow? My customers use a server app that accesses the Microsoft Graph API. Each customer will have to have an Azure AD admin grant permissions to the multi-tenant part of my app that grabs some Graph data. I’d like to have their redirect URI be somewhere within a domain my app will know about, instead of a hard-coded URL. Do you know if that’s possible?
A redirect uri supplied by the client app cannot be relative, but it can be an absolute url to a specific page, which, at least, domain matches one or more of the Azure App Registrations Redirect URI
Hi Phil, I am trying to authenticate a Single Page Application Web App hosted in Azure using Azure AD, i m using adal.js and angular-adal.js to interpret the received token and process it,, unfortunately after authentication the angular library cannot receive the token,,, i know the reason for this issue,,, the redirect uri is always https://*****.azurewebsites.net/.auth/login/aad/callback , i have this url configured in Azure AD app reply url’s ,,,, all i need is that when i launch the application the authentication should happen with the redirect uri like https://******.azurewebsites.net/index.jsp ( this is the first page of my SPA which contains the angular logic to interpret the token) How could i change the default redirect uri /.auth/login/aad/callback ?
Hi, I’m not familiar enough with the Adal-Angular package to help you here I’m afraid
I have set my dynamic crm tenant url as reply url but it doesn’t match saying as message. How to set dynamic crm tenant url as reply url?
Not sure how to help with this, can you be more specific?
Thanks for sharing all of your experiences!
Hi Arulraj – I think the default “Reply URL” has been inside the Azure Active Directory (respective AD). So we can edit that from the Active Directory section.