Problem:

See update at the end.  This is no longer an issue.

Customer configures the following redirect URLs for his registered application in Azure AD

clip_image001[6]

and issues the following request to authenticate to Azure AD:

GET https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=<app id>&redirect_uri=https%3a%2f%2flocalhost%3a44396%2fbac%2faad%3freqId%3dA123&response_mode=form_post&….

After logging in he is redirected to https://localhost:44396/bac/aad instead of https://localhost:44396/bac/aad?reqId=A123.

The redirected URL does not have anything after the query string.

Root Cause:

The behavior is by design.  This is an Azure AD’s security feature to prevent Covert Redirect attack.

Resolution:

We recommend customer to make use of the ‘state’ parameter instead of using query string to preserve the state of the request.

Update 8/15/2019

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#redirect-uris-can-now-contain-query-string-parameters

Azure AD now can accept reply URLs with query string.  This can be done by modifying the manifest file in the App Registration portal like the following.  This functionality is currently not available in the UI yet.

“publisherDomain”: “xxx.onmicrosoft.com”,
“replyUrlsWithType”: [
{
“url”: “https://localhost”,
“type”: “Web”
},
     {
          “url”: “https://www.contoso.com/otdsws/login?authhandler=Microsoft+OAuth”,
          “type”: “Web”
     }
],

“requiredResourceAccess”: [
{

..

Update 8/23/2019 – You now can enter reply URL with query string in the App Registration UI

12 Thoughts to “Query String is not allowed in redirect_uri for Azure AD”

  1. hariprasad

    but i created one api in azure , i am using that api as redirect uri in token endpoint, it showing Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API. error. how to pass key to that redirect uri

    1. bac hoang

      You can store the subscription key info in a cookie or push it to the ‘state’ parameter

  2. Brent Edds

    Does this no longer work? I get an error when adding in UI or manifest

    1. Bac Hoang [MSFT]

      This is still working for me using the UI. Make sure you add the reply URL in the ‘Web’ platform section

  3. George Martinez

    This is not working for me

    1. Bac Hoang [MSFT]

      Care to elaborate?

      1. Shaun Stevens

        This functionality no longer works. I get the error of URL may not contain a query string.

        1. Bac Hoang [MSFT]

          can you clarify what reply URL you are trying to add? I just tried this reply URL: https://www.contoso.com/page?app=xyz and it worked just fine.

  4. ben

    I pass query params (siteName=someName) into state. When authenticated and redirects to the site. the query params is like ‘siteName%3d%25E6%2595%25AC%25E6%259D%25B1%25E7%25A7%2591%25E6%258A%2580%26’

    How can I get exact value of query params to match ?

    1. Bac Hoang [MSFT]

      Do you have a repro for this?

      1. ben
        const scopeConfig = {
          scopes: ['user.read'],
          state: { siteName: 'someChineseText' }
        }
        
        msal.config.auth.redirectUri = location.origin + '/site'
        // also add this Uri in App registration
        
        

        If I logged and redirect to /site. query params contains id_token and siteName that I passed in scopeConfig.
        but ‘someChineseText’ part is ‘siteName%3d%25E6%2595%25AC%25E6%259D%25B1%25E7%25A7%2591%25E6%258A%2580%26’

        I need to receive the original chinese text in order to match in my if else statement

        1. Bac Hoang [MSFT]

          This will take some time to investigate. Can you open a support case for this?

Leave a Reply to Brent Edds Cancel reply