Redirect URI (reply URL) restrictions - Microsoft Entra (2023)

  • Article
  • 6 minutes to read

A redirect URI, or reply URL, is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. The authorization server sends the code or token to the redirect URI, so it's important you register the correct location as part of the app registration process.

The Azure Active Directory (Azure AD) application model specifies these restrictions to redirect URIs:

Maximum number of redirect URIs

This table shows the maximum number of redirect URIs you can add to an app registration in the Microsoft identity platform.

Accounts being signed inMaximum number of redirect URIsDescription
Microsoft work or school accounts in any organization's Azure Active Directory (Azure AD) tenant256signInAudience field in the application manifest is set to either AzureADMyOrg or AzureADMultipleOrgs
Personal Microsoft accounts and work and school accounts100signInAudience field in the application manifest is set to AzureADandPersonalMicrosoftAccount

The maximum number of redirect URIS can't be raised for security reasons. If your scenario requires more redirect URIs than the maximum limit allowed, consider the following state parameter approach as the solution.

Maximum URI length

You can use a maximum of 256 characters for each redirect URI you add to an app registration.

Redirect URIs in application vs. service principal objects

  • Always add redirect URIs to the application object only.
  • Do not add redirect URI values to a service principal because these values could be removed when the service principal object syncs with the application object. This could happen due to any update operation which triggers a sync between the two objects.

Query parameter support in redirect URIs

Query parameters are allowed in redirect URIs for applications that only sign in users with work or school accounts.

(Video) Redirect URI Configurations for local Debugging in Azure App Registration

Query parameters are not allowed in redirect URIs for any app registration configured to sign in users with personal Microsoft accounts like Outlook.com (Hotmail), Messenger, OneDrive, MSN, Xbox Live, or Microsoft 365.

App registration sign-in audienceSupports query parameters in redirect URI
Accounts in this organizational directory only (Contoso only - Single tenant)Redirect URI (reply URL) restrictions - Microsoft Entra (1)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)Redirect URI (reply URL) restrictions - Microsoft Entra (2)
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)Redirect URI (reply URL) restrictions - Microsoft Entra (3)
Personal Microsoft accounts onlyRedirect URI (reply URL) restrictions - Microsoft Entra (4)

Supported schemes

HTTPS: The HTTPS scheme (https://) is supported for all HTTP-based redirect URIs.

HTTP: The HTTP scheme (http://) is supported only for localhost URIs and should be used only during active local application development and testing.

Example redirect URIValidity
https://contoso.comValid
https://contoso.com/abc/response-oidcValid
https://localhostValid
http://contoso.com/abc/response-oidcInvalid
http://localhostValid
http://localhost/abcValid

Localhost exceptions

Per RFC 8252 sections 8.3 and 7.3, "loopback" or "localhost" redirect URIs come with two special considerations:

  1. http URI schemes are acceptable because the redirect never leaves the device. As such, both of these URIs are acceptable:
    • http://localhost/myApp
    • https://localhost/myApp
  2. Due to ephemeral port ranges often required by native applications, the port component (for example, :5001 or :443) is ignored for the purposes of matching a redirect URI. As a result, all of these URIs are considered equivalent:
    • http://localhost/MyApp
    • http://localhost:1234/MyApp
    • http://localhost:5000/MyApp
    • http://localhost:8080/MyApp

From a development standpoint, this means a few things:

  • Do not register multiple redirect URIs where only the port differs. The login server will pick one arbitrarily and use the behavior associated with that redirect URI (for example, whether it's a web-, native-, or spa-type redirect).

    This is especially important when you want to use different authentication flows in the same application registration, for example both the authorization code grant and implicit flow. To associate the correct response behavior with each redirect URI, the login server must be able to distinguish between the redirect URIs and cannot do so when only the port differs.

    (Video) Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.

  • To register multiple redirect URIs on localhost to test different flows during development, differentiate them using the path component of the URI. For example, http://localhost/MyWebApp doesn't match http://localhost/MyNativeApp.

  • The IPv6 loopback address ([::1]) is not currently supported.

Prefer 127.0.0.1 over localhost

To prevent your app from being broken by misconfigured firewalls or renamed network interfaces, use the IP literal loopback address 127.0.0.1 in your redirect URI instead of localhost. For example, https://127.0.0.1.

You cannot, however, use the Redirect URIs text box in the Azure portal to add a loopback-based redirect URI that uses the http scheme:

Redirect URI (reply URL) restrictions - Microsoft Entra (5)

To add a redirect URI that uses the http scheme with the 127.0.0.1 loopback address, you must currently modify the replyUrlsWithType attribute in the application manifest.

Restrictions on wildcards in redirect URIs

Wildcard URIs like https://*.contoso.com may seem convenient, but should be avoided due to security implications. According to the OAuth 2.0 specification (section 3.1.2 of RFC 6749), a redirection endpoint URI must be an absolute URI.

(Video) URL Rewrite in IIS

Wildcard URIs are currently unsupported in app registrations configured to sign in personal Microsoft accounts and work or school accounts. Wildcard URIs are allowed, however, for apps that are configured to sign in only work or school accounts in an organization's Azure AD tenant.

To add redirect URIs with wildcards to app registrations that sign in work or school accounts, use the application manifest editor in App registrations in the Azure portal. Though it's possible to set a redirect URI with a wildcard by using the manifest editor, we strongly recommend you adhere to section 3.1.2 of RFC 6749. and use only absolute URIs.

If your scenario requires more redirect URIs than the maximum limit allowed, consider the following state parameter approach instead of adding a wildcard redirect URI.

Use a state parameter

If you have several subdomains and your scenario requires that, upon successful authentication, you redirect users to the same page from which they started, using a state parameter might be helpful.

In this approach:

  1. Create a "shared" redirect URI per application to process the security tokens you receive from the authorization endpoint.
  2. Your application can send application-specific parameters (such as subdomain URL where the user originated or anything like branding information) in the state parameter. When using a state parameter, guard against CSRF protection as specified in section 10.12 of RFC 6749).
  3. The application-specific parameters will include all the information needed for the application to render the correct experience for the user, that is, construct the appropriate application state. The Azure AD authorization endpoint strips HTML from the state parameter so make sure you are not passing HTML content in this parameter.
  4. When Azure AD sends a response to the "shared" redirect URI, it will send the state parameter back to the application.
  5. The application can then use the value in the state parameter to determine which URL to further send the user to. Make sure you validate for CSRF protection.

Warning

(Video) How to redirect an IIS website to a new location using Windows Server 2019

This approach allows a compromised client to modify the additional parameters sent in the state parameter, thereby redirecting the user to a different URL, which is the open redirector threat described in RFC 6819. Therefore, the client must protect these parameters by encrypting the state or verifying it by some other means, like validating the domain name in the redirect URI against the token.

Next steps

Learn about the app registration Application manifest.

FAQs

What should be the redirect URI in oauth2? ›

According to the OAuth 2.0 specification (section 3.1. 2 of RFC 6749), a redirection endpoint URI must be an absolute URI.

How do I fix the response URL mismatch error? ›

Resolution. To fix the issue, follow these steps: Ensure that the AssertionConsumerServiceURL value in the SAML request matches the Reply URL value configured in Azure AD. Verify or update the value in the Reply URL textbox to match the AssertionConsumerServiceURL value in the SAML request.

How do I create a redirect URI in Azure? ›

To configure redirect URIs:
  1. Navigate to the app's configuration page. ...
  2. Select Authentication.
  3. Under Platform configuration select + Add a platform.
  4. Under Web Applications, choose Web.
  5. Leave Logout URL and Implicit grant empty, and click Configure.
Dec 20, 2022

What is redirect URI in Msal? ›

MSAL uses a default redirect URI, if you don't specify one. The format is msauth. [Your_Bundle_Id]://auth . The default redirect URI format works for most apps and scenarios, including brokered authentication and system web view. Use the default format whenever possible.

How many URL redirects is too many? ›

Your browser protects you from this redirect loop by only allowing a certain number of redirects (usually a maximum of 10) before it gives up and displays the “too many redirects” error message. This message appears differently between Chrome, Safari, and other browsers. Chrome's error message appearance.

Is redirect URI mandatory? ›

Redirect uri is required in client registration and oauth flows(authorization code flow and implicit flow). Lack of a redirection URI registration requirement can enable an attacker to use the authorization endpoint as an open redirector.

How do I check for URL errors? ›

To see information in the Google index about a URL:
  1. Open the URL Inspection tool.
  2. Enter the complete URL to inspect. A few notes: ...
  3. Read Understanding the results.
  4. If you've fixed issues since the data was acquired, test the live URL to see if Google thinks these issues are fixed. ...
  5. Optionally request indexing for the URL.

What is a URL response code? ›

HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: Informational responses ( 100 – 199 ) Successful responses ( 200 – 299 ) Redirection messages ( 300 – 399 )

What is URI in Azure AD? ›

The uniform resource identifier (URI) identifies a resource. Usually the resource is a resource on the web, but it doesn't have to be.

What are the 4 types of redirecting? ›

Types of redirects
  • 301 Permanent.
  • 302 Found.
  • 307 Temporary.
Oct 7, 2020

How do I enable url redirects? ›

On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then World Wide Web Services, then Common Http Features. Select HTTP Redirection, and then click OK.

How do I set a redirect URL? ›

Click the URL Redirects tab. In the upper right, click Add URL redirect. In the right panel, select the Standard or Flexible redirect type. A standard redirect is used to redirect one URL to another.

What causes URL redirection? ›

Web pages may be redirected to a new domain for three reasons: a site might desire, or need, to change its domain name; an author might move their individual pages to a new domain; two web sites might merge.

What are the consequences of URL redirection? ›

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site.

How to get authorization code from redirect URI? ›

The redirect_uri is the home page/login URL from the same AAD App. Upon successful request, this endpoint will redirect to your login page with the authorization code appended to the URL.

How do I bypass too many redirects? ›

So how to fix the ERR_TOO_MANY_REDIRECTS error?
  1. Delete cookies on that specific site.
  2. Clear site, server, proxy, and browser cache.
  3. Determine nature of redirect loop.
  4. Check your HTTPS settings.
  5. Check third-party services.
  6. Check your WordPress site settings.
  7. Temporarily disable WordPress plugins.
  8. Check redirects on your server.
Dec 26, 2022

How do you bypass redirected you too many times? ›

How To Fix Too Many Redirects
  1. Clear cookies on the redirecting website.
  2. Clear your browser cache.
  3. Ensure your SSL certificate is installed correctly.
  4. Evaluate your third-party services and plugins.
  5. Reset your htaccess file.
  6. Contact your hosting provider.
Oct 12, 2021

Is there a limit to redirects? ›

Answer. There are no limits in using 301 redirects on a site.

What can I use instead of redirects? ›

Synonyms of redirect
  • turn.
  • divert.
  • swing.
  • deflect.
  • whip.
  • shift.
  • veer.
  • move.

How do I redirect a URL without changing the URL? ›

To do this, you would modify your .htaccess file for the domain that your users will go to, and insert these lines of code:
  1. RewriteCond %{HTTP_HOST} ^DomainA.com. ...
  2. RewriteCond %{HTTP_HOST} ^DomainA.com RewriteRule ^(.*) https://DomainB.com/PathToPageHere [P]
Aug 16, 2021

What makes a URL suspicious? ›

Take an extra second to inspect URLs for suspicious misspellings, punctuation, or possibly long and garbled text in the address bar. If you're using a web browser that only displays the domain instead of the full address, you might need to click on the address bar to reveal the whole URL.

Why does a URL get rejected? ›

One reason you get the above error in your browser is that your Windows PC has restricted your access to your site. One way to get around this is to add your site's URL to your system's trusted sites list. Launch Control Panel, select Network and Internet, and choose Internet Options.

What causes an invalid URL? ›

Resolution. The reason the user is seeing the "Invalid URL" error message is because the assessment they are trying to view is not assigned to them. The assessment the user is trying to access is not public. There is some logic which happens when a user tries to view an assessment.

What is URI and URL give examples? ›

A URI aims to identify a resource and differentiate it from other resources by using the name of the resource or location of the resource. A URL aims to find the location or address of a resource on the web. An example of a URI can be ISBN 0-486-35557-4. An example of an URL is https://www.javatpoint.com.

What is URL and URI with example? ›

Difference between URL and URI
URLURI
Access the location or address of the resourceFind the resource
Its components are protocol, domain, path, hash, query string and so onComponents included are scheme, authority, path, query and more
Example- https://google.inExample-:urn:isbn:0-284-56889-3
4 more rows

What is an example of a URL code? ›

A typical URL could have the form http://www.example.com/index.html , which indicates a protocol ( http ), a hostname ( www.example.com ), and a file name ( index. html ).

What is the difference between a URL and a URI? ›

URI identifies a resource and differentiates it from others by using a name, location, or both. URL identifies the web address or location of a unique resource. URI contains components like a scheme, authority, path, and query. URL has similar components to a URI, but its authority consists of a domain name and port.

What is URL URI endpoint? ›

URI is the superset of URL. It comprises of protocol, domain, path, hash, and so on. It comprises of scheme, authority, path, query and many more.

What is the difference between api and URI? ›

A URI is a Universal Resource Identifier, identifying where a specific resource can be found, such as a page or a document. They are used in REST APIs to address resources to developers using an API. You may have seen URIs, URLs, and URNs in networking discussions before, but how do we tell them apart?

What is my valid OAuth redirect URIs? ›

Enter the OAuth redirect URI

The Valid OAuth redirect URL can be found in the plugin's settings, next to the Facebook App Settings. It usually ends with "/facebook/int_callback".

What should I use for redirect URL? ›

A redirect is a way to send both users and search engines to a different URL from the one they originally requested. The three most commonly used redirects are 301, 302, and Meta Refresh.

How do I redirect a URL in OAuth? ›

Link to section Create the redirect URL
  1. Sign in to the Developer Dashboard.
  2. Choose Open for your production application. ...
  3. At the top of the page, set the mode to Production.
  4. In the left pane, choose OAuth.
  5. In the Application ID box, copy and save the application ID for use in the next section.

What is valid redirect URIs? ›

The Valid redirect URIs is a valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'.

How do I verify a URL redirect? ›

To test URL Redirection
  1. Open an Internet Explorer browser in the host computer and enter a URL that you specified for redirection.
  2. Verify that the webpage is opened in Internet Explorer on the guest virtual machine.
  3. Repeat this process for each URL that you want to test.
Jun 24, 2020

How do I fix OAuth error? ›

When a user tries to login after the session id is expired, the system throws the OAuth error. Solution: Typically, clearing the browser or device cache fixes the problem.

What does invalid redirect URI mean? ›

While working on a web based client, you have to ensure that the redirect URI passed while authentication, is the same as the one given during registration. If the redirect uri is not the one given during registration, an invalid redirect uri error will be thrown.

What is a redirect URL example? ›

A redirect is when a web page is visited at a certain URL, it changes to a different URL. For instance, a person visits “website.com/page-a” in their browser and they are redirected to “website.com/page-b” instead.

What are the 3 types of URL? ›

type: It specifies the type of the server in which the file is located. address: It specifies the address or location of the internet server. path: It specifies the location of the file on the internet server.

How do I create an authorized redirect URIs? ›

Fill in the form and click Create. Applications that use languages and frameworks like PHP, Java, Python, Ruby, and .NET must specify authorized redirect URIs.
...
Create authorization credentials
  1. Go to the Credentials page.
  2. Click Create credentials > OAuth client ID.
  3. Select the Web application application type.
Oct 18, 2022

Why are URL redirects important? ›

Redirects are important because they: Forward traffic from one URL to another when the old URL no longer exists. Forward authority when backlinks point to a page that has been moved. Improve the overall user experience by ensuring visitors don't land on broken or duplicated pages.

Videos

1. Application types in Microsoft Identity
(Microsoft 365 Developer)
2. An Intro to URL Rewrite + adding www to domain name
(Scott Forsyth)
3. Microsoft Mail Integration (Part 1): Send Mail with Microsoft Graph REST API's,Outlook using POSTMAN
(BEENUM LEARNING)
4. Authenticating users in JavaScript apps with MSAL.js August 2021
(Microsoft DevRadio)
5. Learn Live - Microsoft Identity Platform
(Microsoft Developer)
6. Azure active directory | Azure ad | AZ-203 AZ-204
(Tech of the day)
Top Articles
Latest Posts
Article information

Author: Frankie Dare

Last Updated: 12/08/2022

Views: 6266

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Frankie Dare

Birthday: 2000-01-27

Address: Suite 313 45115 Caridad Freeway, Port Barabaraville, MS 66713

Phone: +3769542039359

Job: Sales Manager

Hobby: Baton twirling, Stand-up comedy, Leather crafting, Rugby, tabletop games, Jigsaw puzzles, Air sports

Introduction: My name is Frankie Dare, I am a funny, beautiful, proud, fair, pleasant, cheerful, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.