drdamour asked:

Are redirect URLs ignoring the port?

Asked at https://github.com/MicrosoftDocs/azure-docs/issues/47893 and directed here.

When you set up redirect URLs, is the port number considered? I've noticed that I only put my localhost:5001 Kestrel URL, but if I switch to IIS Express on 43215 everything works without issue as well, as if the port is totally ignored.



azure-ad-app-registration

MarileeTurscak answered:

They are not ignoring the port. Each URL with a different port should be distinct. My guess is that you have two URLs registered for the application. If that is the case, the Azure portal may do this change for you.

If you only had one URL registered you would get an error about an invalid reply url.

Check under the registration for that application to see if you have both URLs registered.

[screenshot: 3051-reply-url-register.jpg]




I double and triple checked; we only have 1 entry for localhost, for port 5001. These are set through our Terraform, which only has one for localhost. There are 3 total, does that matter?

[screenshot: 3091-redirect-urls.png]


My requested reply is localhost 44315, as seen in this picture:

[screenshot: 3052-reply-port.png]

Using implicit tokens, if that matters.


Could this be a tenant setting my org has flipped?

Another test case:

  • set reply URL to https://localhosts:5001/login/ad-reply (note the extra s)

  • ran with port 44317, so the redirect was localhost:44317

  • verified I got the "reply URL not set" error (since the hosts don't match)

  • switched reply URL to https://localhost:5001/login/ad-reply (removed the s, but the port is still wrong)

  • attempted to log in, and SUCCESS (if the port was considered, this should fail)

Certainly seems like the port is being ignored.


You can still run the application if the reply URL doesn't match (not sure if that was what you were trying to do the first time).

"If I switch to IIS express on 43215 everything works without issue as well as if the port is totally ignored."

What exactly is your doubt?

drdamour replied to MarileeTurscak:

This is not "run", this is an attempt to log in.

Please assume for a second that you may possibly be incorrect and read my test case, then explain it.

  • set reply URL to https://localhosts:5001/login/ad-reply (note the extra s)

  • ran with port 44317, so the redirect was localhost:44317

  • verified I got the "reply URL not set" error (since the hosts don't match) when trying to log in

  • switched reply URL to https://localhost:5001/login/ad-reply (removed the s, but the port is still wrong)

  • attempted to log in, and SUCCESS (if the port was considered, this should fail)

HirschSinghalMSFT-7416 answered:

Just a heads up here - Azure AD follows the OAuth 2.0 spec here, which states that specifically for loopback redirects an exact match is required except for the port URI component on localhost requests. It is expected that on localhost you can choose any port. We will look into updating the portal to make this more obvious and not allow localhost port components.


Ahhh... well, that would explain it. Thx!

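As an added illustration (not code from this thread, nor Azure AD's own implementation), here is a small Python matcher that applies the rule the accepted answer describes: exact match on scheme, host, path and query, with the port ignored only when the host is a loopback address. The loopback host set and the exact-match semantics are assumptions modelled on RFC 8252 section 7.3; the sample URIs are the ones from the test case in the thread.

```python
from urllib.parse import urlsplit

# Hosts for which the port is not part of the match. RFC 8252 names the IP
# literals; "localhost" is included here because the answer above says Azure AD
# treats it the same way (assumption, not a statement about every server).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _canonical(uri):
    """Split a redirect URI into the components that take part in matching."""
    parts = urlsplit(uri)
    # urlsplit lower-cases nothing by itself; scheme and host are
    # case-insensitive, path and query are compared exactly.
    # For IPv6 literals .hostname already strips the brackets ("[::1]" -> "::1").
    host = (parts.hostname or "").lower()
    return parts.scheme.lower(), host, parts.port, parts.path, parts.query


def redirect_uri_matches(registered, requested):
    """Return True if `requested` is acceptable for the `registered` URI.

    Scheme, host, path and query must match exactly. The port must match as
    well, except when the host is a loopback address: there any port is
    accepted, which is exactly the behaviour observed in the thread.
    """
    r_scheme, r_host, r_port, r_path, r_query = _canonical(registered)
    q_scheme, q_host, q_port, q_path, q_query = _canonical(requested)

    if (r_scheme, r_host, r_path, r_query) != (q_scheme, q_host, q_path, q_query):
        return False          # covers the "localhosts" vs "localhost" case
    if r_host in LOOPBACK_HOSTS:
        return True           # port deliberately ignored for loopback
    return r_port == q_port   # non-loopback: port is part of the match


if __name__ == "__main__":
    registered = "https://localhost:5001/login/ad-reply"
    # Port differs from the registration but the host is loopback -> accepted.
    print(redirect_uri_matches(registered, "https://localhost:44317/login/ad-reply"))
    # Host differs ("localhosts") -> rejected, regardless of port.
    print(redirect_uri_matches("https://localhosts:5001/login/ad-reply",
                               "https://localhost:44317/login/ad-reply"))
    # Non-loopback host: a port mismatch is rejected.
    print(redirect_uri_matches("https://app.example.com/cb",
                               "https://app.example.com:8443/cb"))
```

The three checks in the `__main__` block reproduce the thread's test case (True, False, False). Because of this leniency, a loopback redirect URI should only stay on registrations that genuinely need local development or native-app sign-in, and a review of an app registration's redirect list should treat any loopback entry as matching every port.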