Query String is not allowed in redirect_uri for Azure AD
Problem:
The customer configures the following redirect URLs for the registered application in Azure AD
and then issues this request to authenticate against Azure AD:
GET https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=<app id>&redirect_uri=https%3a%2f%2flocalhost%3a44396%2fbac%2faad%3freqId%3dA123&response_mode=form_post&….
After signing in, the customer is redirected to https://localhost:44396/bac/aad instead of https://localhost:44396/bac/aad?reqId=A123.
The query string (?reqId=A123) has been stripped from the redirect target entirely, so the application cannot recover the reqId value it tried to carry through the sign-in flow.
Root Cause:
This behavior is by design. Azure AD drops the query string from redirect_uri as a security measure against covert redirect attacks, in which an attacker appends parameters to an otherwise valid redirect target (for example an open redirector on the application's own domain) so that the authorization response is forwarded to a location the attacker controls. Because the query string is not part of what Azure AD honors, application state must not be carried there.
Resolution:
We recommend that the customer use the OAuth 2.0 'state' parameter instead of a query string on redirect_uri to preserve per-request context. Azure AD returns state unchanged alongside the authorization response (as a form field when response_mode=form_post), so the application can look up whatever it stored for that request. The state value should be an unguessable token generated per request and bound to the user's session on the server side; a guessable state (such as the raw reqId) would defeat the cross-site request forgery protection that state is also meant to provide.
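The following is an added example of the recommended pattern; it is not code from the original article or from Microsoft. It assumes the application keeps a small server-side store of pending sign-in requests (the PendingRequests class and its names are hypothetical), uses response_type=code, and receives the form_post callback as a dictionary of form fields. The reqId from the scenario above is carried in that store and recovered by redeeming the state value Azure AD echoes back; a helper also flags any redirect_uri that still carries a query string, which Azure AD would strip.

```python
"""Carry per-request context through Azure AD sign-in via 'state' (added example, hypothetical helpers)."""
import secrets
from urllib.parse import urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"


class PendingRequests:
    """Server-side map of issued state values to the context they belong to (hypothetical store)."""

    def __init__(self):
        self._pending = {}

    def issue(self, req_id):
        # 32 random bytes, URL-safe: unguessable, so it doubles as the CSRF token.
        state = secrets.token_urlsafe(32)
        self._pending[state] = {"reqId": req_id}
        return state

    def redeem(self, state):
        # One-time use: a replayed or forged state yields None.
        return self._pending.pop(state, None)


def redirect_uri_has_query(redirect_uri):
    """True if the redirect_uri carries a query string, which Azure AD strips."""
    parts = urlsplit(redirect_uri)
    return bool(parts.query)


def build_authorize_url(tenant, client_id, redirect_uri, req_id, store):
    """Build the authorize request, putting the request context in 'state' rather than in redirect_uri."""
    if redirect_uri_has_query(redirect_uri):
        raise ValueError("redirect_uri must not contain a query string; use 'state' instead")
    state = store.issue(req_id)
    params = {
        "client_id": client_id,
        "response_type": "code",          # assumed; the article elides this parameter
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,     # registered value, no query string
        "state": state,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params), state


def handle_callback(form_fields, store):
    """Process the form_post callback: validate state, recover the stored reqId, return (reqId, code)."""
    state = form_fields.get("state")
    if not state:
        raise ValueError("authorization response is missing 'state'")
    context = store.redeem(state)
    if context is None:
        # Unknown or already-used state: possible CSRF or replay, do not exchange the code.
        raise ValueError("unknown or already-used 'state'")
    return context["reqId"], form_fields.get("code")


if __name__ == "__main__":
    store = PendingRequests()
    url, state = build_authorize_url(
        "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
        "https://localhost:44396/bac/aad", "A123", store)
    print(url)
    # Constructed sample of the form fields Azure AD would POST back to redirect_uri.
    callback = {"code": "AQABAAAAAAD-constructed-sample", "state": state}
    print(handle_callback(callback, store))
```

Because state is redeemed on first use, a second callback carrying the same value is rejected, which is the behavior you want when a login response is replayed or forged.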