How to fix the reply URL mismatch error in Azure AD - Microsoft Identity Platform

Jeevan Manoj explains how to fix “AADSTS50011 The reply URL specified in the request does not match the reply URLs configured for the application” error.

Learn more: https://docs.microsoft.com/en-us/answ



Content

2.967 -> >> [MUSIC]
13.624 -> >> Hi, everyone, my name is Jeevan, and I’m a Program
16.376 -> Manager in the Azure Identity Organization at Microsoft.
20.624 -> Today, I’m going to show you how to resolve the error
24.376 -> the reply URL specified in the request does not match the
28.543 -> reply URLs configured for the application, when users sign
32.624 -> into an application.
36.292 -> We’ll start by discussing what reply URLs are. Reply URLs
41 -> are also sometimes called redirect URIs, but for the
44.624 -> purposes of this video I’ll use the term reply URL.
49.584 -> When an application uses a modern authentication flow,
53.584 -> it delegates the authentication and authorization to an
56.917 -> identity provider such as Azure AD. Once that identity
61.834 -> provider has completed the authentication or authorization
65.75 -> it’ll send the result back to your application. The reply URL
70.624 -> specifies the location that the identity provider should send
74.959 -> the result to. The reply URL is specified in two places.
81.543 -> It is included in the request the application sent to Azure
84.792 -> AD, and also it must be included in the application
88.334 -> registration with Azure AD. This process provides an
92.917 -> additional layer of security, as Azure AD will prevent bad
97.167 -> actors from intercepting your code or access token by
101.708 -> altering the reply URLs. Azure AD only accepts safe reply
107.584 -> URLs, which are already defined in the Azure portal.
111.624 -> We will look at this in more detail in the demo,
114.417 -> which is up next.
118.251 -> Our user Alice is on the home page of the demo application,
121.251 -> and she’s going to sign into the application by clicking the
124.084 -> sign in button. She’s going to now enter her credentials.
129.917 -> However, she is unable to
131.308 -> sign in and is presented with the
133.125 -> error the reply URL specified in the request does not match
137.376 -> the reply URLs configured for the application.
140.334 -> This is happening because of the mismatch in the reply
142.917 -> URLs defined in the Azure Portal and the reply URL the
146.624 -> application is providing to Azure AD. Let’s now go back to
150.834 -> the sign in experience and try to grab the reply URL passed
154.624 -> by the application to Azure AD.
158.125 -> We are back on the home
159.117 -> page, and this time, let’s try to
160.624 -> grab the URL after pressing the sign in button.
167.501 -> Copy the URL now, and let me paste it into Notepad to have
171.624 -> a closer look. As we can see, the redirect URI or reply URI
177.251 -> is defined as part of the request here, and it contains
181.084 -> https://demo
183.075 -> app-prod.azurewebsites.net/signin-oidc.
189.042 -> Now, we will go to the Azure Portal and see if this reply
193.624 -> URL is defined in the allowed list in the Azure Portal.
197.917 -> We are now in the demo app registration in the Azure
200.584 -> Portal. Let’s head over to the authentication tab.
204.209 -> Over here we can see the allowed list of reply URLs,
207.667 -> and we can see that the reply URL, which we saw earlier,
211.624 -> which was demo
212.792 -> app-prod.azurewebsites.net, is not
215.708 -> defined in this allowed list of reply URLs, which is exactly
221.501 -> why the user was given that error. Let’s now add that
224.959 -> reply URL here. I’ve added that, and I’m going to click
230.042 -> save now. We’ll now go back to the application and see if
235.334 -> the user is able to sign in now.
238.624 -> We’re back on the home page of the application and Alice is
241.376 -> going to try to sign in again.
247.501 -> She has entered her credentials. This time the reply URL
252.875 -> mismatch error is gone as we have defined the right reply
255.624 -> URL in the allowed list, and
257.277 -> Alice is able to successfully sign
259.417 -> in. This reply URL error scenario often happens due to
264.624 -> miscommunications between the DevOps engineers and
267.624 -> the administrators. For example, DevOps engineers move
271.667 -> the application from the staging environment to
274.292 -> production, but the administrator
276.142 -> is adding the production
277.501 -> reply URL in the allowed list on the Azure Portal.
280.875 -> Another instance where this error is encountered is when
283.875 -> developers use reply URLs starting with localhost in their
288.209 -> local machines while developing the application,
291.624 -> and miss adding that
293.127 -> reply URL to the allowed list in the
295.584 -> Azure Portal.
297.624 -> We just looked at a frequent problem with an amazingly
300.667 -> simple solution. I really hope it was useful for you.
304.875 -> See you next time. Thank you.
306.875 -> >> [MUSIC]

Source: https://www.youtube.com/watch?v=a_abaB7494s