Azure AD Ms Identity callback URL (error AADSTS50011)


I'm integrating Azure AD and MS-Identity on a web app with Angular. It works on my machine, but when I deploy it, I get an issue with the callback URL.

First, to make sure the callback URL is ok, I extract it from the microsoft login popup window's URL:

[Screenshot: login popup window]

Then, I URL-decode the content. The URL seems fine and it is available in my Azure app's redirect URLs.

[Screenshot: available redirect URLs in the app registration]

Then I login to Microsoft normally and I get this error (AADSTS50011):

[Screenshot: AADSTS50011 error message]

Then I inspect the URL again (inside the query string from the urldecoded popup window's URL) and now the URL seems to have been "tampered with". It's now something like this: http://somedomain:80/some_page/somequerystring instead of https://somedomain/some_page/somequerystring so I wonder if it's part of the problem or if it's normal behavior.

It also says "If you contact your administrator, send this info to them." I suppose I'm the "administrator", so what can I do with that "Copy info to clipboard" info to investigate the problem?

There is 1 best solution below


Is your application hosted on http (80) or https (443)? If your app service is terminating your TLS connection and handling that for you instead of your app, your sign-on will construct the redirect using the http request scheme. I hooked into the OnRedirectToIdentityProvider event to correct the scheme.

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// In Startup.ConfigureServices: register the OIDC handler and hook the event
// that fires just before the browser is sent to the Azure AD authorize endpoint.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureAd", options);
        options.Events ??= new OpenIdConnectEvents();
        options.Events.OnRedirectToIdentityProvider += _fixRedirect;
    });

...

// Rewrite redirect_uri to https before the authorize request leaves the app,
// so it matches the https URL registered on the app. The StartsWith guard
// keeps the Replace from running twice; Replace touches every "http"
// substring, which is harmless for a plain https://host/signin-oidc URI.
private Task _fixRedirect(RedirectContext context)
{
    context.Request.Scheme = "https";
    if (!context.ProtocolMessage.RedirectUri.StartsWith("https"))
        context.ProtocolMessage.RedirectUri =
            context.ProtocolMessage.RedirectUri.Replace("http", "https");
    return Task.CompletedTask;
}
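The event hook above patches the symptom. The root cause is that an app behind a TLS-terminating proxy (Azure App Service's front end, a load balancer, a reverse proxy) receives a plain-http connection and so builds every absolute URL, redirect_uri included, with Request.Scheme == "http". ASP.NET Core's standard remedy is the Forwarded Headers middleware, which rewrites Request.Scheme and Request.Host from the proxy's X-Forwarded-Proto and X-Forwarded-Host headers before the OIDC handler runs. The following is an added example, not code from the original answer or from Microsoft.Identity.Web; it assumes .NET 6+ minimal hosting, a Microsoft.Identity.Web reference, an "AzureAd" configuration section, and a placeholder proxy network of 10.0.0.0/8.

```csharp
// Added example: fix the http-vs-https redirect_uri at its source by trusting
// the proxy's X-Forwarded-* headers, restricted to a known proxy network.
// Assumptions (not from the original page): .NET 6+ minimal hosting,
// Microsoft.Identity.Web, an "AzureAd" config section, proxy on 10.0.0.0/8.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Honour scheme, host and client IP as reported by the proxy.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost
                             | ForwardedHeaders.XForwardedFor;

    // The defaults trust only loopback. Replace them with the real proxy
    // network instead of clearing them: with no KnownNetworks/KnownProxies
    // any client could send X-Forwarded-Proto/Host and have the app build
    // redirect URLs and cookies for a host of the attacker's choosing.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
        System.Net.IPAddress.Parse("10.0.0.0"), 8)); // placeholder network
});

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: forwarded headers must be applied before the authentication
// middleware so Request.Scheme is already "https" when the OIDC handler
// computes redirect_uri for the authorize request (and when it validates the
// callback on /signin-oidc).
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint: shows the scheme and host the app actually sees, which
// is what ends up in redirect_uri. Compare it with the registered URL when
// AADSTS50011 appears.
app.MapGet("/whoami", (HttpRequest request) =>
        $"scheme={request.Scheme} host={request.Host} path={request.PathBase}")
    .RequireAuthorization();

app.Run();
```

With this in place the string rewrite in the event handler is no longer needed, and the same corrected scheme is used for every other absolute URL the app emits (sign-out redirects, antiforgery and authentication cookie attributes, links). Hitting /whoami through the proxy should report scheme=https; if it still reports http, the proxy is either not sending X-Forwarded-Proto or is not inside the configured known network. Keep the known-network restriction: the forwarded headers are just request headers, and trusting them from any source lets a caller steer redirect_uri and cookie scope.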