Reputation: 11
We're trying to move from the older WindowsLive API to the new Microsoft Graph API. In the process, we're running into difficulty with the required OAuth 2.0 redirect_uri parameter in the app.
According to the OAuth 2.0 RFC, the redirect_uri must be an absolute path but can contain a properly encoded query string.
In our Windows app, we've set up the absolute path; their application tool doesn't allow query strings to be added: https://example.com/index.php
The OAuth request we make uses a redirect_uri with URL encoding, including query params. This is necessary: we use a CMS (Joomla) that needs to know what should handle the request:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
response_type=code&
client_id={string}&
redirect_uri=https%3A%2F%2Fexample.com%2Findex.php%3Foption%3Dcom_jfbconnect%26task%3Dauthenticate.callback%26provider%3Dwindowslive&
scope=user.read&
state={string}&
access_type=offline&
approval_prompt=auto
However, the Graph API rejects this with:
"The reply url specified in the request does not match the reply urls configured for the application"
Anyone else run into this or understand why the Graph API doesn't accept query parameters either in the app configuration or on the token requests?
Edit - 5/8 - However, the application setup area does not allow query strings in the redirect_uri setting, which is correct according to the RFC. However, the Graph API isn't respecting this note of the RFC:
The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters.
Upvotes: 1
Views: 2113
Reputation: 33094
This isn't actually being rejected by Microsoft Graph. Microsoft Graph is simply an API and it doesn't generate or manage access tokens. That process is handled by Azure Active Directory.
The error you're getting is due to your redirect_uri not being configured in your app registration at https://apps.dev.microsoft.com. The URL must explicitly match the URL configured in the registration. From the documentation:
"The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except it must be url encoded."
For scenarios where you need to pass data through, you should encode those values in your state parameter. This will be returned to your redirect URI along with the authorization code.
Also note that neither access_type=offline nor approval_prompt=auto is a valid query parameter:
- To get a refresh_token, you add offline to your list of scopes (user.read+offline).
- To control prompting, use the prompt parameter. Valid options are login, none, and consent.
Upvotes: 3
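The approach the answer describes, as an added example that is not part of the original question or answer and not Joomla or Microsoft code: the redirect_uri sent to the authorize endpoint is exactly the registered value (no query string), and the CMS routing data (option, task, provider) travels in the state parameter instead. The state is HMAC-signed and bound to a per-session nonce so that a tampered or replayed callback is rejected, which is the CSRF protection the state parameter exists for. The endpoint, client_id, redirect URI, HMAC key and the simulated callback are placeholders constructed for the example. The scope list uses offline_access, which is the scope name the v2.0 endpoint actually requires for a refresh token.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values for this example (not real identifiers).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
REGISTERED_REDIRECT_URI = "https://example.com/index.php"  # registered as-is, no query string
CLIENT_ID = "00000000-0000-0000-0000-000000000000"         # placeholder application (client) ID
STATE_KEY = secrets.token_bytes(32)  # HMAC key; a real app loads it from config, not per process


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def redirect_uri_is_registered(candidate: str, registered=(REGISTERED_REDIRECT_URI,)) -> bool:
    """Mirror the authorization server's rule: the decoded value must equal a registered URI exactly.
    A query string appended to the registered URI therefore fails the check."""
    return candidate in registered


def make_state(routing: dict, nonce: str, key: bytes = STATE_KEY) -> str:
    """Pack routing data plus a per-request nonce into state and sign it with HMAC-SHA256."""
    payload = dict(routing, nonce=nonce)
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def parse_state(state: str, key: bytes = STATE_KEY) -> dict:
    """Verify the signature and return the payload; raise ValueError on tampering."""
    body, sep, tag = state.partition(".")
    if not sep:
        raise ValueError("malformed state")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(tag)):
        raise ValueError("state signature mismatch")
    return json.loads(_unb64url(body))


def build_authorize_url(routing: dict, session: dict, key: bytes = STATE_KEY) -> str:
    """Build the authorize request; the nonce is also kept in the caller's session for CSRF binding."""
    nonce = secrets.token_urlsafe(16)
    session["oauth_nonce"] = nonce
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,  # urlencode() percent-encodes it, as the docs require
        "scope": "user.read offline_access",      # offline_access yields a refresh token on v2.0
        "state": make_state(routing, nonce, key),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_query(url: str) -> dict:
    """Single-valued view of a URL's query string (no repeated keys occur in these URLs)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(callback_url: str, session: dict, key: bytes = STATE_KEY) -> dict:
    """Recover the routing data from state on the callback and bind it to this session's nonce.
    The nonce is consumed, so replaying the same callback is rejected."""
    q = parse_query(callback_url)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    payload = parse_state(q["state"], key)
    nonce = payload.get("nonce")
    expected = session.pop("oauth_nonce", None)
    if not nonce or not expected or not hmac.compare_digest(nonce, expected):
        raise ValueError("state nonce does not match this session")
    routing = {k: v for k, v in payload.items() if k != "nonce"}
    return {"code": q["code"], "routing": routing}


if __name__ == "__main__":
    session = {}
    routing = {"option": "com_jfbconnect", "task": "authenticate.callback", "provider": "windowslive"}
    url = build_authorize_url(routing, session)
    print(url)
    # Simulated callback from the authorization server (constructed for the example).
    cb = REGISTERED_REDIRECT_URI + "?" + urlencode({"code": "AUTHCODE", "state": parse_query(url)["state"]})
    print(handle_callback(cb, session))
```

The callback handler is what index.php would run before dispatching to the component named in the recovered routing data; because the routing is only trusted after the signature and nonce check, a crafted callback cannot steer the request to a different handler.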