Reputation: 5355
I'm trying to figure out the cause of a certain error I am getting in the middle of the OAuth flow (with login.microsoftonline.com as IDP) in order to get access to a page.
The error is:
AADSTS50011 (The reply URL specified in the request does not match the reply URLs configured for the application: '89bee1f7-5e6e-4d8a-9f3d-ecd601259da7'.
Looking at the requests going out, I do see a request corresponding to that:
I've seen a few posts about AADSTS50011, some saying this may be a Microsoft issue and others saying the client ID in question needs to be registered. But my code is not using this mysterious client ID from anywhere and I'd like to know where it is coming from.
I'm not certain, but it seems this request may be coming from JavaScript from or related to https://webshell.suite.office.com/iframe/TokenFactoryIframe.
By the way, in the exchange of requests I see what looks like the proper client ID also being used (00000002-0000-0ff1-ce00-000000000000), and authentication seems to be succeeding. I even see the page in question start to load, but then in a few seconds the error comes up.
UPDATE: Related to this question is what the first URL above is actually doing. It is a link to /authorize whose redirect URI is the same location. This seems odd; is it to be expected in a normal OAuth flow? If so, why?
Upvotes: 1
Views: 8671
Reputation: 507
It appears that your application is using the ADAL.js library. The ADAL.js library is designed to be used in client-side JS web apps which run in a web browser, such as single-page apps. The request to https://login.microsoftonline.com is being made by ADAL.js using the OAuth 2.0 implicit flow protocol.
To answer your question about the error, you will need to set the redirect URI in your Azure AD application registration to match the redirect URI in the ADAL.js configuration. By default ADAL.js uses the application's start page as the redirect URI. You will also need to set the client ID of your application in the ADAL.js configuration. See this wiki for details on configuring ADAL.js. Also, you can follow the registration steps and this sample using ADAL.js.
Upvotes: 1
Reputation: 7728
The error message is fairly clear. Your application needs to be registered under your AAD tenant and whatever you enter for the reply URL/Redirect URI in your code needs to match what you have set in the tenant.
Here is the guide for registering native apps, as the process is a bit different. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application
For an app that is published under the Azure AD tenant the Client ID is the same as the Application ID. For a native app the App ID and Client ID are synonymous.
Upvotes: 0
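Both answers come down to the same check: the `client_id` in the captured /authorize request must belong to an app registration in the tenant, and the `redirect_uri` in that request must match one of the reply URLs configured for that registration. The following is an added example, written for this thread and not code from the question, either answer, ADAL.js or Azure AD. It parses a captured /authorize URL and runs that comparison against a constructed model of the registration, so a developer can see which of the two conditions a request fails before touching the portal. The client ID, tenant name, reply URLs and the strict string comparison are all assumptions; the `effectiveRedirectUri` helper only models the "start page is the default redirect URI" behaviour the first answer describes and was not checked against the library source.

```javascript
// Added example, not from the original thread. Models the two conditions behind
// AADSTS50011-style failures: unknown client_id, or redirect_uri not among the
// reply URLs registered for that client_id. All sample data is constructed.

// Parse the query string of an /authorize request into the fields that matter here.
function parseAuthorizeRequest(authorizeUrl) {
  const u = new URL(authorizeUrl);
  const p = u.searchParams; // URLSearchParams percent-decodes values for us
  return {
    tenantPath: u.pathname,               // e.g. /common/oauth2/authorize
    clientId: p.get("client_id"),
    redirectUri: p.get("redirect_uri"),
    responseType: p.get("response_type"), // "id_token" / "token" => implicit flow
    nonce: p.get("nonce"),
  };
}

// Strict string comparison: scheme, host, port, path and trailing slash all count.
// Assumption: "must match" is modelled as an exact match, the strictest reading.
function redirectUriMatches(requested, registered) {
  return registered.some((r) => r === requested);
}

// registrations: constructed model of the tenant, client_id -> [reply URLs].
// Returns a diagnosis object rather than throwing, so callers can log it.
function diagnoseAuthorizeRequest(authorizeUrl, registrations) {
  const request = parseAuthorizeRequest(authorizeUrl);
  if (!request.clientId || !request.redirectUri) {
    return { ok: false, reason: "missing_client_id_or_redirect_uri", request };
  }
  const registered = registrations[request.clientId];
  if (!registered) {
    return { ok: false, reason: "unknown_client_id", request };
  }
  if (!redirectUriMatches(request.redirectUri, registered)) {
    return { ok: false, reason: "redirect_uri_mismatch", request, registered };
  }
  return { ok: true, reason: "ok", request };
}

// Models the ADAL.js default described in the first answer: with no redirectUri
// in the config, the app's own page is used. Stripping query and fragment here
// is an assumption about that default, not verified against the library.
function effectiveRedirectUri(adalConfig, currentPageUrl) {
  if (adalConfig.redirectUri) return adalConfig.redirectUri;
  const u = new URL(currentPageUrl);
  return `${u.origin}${u.pathname}`;
}

// Build a minimal implicit-flow /authorize URL for a given client and reply URL.
function buildAuthorizeUrl(clientId, redirectUri) {
  const u = new URL("https://login.microsoftonline.com/common/oauth2/authorize");
  u.searchParams.set("response_type", "id_token");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("nonce", "constructed-nonce");
  return u.toString();
}

// Constructed sample data (placeholders, not real registrations).
const SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555";
const SAMPLE_REGISTRATIONS = {
  [SAMPLE_CLIENT_ID]: [
    "https://app.example.test/",
    "https://app.example.test/auth-callback",
  ],
};
// ADAL.js-style config object (keys tenant/clientId/redirectUri); no redirectUri set.
const SAMPLE_ADAL_CONFIG = { tenant: "contoso.example.test", clientId: SAMPLE_CLIENT_ID };

// Walk through the cases a developer would compare against a captured request.
const cases = [
  buildAuthorizeUrl(SAMPLE_CLIENT_ID, "https://app.example.test/auth-callback"),
  buildAuthorizeUrl(SAMPLE_CLIENT_ID, "https://app.example.test/auth-callback/"),
  buildAuthorizeUrl("99999999-0000-0000-0000-000000000000", "https://app.example.test/"),
];
for (const url of cases) {
  const d = diagnoseAuthorizeRequest(url, SAMPLE_REGISTRATIONS);
  console.log(d.request.clientId, d.request.redirectUri, "=>", d.reason);
}
console.log("default redirect_uri:",
  effectiveRedirectUri(SAMPLE_ADAL_CONFIG, "https://app.example.test/?x=1#y"));
```

The second case fails only because of the trailing slash, which is the kind of difference that is easy to miss when comparing a captured request against the portal by eye; the third mirrors the situation in the question, where a request carries a client ID that is not registered in the tenant at all.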