Azure AD App with wildcard reply URLs

unnie ayilliath
Contributor

Hi all,

I have an Angular 5 app which is authenticated against Azure AD using ADAL.js. The whole app is protected by Azure AD and the user needs to be logged in to be able to access any page.

Now in my Azure AD app I have added the reply URL "https://app.domain.com".

Scenario 1:

In a fresh session the user hits https://app.domain.com, gets authenticated by Azure AD and returns to the web site.

Scenario 2:

In a fresh session the user hits https://app.domain.com/page1, gets authenticated by Azure AD, and Azure AD does not return the user to my website but shows the error "https://app.domain.com/page1 is not registered as a reply URL in the Azure AD app".

Now if I go to my Azure AD app and make the reply URL a wildcard URL like "https://app.domain.com/*", then the redirection flow after authentication works perfectly for all pages inside my website.

I see there is one blog post about this method: http://paulryan.com.au/2016/azure-ad-app-wildcard-reply-url/

So is the wildcard URL approach for the reply URL safe to use? The blog above says there are some security concerns, but I cannot find out what those concerns are.

Also, is the wildcard URL approach the correct approach here?

Thanks 

1 Reply

Were you able to find a way to supply wildcard reply URLs? In the new App registrations page it is not possible to add wildcards, so I guess this is not really supported.

Update: I kept searching and found this (RFC 6819, section 4.1.5):

4.1.5. Threat: Open Redirectors on Client

An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation. If the authorization server allows the client to register only part of the redirect URI, an attacker can use an open redirector operated by the client to construct a redirect URI that will pass the authorization server validation but will send the authorization "code" or access token to an endpoint under the control of the attacker.

Impact: An attacker could gain access to authorization "codes" or access tokens.

Countermeasures:

o Require clients to register full redirect URI (Section 5.2.3.5, https://tools.ietf.org/html/rfc6819#section-5.2.3.5).

Source: https://stackoverflow.com/questions/47520604/why-is-redirect-url-fully-qualified-in-azure-ad-b2c
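Added example, not code from the thread or from ADAL.js: a small JavaScript model of the threat the quoted RFC text describes, and of the exact-reply-URL alternative for the questioner's Scenario 2. It assumes app.domain.com as in the question, a hypothetical open redirector at /redirect?to= on that app, and a constructed attacker.example host; the token value is made up. The `authorize` function stands in for the identity provider's redirect_uri check, and `openRedirector` models the fact that a 3xx Location without a fragment inherits the fragment of the request URL (RFC 7231, section 7.1.2), which is how an implicit-flow token carried in the fragment travels on to the attacker.

```javascript
// Added example, not code from the thread. Names are illustrative:
// app.domain.com is the questioner's host, /redirect?to= is a HYPOTHETICAL
// open redirector on that app, attacker.example is a constructed attacker host.
const REGISTERED_EXACT = "https://app.domain.com";
const REGISTERED_WILDCARD = "https://app.domain.com/*";

// Exact-match validation (RFC 6819 section 5.2.3.5): the whole URI must
// match, including path, query and fragment.
function matchesExact(registered, candidate) {
  return new URL(registered).href === new URL(candidate).href;
}

// Wildcard validation: anything under the registered prefix is accepted.
function matchesWildcard(pattern, candidate) {
  if (!pattern.endsWith("/*")) return matchesExact(pattern, candidate);
  const prefix = pattern.slice(0, -1); // "https://app.domain.com/"
  return candidate.startsWith(prefix);
}

// The authorization server's redirect step (implicit flow, as ADAL.js uses):
// if redirect_uri validates, the token is appended to it as a fragment.
function authorize(validator, registered, redirectUri, token) {
  if (!validator(registered, redirectUri)) {
    return { ok: false, reason: "redirect_uri not registered" };
  }
  return { ok: true, url: `${redirectUri}#access_token=${token}` };
}

// Hypothetical open redirector on the client: 302s to the `to` parameter
// unchecked. A Location header without a fragment inherits the fragment of
// the request URL (RFC 7231 section 7.1.2), so the token rides along to `to`.
function openRedirector(requestUrl) {
  const u = new URL(requestUrl);
  return { location: u.searchParams.get("to"), fragment: u.hash };
}

// Returns the URL the token finally lands on, or null if the server refused.
function attackerLeaksToken(validator, registered) {
  const crafted = "https://app.domain.com/redirect?to=https://attacker.example/collect";
  const res = authorize(validator, registered, crafted, "eyJ.constructed");
  if (!res.ok) return null;
  const hop = openRedirector(res.url);
  return hop.location + hop.fragment;
}

// The fix for the questioner's Scenario 2 without a wildcard: keep only the
// exact reply URL registered and carry the intended in-app route in `state`,
// together with a CSRF value the app stored (e.g. in sessionStorage) before
// redirecting to the identity provider.
function buildAuthRequest(intendedPath, csrf) {
  return {
    redirect_uri: REGISTERED_EXACT,
    state: JSON.stringify({ p: intendedPath, c: csrf }),
  };
}

// Called on the reply URL: extracts the token, checks state, and returns the
// route to navigate to. Only in-app absolute paths are accepted, so state
// itself cannot become an open redirector ("//attacker.example", "/\evil").
function handleReply(replyUrl, expectedCsrf) {
  const params = new URLSearchParams(new URL(replyUrl).hash.slice(1));
  const state = JSON.parse(params.get("state") ?? "{}");
  if (state.c !== expectedCsrf) throw new Error("state mismatch");
  if (typeof state.p !== "string" || !/^\/(?![\/\\])/.test(state.p)) {
    throw new Error("refusing non-local post-login route");
  }
  return { token: params.get("access_token"), path: state.p };
}
```

Exact registration rejects the crafted redirect_uri outright, while the wildcard accepts it and the token ends up on attacker.example. The deep-link problem is solved by registering only https://app.domain.com and carrying the intended route in state; handleReply refuses any route that is not an in-app absolute path, so state does not turn into the very open redirector the RFC warns about.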
