Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure B2C Owin redirect_uri_mismatch when using custom domain

Copper Contributor

I have configured an MVC application using the Owin components to authenticate users against Azure B2C.  Everything works just fine when using the appname.azurewebsites.net URL.

 

Now, we've added a custom domain name (myapp.ourdomain.com) to the web application and bound an SSL certificate to the site.  I have updated the B2C application Reply URL from appname.azurewebsites.net to myapp.ourdomain.com and configured web.config to use this URI as the reply URL for authentication requests as well. 

 

When browsing to the site using the custom domain name, I am now put in an endless request loop with login.microsoftonline.com.  Using Fiddler, I can see that the request to login.microsoftonline.com has the correct redirect_uri parameter pointing to myapp.ourdomain.com.    However, the response indicates "The redirect URI https://myapp.appname.onmicrosoft.com provided in the request is not registered for the client id..."

 

Here is where the confusion is...  the URL in the error message is something that we don't have configured anywhere and doesn't exist in the request...  from what I can tell, it is formed by concatenating the hostname (myapp) with the tenant name (appname) and onmicrosoft.com.  So based on the obfuscated values I've described here, my redirect_uri sent in the request is https://myapp.ourdomain.com and the error says that https://myapp.appname.onmicrosoft.com is not registered.

 

Why is login.microsoft.com coming up with that for the redirect, and why doesn't it respect the value provided in the Azure Portal for the B2C application, along with the matching URL being sent in the request?

 

To be clear, when I revert back to using just the azurewebsites.net version of the names, it work fine.  It appears to be something with the custom domain name that is not compatible.

 

Any help would be greatly appreciated.

Thanks in advance...

 

1 Reply

UPDATE: I determined that because the B2C directory was setup with a custom domain name of ourdomain.com), there must have been an internal translation of that domain to the resource name (appname.onmicrosoft.com).  

 

myapp.ourdomain.com --> myapp.appname.onmicrosoft.com.

 

This was confirmed by sending that redirect URL in the request, but configuring the B2C application reply URL to myapp.appname.onmicrosoft.com.  There was no problem that the parameter didn't match up to the reply URL configured in B2C, but obviously I simply received a 404 since myapp.appname.onmicrosoft.com doesn't exist.

 

By creating a brand new B2C tenant/directory, and using only the appname.onmicrosoft.com resource name (no custom domain on the directory), the original problem has been resolved.