Forum Discussion
Azure AD App with wild card reply urls
Were you able to find a way to supply wildcard reply URLs? In the new App registrations page, it is not possible to add wildcards, so I guess this is not really supported.
Update: I kept searching and found this:
4.1.5. Threat: Open Redirectors on Client
An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation. If the authorization server allows the client to register only part of the redirect URI, an attacker can use an open redirector operated by the client to construct a redirect URI that will pass the authorization server validation but will send the authorization "code" or access token to an endpoint under the control of the attacker.
Impact: An attacker could gain access to authorization "codes" or access tokens.
Countermeasures:
o Require clients to register full redirect URI (Section 5.2.3.5)."
using oauth2 protocol this is not possible because the authentication request cannot be signed. But this could be possible using SAML protocol if AZure AD would implement the feature to validate the signature of the saml request, in this way the client app could change runtime the value of assertion consumer url contained in the saml request.
