Problem:

See the update at the end: this is no longer an issue.

The customer configures the following redirect URLs for their registered application in Azure AD

[screenshot: the application's configured redirect URLs in the Azure AD portal]

and issues the following request to authenticate to Azure AD:

GET https://login.microsoftonline.com/<tenant id>/oauth2/authorize?client_id=<app id>&redirect_uri=https%3a%2f%2flocalhost%3a44396%2fbac%2faad%3freqId%3dA123&response_mode=form_post&….

After logging in, the user is redirected to https://localhost:44396/bac/aad instead of https://localhost:44396/bac/aad?reqId=A123.

The query string that was appended to redirect_uri (?reqId=A123) is dropped; only the registered URL comes back.

Root Cause:

The behavior is by design. Azure AD redirects only to the registered reply URL and strips anything appended to it; this is a security feature intended to prevent covert redirect attacks, in which an attacker abuses a redirect URL that matches a registered one but carries extra, attacker-supplied parameters.

Resolution:

We recommend that the customer use the OAuth 2.0 'state' parameter, rather than a query string on redirect_uri, to preserve per-request state across the round trip. Azure AD returns 'state' unchanged in the response, so the application should treat it as an opaque, unguessable token that it issued and can validate on the callback (this also gives the CSRF protection that RFC 6749 recommends the parameter for), rather than echoing request data in it verbatim.
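The following is an added example of that pattern, not code from the original post or from Azure AD's libraries. It assumes placeholder values for the tenant, client id and request id, and uses an in-memory dict in place of real server-side session storage; the redirect_uri sent to Azure AD is exactly the registered reply URL, and the request id travels server-side, keyed by a one-time 'state' token that is validated when the response_mode=form_post callback arrives.

```python
"""
Carry per-request state through an Azure AD authorization request with the
OAuth 2.0 `state` parameter instead of a query string on redirect_uri.

Added example, not from the original post. Everything below is constructed:
TENANT_ID, CLIENT_ID and the request id are placeholders, and the "session
store" is an in-memory dict standing in for server-side session storage.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
TENANT_ID = "contoso.onmicrosoft.com"                 # placeholder tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder app id
REDIRECT_URI = "https://localhost:44396/bac/aad"      # registered reply URL, no query string
STATE_TTL_SECONDS = 600                               # how long a pending login may take


def build_authorize_url(req_id, session_store, now=None):
    """Return (authorize_url, state) for a new login round trip.

    `state` is an unguessable one-time token. The data we want to survive the
    round trip (req_id) stays server-side, keyed by that token, so nothing
    application-specific is appended to redirect_uri and the token doubles as
    a CSRF check on the callback.
    """
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    session_store[state] = {"req_id": req_id, "issued_at": now}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,   # must match the registered URL exactly
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
    }
    return f"{AUTHORITY}/{TENANT_ID}/oauth2/authorize?{urlencode(params)}", state


def handle_callback(form_fields, session_store, now=None):
    """Validate the posted callback and return the req_id it belongs to.

    `form_fields` is the body of the response_mode=form_post request as a
    dict. The state must be one we issued, unexpired, and used only once; a
    missing, unknown or replayed state is rejected as a forged callback.
    """
    now = time.time() if now is None else now
    state = form_fields.get("state")
    if not state:
        raise ValueError("callback without state")
    entry = session_store.pop(state, None)   # pop enforces one-time use
    if entry is None:
        raise ValueError("unknown or replayed state")
    if now - entry["issued_at"] > STATE_TTL_SECONDS:
        raise ValueError("expired state")
    if "error" in form_fields:
        raise ValueError(f"authorization failed: {form_fields['error']}")
    if "code" not in form_fields:
        raise ValueError("callback without authorization code")
    return entry["req_id"]


def redirect_uri_in(authorize_url):
    """Decode the redirect_uri parameter of an authorize URL we built."""
    return parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]


if __name__ == "__main__":
    store = {}
    url, state = build_authorize_url("A123", store)
    print("authorize URL:", url)
    # Constructed callback body, as Azure AD would POST it to REDIRECT_URI.
    posted = {"code": "constructed-authorization-code", "state": state}
    print("recovered req_id:", handle_callback(posted, store))
```

Because the lookup uses `pop`, a second callback carrying the same state is rejected, and a state the application never issued is rejected the same way; both checks fall out of keeping the request data server-side instead of in the URL.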

Update 8/15/2019

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#redirect-uris-can-now-contain-query-string-parameters

Azure AD now accepts reply URLs that contain a query string. This functionality is not yet available in the portal UI, so such a URL is added by editing the application manifest in the App Registration portal, as in the following fragment.

"publisherDomain": "xxx.onmicrosoft.com",
"replyUrlsWithType": [
    {
        "url": "https://localhost",
        "type": "Web"
    },
    {
        "url": "https://www.contoso.com/otdsws/login?authhandler=Microsoft+OAuth",
        "type": "Web"
    }
],

"requiredResourceAccess": [
    {

..

Update 8/23/2019 – You can now enter a reply URL with a query string directly in the App Registration UI.
