OAuth with Azure Active Directory: Azure AD returns incorrect value for the State parameter after denying admin-consent scopes


During an OAuth interaction with Azure AD, it appears that Azure returns an incorrect value for the state parameter after a user denies granting admin-consent scopes.

When constructing the URL to request an authorization code from Azure AD via the Azure AD v2.0 endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, let us specify the state parameter as a+b. URL-encoding the state parameter value gives a%2bb, which is put in the URL requesting the authorization code from Azure AD.

If the request specifies scopes that require administrator consent and that have not been granted in the past, Azure returns the following page, as expected:

App requires administrator consent

I was trying to verify my application's logic for handling errors returned by Azure. I denied consent by clicking the "Return to the application without granting consent" link. After that, Azure, as expected, returned an error response to the app's redirect URI. Azure populated the data in the HTTP body as follows:

Error response after denying admin-consent scopes

Azure populated the state parameter with the value a%252bb. This is not correct. The expected value should be a%2bb, i.e. the same value specified earlier when calling the Azure authorization code request endpoint described above. It looks like Azure somehow performed double URL encoding; in other words, it encoded the already URL-encoded state parameter, changing a%2bb to a%252bb. (% is encoded as %25. In addition, strangely, B somehow became b.)

It appears Azure has an issue in the code path that handles users clicking the "Return to the application without granting consent" link to deny admin-consent scopes. In the other scenario, where users deny user-consent scopes, Azure does not appear to have the issue. Azure returns the proper value for the state parameter, as illustrated below:

Error response after denying user-consent scopes
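The flow described above, written out as an added example (this is not code from the original post and not Microsoft's own client library): the authorize URL is built with the state encoded once, and the error redirect body is decoded exactly once and compared against the stored state. The tenant, client ID and redirect URI are placeholders, `response_mode=form_post` is assumed because the post says the error arrived in the HTTP body, and the two callback bodies are constructed to mirror the correct (a%2Bb) and double-encoded (a%252Bb) values the post shows. The point of the example is that a client must treat the double-encoded value as a state mismatch and reject it, rather than decoding again to make it match, because a second decode would also accept values an attacker crafted to survive it.

```python
"""Added example: Azure AD v2.0 authorize URL with a state value, and
validation of the state that comes back on the redirect. All identifiers
below are placeholders chosen for the example."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def new_state():
    """Random, URL-safe state (only [A-Za-z0-9_-]), so there is no '+', '/'
    or '=' whose encoding could be mangled by any party in the redirect."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Assemble the authorization-code request. urlencode percent-encodes the
    state exactly once, so the value "a+b" is sent as state=a%2Bb."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",  # assumption: error is posted in the body
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def parse_callback(body):
    """Decode an application/x-www-form-urlencoded redirect body exactly once.
    parse_qs maps %2B to '+' and %25 to '%'. It also maps a bare '+' to a
    space, which is why the state must be percent-encoded on the way out.
    A double-encoded state=a%252Bb therefore comes back as the string a%2Bb."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify_callback(expected_state, body):
    """Return 'denied', 'code', 'malformed' or 'state_mismatch'.

    The state is checked first, with a constant-time comparison, before the
    error or code is looked at. A mismatch is never "repaired" by decoding a
    second time: the state is the CSRF binding for the whole exchange, and
    a client that unquotes until something matches has no binding at all."""
    fields = parse_callback(body)
    received = fields.get("state", "")
    if not hmac.compare_digest(expected_state.encode(), received.encode()):
        return "state_mismatch"
    if "error" in fields:
        return "denied"
    if "code" in fields:
        return "code"
    return "malformed"


if __name__ == "__main__":
    state = "a+b"  # the post's example state; new_state() is what production code should use
    print(build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback", ["User.Read"], state))
    # Constructed bodies modelled on the post: correctly encoded, then double-encoded.
    good = "error=access_denied&error_description=The+user+denied+consent&state=a%2Bb"
    bad = "error=access_denied&error_description=The+user+denied+consent&state=a%252Bb"
    print(classify_callback(state, good))  # denied
    print(classify_callback(state, bad))   # state_mismatch
```

In practice, generate the state with `new_state()` and store it server-side keyed to the user's session; a random URL-safe value sidesteps the encoding ambiguity entirely, and the mismatch path above still catches a redirect whose state was altered in transit or replayed from another session.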

I tried again today. It looks like Microsoft has removed the "Return to the application without granting consent" link. The issue mentioned earlier in this post no longer exists.

You can't access the application page
