OAuth with Azure Active Directory: Azure AD returns an incorrect value for the state parameter after denying admin-consent scopes
During an OAuth interaction with Azure AD, it appears that Azure returns an incorrect value for the state parameter after a user denies the grant of admin-consent scopes.
When constructing the URL that requests an authorization code from Azure AD via the Azure AD v2.0 endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, let us specify the state parameter as a+b. URL-encoding this state parameter value gives a%2bb, which is put into the URL that requests the authorization code from Azure AD.
If the request specifies scopes that require administrator consent, and that consent has not been granted in the past, Azure returns the following page, as expected:
I was trying to verify the application logic that handles errors returned by Azure. I denied consent by clicking the "Return to the application without granting consent" link. After that, as expected, Azure returned an error response to the app's redirect URI. Azure populated the data in the HTTP body as follows:
Azure populated the state parameter with the value a%252bb. This is not correct. The expected value is a%2bb, i.e. the same value that was specified earlier when calling Azure's authorization-code request endpoint described above. It looks as if Azure somehow performed double URL encoding; in other words, it URL-encoded the already URL-encoded state parameter, changing a%2bb into a%252bb (the % was encoded as %25; in addition, strangely, the b somehow became b).
It appears that Azure has an issue in the code path that handles users clicking the "Return to the application without granting consent" link, i.e. denying admin-consent scopes. In the other scenario, where users deny user-consent scopes, Azure does not appear to have the issue: it returns the proper value of the state parameter, as illustrated below:
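To show what a relying party should do with the callback described above, here is an added example (not code from the original post): it builds the authorize URL with a single layer of encoding, decodes the returned state exactly once, and rejects the callback when the value does not match. The tenant, client id, redirect URI and scopes are placeholders; the constructed callback bodies mirror the a%2bb and a%252bb values observed in the post.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, unquote

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Build the v2.0 authorize URL; urlencode percent-encodes state once ("a+b" -> "a%2Bb")."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def state_from_callback(url_or_body):
    """Return the state from a redirect URL query or a form-encoded POST body.

    parse_qs decodes exactly once, which is the only decoding a client should
    apply; a doubly encoded a%252bb therefore comes back as a%2bb, not a+b.
    """
    query = urlsplit(url_or_body).query if "://" in url_or_body else url_or_body
    values = parse_qs(query).get("state", [])
    return values[0] if len(values) == 1 else None  # reject missing/duplicate state


def callback_state_matches(expected_state, url_or_body):
    """Strict comparison against the state stored in the user's session."""
    return state_from_callback(url_or_body) == expected_state


def looks_double_encoded(expected_state, url_or_body):
    """Diagnostic only (for logging): true when one extra decode would match.

    Do not use this to accept the callback; loosening the state check would
    weaken the CSRF protection that state exists to provide.
    """
    got = state_from_callback(url_or_body)
    return got is not None and got != expected_state and unquote(got) == expected_state
```
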
I tried again today. It looks like Microsoft has removed the "Return to the application without granting consent" link. The issue mentioned earlier in this post no longer exists.