Azure AD (OIDC) login failed when Redirect URI is not set correctly

Solution Verified

Environment

  • Azure Red Hat OpenShift [ARO]
    • 4.x

Issue

  • Cluster OAuth login using Azure AD (OpenID Connect) fails with an AADSTS50011 error

Login error (screenshot)

Resolution

  • Get the application (client) ID of the Azure AD app registration from the error message:
the request does not match the redirect URIs configured for the application '09d97a70-a13b-481f-94b4-fdfcd33eba4a'.
  • Get the OpenShift OAuth callback URI that the cluster sent, also from the error message:
 The redirect URI 'https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/ADD2'
  • List the Redirect URIs registered on the Azure AD application and compare them with the OpenShift OAuth callback URI above (here they do not match: the registered URI points at a different cluster and a different identity provider name):
$ az ad app show --id 09d97a70-a13b-481f-94b4-fdfcd33eba4a | jq -r .web.redirectUriSettings
[
  {
    "index": null,
    "uri": "https://oauth-openshift.apps.byh4kqxx.eastus.aroapp.io/oauth2callback/AAD3"
  }
]

  • Update the Redirect URI of the Azure AD application to the OpenShift OAuth callback URI (Azure AD Redirect URIs screenshot), then verify the Redirect URIs in Azure AD again:
$ az ad app show --id 09d97a70-a13b-481f-94b4-fdfcd33eba4a | jq -r .web.redirectUriSettings
[
  {
    "index": null,
    "uri": "https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/AAD2"
  }
]
  • Log in through the AAD2 identity provider again
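The comparison in the steps above can be scripted so the mismatch is caught before users hit it. The following POSIX shell script is an added example and is not part of this solution: it builds the callback URI that OpenShift sends for a given apps domain and identity provider name, checks it against the redirect URIs on the Azure AD application with an exact string match (which is how Azure AD evaluates reply URLs), and prints the az command that would register the correct one. The cluster domains, identity provider names and URIs are constructed sample data mirroring this case; the LIVE=1 mode and the APP_ID and IDP_NAME variables are assumptions, and in that mode the apps domain is read from the cluster Ingress config and the registered URIs from `az ad app show --query web.redirectUris`.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: compute the callback URL that an
# OpenShift cluster sends to Azure AD and check it against the redirect URIs on the
# Azure AD app registration, so an AADSTS50011 mismatch is caught before users hit it.

# OpenShift's OAuth callback is
#   https://oauth-openshift.<apps domain>/oauth2callback/<identity provider name>
# where <identity provider name> is the .name of the entry in the OAuth CR.
expected_redirect_uri() {
  printf 'https://oauth-openshift.%s/oauth2callback/%s\n' "$1" "$2"
}

# Succeed only if $1 is exactly one of the newline-separated URIs in $2.
# Azure AD compares reply URLs exactly, so no normalisation is applied here.
uri_registered() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Report OK (status 0) or MISMATCH (status 1) for one cluster/IdP/app combination.
check_redirect_uri() {
  apps_domain=$1
  idp_name=$2
  registered=$3
  expected=$(expected_redirect_uri "$apps_domain" "$idp_name")
  if uri_registered "$expected" "$registered"; then
    echo "OK: $expected is registered on the Azure AD application"
    return 0
  fi
  echo "MISMATCH: the cluster will send $expected"
  echo "Azure AD application currently has:"
  printf '%s\n' "$registered" | sed 's/^/  /'
  echo "Fix: az ad app update --id <app id> --web-redirect-uris '$expected'"
  return 1
}

# Constructed sample data mirroring the article: cluster rfm6otw7 with an identity
# provider named AAD2, while the app registration still points at another cluster.
STALE_URIS='https://oauth-openshift.apps.byh4kqxx.eastus.aroapp.io/oauth2callback/AAD3'
FIXED_URIS='https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/AAD2'

if [ "${LIVE:-0}" = 1 ]; then
  # Live mode (assumed environment variables APP_ID and IDP_NAME): read the apps
  # domain from the cluster and the registered URIs from the app registration.
  apps_domain=$(oc get ingress.config.openshift.io cluster -o jsonpath='{.spec.domain}')
  registered=$(az ad app show --id "$APP_ID" --query 'web.redirectUris' -o tsv)
  check_redirect_uri "$apps_domain" "$IDP_NAME" "$registered"
else
  check_redirect_uri apps.rfm6otw7.eastus.aroapp.io AAD2 "$STALE_URIS" || true   # MISMATCH
  check_redirect_uri apps.rfm6otw7.eastus.aroapp.io AAD2 "$FIXED_URIS"           # OK
fi
```

Run it with `LIVE=1 APP_ID=<application id> IDP_NAME=<OAuth CR identityProviders name> sh check-redirect.sh` against a real cluster; without LIVE=1 it only exercises the constructed sample data. Because the match is exact, a one-character difference in the identity provider segment (for example ADD2 versus AAD2) is reported as a mismatch, just as Azure AD reports it.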

Root Cause

  • Azure AD returns AADSTS50011 when none of the Redirect URIs registered on the application exactly matches the OpenShift OAuth callback URI sent in the authorization request. OpenShift sends https://oauth-openshift.apps.<cluster domain>/oauth2callback/<identity provider name>, so the scheme, the cluster host and the identity provider name segment all have to match the registered URI exactly.

See Microsoft's troubleshooting article for this error: error-code-aadsts50011-reply-url-mismatch

Diagnostic Steps

The following error appears on the OpenShift login page when logging in with Azure AD:

Message: AADSTS50011: The redirect URI 'https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/ADD2' specified in the request does not match the redirect URIs configured for the application '09d97a70-a13b-481f-94b4-fdfcd33eba4a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. 

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
