Azure AD (OIDC) login failed when Redirect URI is not set correctly
Environment
- Azure Red Hat OpenShift [ARO]
- 4.x
Issue
- Cluster OAuth login using Azure AD (OpenID Connect) fails with the AADSTS50011 error
Resolution
- Get the Azure AD application (client) ID from the error message:
the request does not match the redirect URIs configured for the application '09d97a70-a13b-481f-94b4-fdfcd33eba4a'.
- Get the OpenShift OAuth redirect URI that was sent in the request from the same error message:
The redirect URI 'https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/ADD2'
- Check the redirect URIs registered on that application in Azure AD and confirm that they do not match the OpenShift OAuth URI above (here the registered URI points at a different cluster domain and identity provider name):
$ az ad app show --id 09d97a70-a13b-481f-94b4-fdfcd33eba4a | jq -r .web.redirectUriSettings
[
  {
    "index": null,
    "uri": "https://oauth-openshift.apps.byh4kqxx.eastus.aroapp.io/oauth2callback/AAD3"
  }
]
- Update the redirect URI on the application's Authentication page in Azure AD (App registrations, Microsoft_AAD_RegisteredApps) so that it exactly matches the OpenShift OAuth URI
- Verify the registered redirect URIs in Azure AD again:
$ az ad app show --id 09d97a70-a13b-481f-94b4-fdfcd33eba4a | jq -r .web.redirectUriSettings
[
  {
    "index": null,
    "uri": "https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/AAD2"
  }
]
- Log in using the AAD2 identity provider again
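As an added example (not part of this solution), the comparison in the steps above done with shell text tools: the script pulls the application ID and the requested redirect URI out of the AADSTS50011 message and checks the URI against the redirect URIs registered on the application. The Azure AD output is a constructed sample standing in for the live az command, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: check whether the redirect URI named in an AADSTS50011 error
# is registered on the Azure AD application. Not code from the Red Hat article.
set -eu

# Constructed sample of the AADSTS50011 message shown on the OpenShift login page.
AADSTS_MESSAGE="AADSTS50011: The redirect URI 'https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/ADD2' specified in the request does not match the redirect URIs configured for the application '09d97a70-a13b-481f-94b4-fdfcd33eba4a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal."

# Constructed sample standing in for the live output of:
#   az ad app show --id <app-id> | jq -r .web.redirectUriSettings
REGISTERED_JSON='[
  { "index": null, "uri": "https://oauth-openshift.apps.byh4kqxx.eastus.aroapp.io/oauth2callback/AAD3" }
]'

# The redirect URI the OpenShift OAuth server sent, as quoted in the error text.
requested_uri() {
  printf '%s\n' "$1" | sed -n "s/.*redirect URI '\([^']*\)'.*/\1/p"
}

# The Azure AD application (client) ID, as quoted in the error text.
app_id() {
  printf '%s\n' "$1" | sed -n "s/.*application '\([^']*\)'.*/\1/p"
}

# Registered URIs from the JSON, one per line (sed only, no jq dependency).
registered_uris() {
  printf '%s\n' "$1" | sed -n 's/.*"uri": *"\([^"]*\)".*/\1/p'
}

# Returns 0 when the requested URI is registered as an exact string match, 1 otherwise.
uri_registered() {
  registered_uris "$2" | grep -Fxq "$1"
}

# Print the requested URI next to the registered ones so the mismatch is visible.
diagnose() {
  local msg="$1" json="$2" uri
  uri=$(requested_uri "$msg")
  if uri_registered "$uri" "$json"; then
    echo "OK: $uri is registered on application $(app_id "$msg")"
    return 0
  fi
  echo "MISMATCH on application $(app_id "$msg"):"
  echo "  requested : $uri"
  registered_uris "$json" | sed 's/^/  registered: /'
  return 1
}

diagnose "$AADSTS_MESSAGE" "$REGISTERED_JSON" || true
```

With the sample data the script reports the mismatch between the rfm6otw7/ADD2 URI in the request and the byh4kqxx/AAD3 URI registered on the application; after the registration is corrected the same check prints OK.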
Root Cause
- When the redirect URIs registered on the application in Azure AD do not exactly match the OpenShift OAuth callback URI sent in the request, Azure AD rejects the authorization request with the AADSTS50011 error
Diagnostic Steps
The following error is shown on the OpenShift login page when logging in with Azure AD:
Message: AADSTS50011: The redirect URI 'https://oauth-openshift.apps.rfm6otw7.eastus.aroapp.io/oauth2callback/ADD2' specified in the request does not match the redirect URIs configured for the application '09d97a70-a13b-481f-94b4-fdfcd33eba4a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.