Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Bug] Azure changes redirect_uri from http to https causing TcpInterceptor to fail in parsing the response

See original GitHub issue

Which Version of MSAL are you using ? 4.1

Platform netcore

What authentication flow has the issue?

Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
Web App
- Authorization code
- OBO
Web API
- OBO

Other? - please describe;

Is this a new or existing app? New app

Repro

var clientId = "<CLIENT-ID>";
var authority = "https://login.windows.net/<TENANT-ID>";
var scopes = new[] { "https://vault.azure.net/.default" };
IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId)
                .WithAuthority(new Uri(authority), true)
                .WithRedirectUri("http://localhost:4001")
                .Build();

var result = app.AcquireTokenInteractive(scopes).ExecuteAsync().GetAwaiter().GetResult();

Expected behavior A token should be received

Actual behavior An exception is triggered Microsoft.Identity.Client.MsalClientException: ‘Could not extract the query from the authorization response - check Pii enabled logs for details’

Possible Solution After debugging this a bit, it turns out that while MSAL is sending the correct request to Azure (redirect_uri=http://localhost:4001), Azure then redirects to httpS://localhost:4001, which causes the TcpInterceptor to fail because it receives an ssl handshake request instead of a http request.

This might be a bug on the Azure side (why is it changing http to https?), but since this is the library which is exposing the bug I’m reporting it here.