Add variables to reply URLs in Azure B2C

Question

I am trying to set the redirect_uri in Azure B2C. I have a language field in the Url like this:

https://mydomain/de-de/projects
https://mydomain/en-us/projects
https://mydomain/sv-se/projects 
https://mydomain/ar-sa/projects
...

and to be correctly redirected, I have to add all the possibilities to the B2C Reply URLs and I am only limited to 20 max.

Is there a way to add variables to the redirect_uri? Something like:

https://mydomain/:lang/projects

where ":lang" is a variable the could take any value.

////////////////////////////////////

Solution

The tricky solution was to manipulate the state and inject it with the returned URL due to the fact that it will be sent back after the login/signup response. createLoginUrl() method:

let url = that.loginUrl
                        + '?response_type='
                        + response_type
                        + '&client_id='
                        + encodeURIComponent(that.clientId)
                        + '&state='
                        + encodeURIComponent((state) + 'url'  + returnedUrl)
                        + '&redirect_uri='
                        + encodeURIComponent(window.location.origin)
                        + '&scope='
                        + encodeURIComponent(that.scope);

so here I split the state with 'url' word so I can read it again after the response came.

encodeURIComponent((state) + 'url' + returnedUrl)

An important details redirect_uri, it should be the same origin:

'&redirect_uri=' + encodeURIComponent(window.location.origin)

and this URL should be added to the returned URL in Azure B2C application.

Now I can split it again in tryLogin() method:

const statePartsWithUrl = (parts['state'] + '').split('url');
window.location.href = statePartsWithUrl[1];

and it works perfectly.

////-------------------------------------

Edit : 1.2.2019

const statePartsWithUrl = (parts['state'] + '').split('url');
let state = '';
let returnedUrl = '';
if (statePartsWithUrl != null) {
  state = statePartsWithUrl[0];
  returnedUrl = statePartsWithUrl[1];
}

Here is the splitting of the state to read the information from it in method tryLogin(options)

Answer 1

Yeah so as you found out, you can't currently add wildcards to reply URLs in B2C.

This may be due to security concerns defined in the OAuth 2.0 Threat Model and Security Considerations RFC. In it, the suggested counter-measure against Open Redirect Attacks is to have the client register the full redirect URI.

There is also no way to create apps programmatically: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/19975480-programmatically-register-b2c-applications.

So sadly the manual way is the only way at the moment. But be sure to go upvote the feature request on User Voice.

I actually even tried to manually edit an app via Graph Explorer:

{
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {
            "lang": "en",
            "value": "Updates to converged applications are not allowed in this version."
        },
        "date": "2018-01-08T12:00:00",
        "requestId": "208e7159-d459-42ec-8bb7-000000000000",
        "values": null
    }
}

As you suggested in the comments, one way to work around this problem would be to use a single static redirect URI and keep the language/culture in the state/a cookie, and then do the redirect to the language-specific version after the user is returned to the app.