5

Following this procedure: https://learn.microsoft.com/en-us/graph/auth-v2-user

I'm trying to get a refresh token from this Microsoft endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize

Using PostAsync method from System.Net.Http.HttpClient class from nuget (asp.net core 2.2) library, I'm able to get a response back with this error: "AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.": https://i.imgur.com/LhP5kYf.png

I tried to set some redirect URLs in the Azure Portal, including: https://automation.legroupeti.com/Configurations/GetRefreshToken/, https://automation.legroupeti.com/Configurations/GetRefreshToken, https://automation.legroupeti.com/ and https://automation.legroupeti.com

The post request is the following (Using PostAsync method from System.Net.Http.HttpClient class from nuget (asp.net core 2.2)): https://i.imgur.com/PI4mo8Y.png

Here are the configured redirect URLs from the registered application in the Azure Portal: https://i.imgur.com/aqYDJhn.png

I expect a valid response from the endpoint. How do I configure the redirect_uri to be valid?

EDIT 1

I fixed the redirect_uri parameter.

Samuel Anctil

4 Answers

5

I was getting this error and for me the issue was that I was encoding the redirect_uri value in the post request to the /oauth2/v2.0/token endpoint. Notice how redirect_uri is not encoded in this request.

POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Content-Length: 941

client_id={Application (client) ID}
&scope=https://graph.microsoft.com/mail.read
&redirect_uri=http://localhost/myapp/
&grant_type=authorization_code
&client_secret={secret}
&code={code}

I used the Postman sample provided by Microsoft to find the root cause.

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token

Drew Fleming
3

From the screenshot, it appears that the URLEncoding is incorrect. The '/' character in the path should be encoded to %2F, while your code has %2. (After '.com' and before 'Configurations'.)

Also, have you considered the Authorization Provider from the SDK? https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS#AuthCodeProvider

Paul Schaeflein
2

You seem to be mixing the authorize and token endpoints.

If you want the user to authenticate, you have to redirect the user to that URL, not send a POST request to it. After the user returns to your app, you need to exchange the authorisation code for tokens. Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview

If you want a token just for your app without user authentication, you need to call the token endpoint. Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview

juunas
  • I'm trying to use the https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize endpoint to get an authorization code. This is why I'm doing a POST request at https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize, with the following parameters: client_id, response_type, redirect_uri, response_mode, client_secret, scope and state. As described here: https://learn.microsoft.com/en-us/graph/auth-v2-user, the response should be a page where the user needs to consent, then it should redirect to the redirect_uri after the consent. – Samuel Anctil Sep 04 '19 at 14:31
  • 1
    You can't get an authorization code with a post request. You need to redirect a user browser there. – juunas Sep 04 '19 at 14:33
  • 1
    Redirecting the user instead of doing a post to the URL did fix the issue. – Samuel Anctil Sep 04 '19 at 18:23
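
The two steps discussed in the answers above (browser redirect to /authorize, then a server-side POST to /token with each value encoded exactly once), as an added C# example that is not code from any of the posts. The class and method names are hypothetical; the endpoints and parameter names are the ones quoted on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;

public static class AuthCodeFlow   // hypothetical helper, not part of any SDK
{
    const string Authority = "https://login.microsoftonline.com";
    // Step 1: build the URL the *browser* is redirected to (a GET, never a server-side POST).
    public static string BuildAuthorizeUrl(string tenantId, string clientId,
        string redirectUri, string scope, out string state)
    {
        // Fail early on relative or non-http(s) values instead of waiting for AADSTS90102.
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var parsed) ||
            (parsed.Scheme != Uri.UriSchemeHttps && parsed.Scheme != Uri.UriSchemeHttp))
            throw new ArgumentException("redirect_uri must be an absolute http(s) URI", nameof(redirectUri));
        // Unpredictable state value; store it and compare it on the callback.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        state = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        // Each value is percent-encoded exactly once ("/" becomes %2F, ":" becomes %3A).
        return $"{Authority}/{Uri.EscapeDataString(tenantId)}/oauth2/v2.0/authorize" +
               $"?client_id={Uri.EscapeDataString(clientId)}" +
               "&response_type=code&response_mode=query" +
               $"&redirect_uri={Uri.EscapeDataString(redirectUri)}" +
               $"&scope={Uri.EscapeDataString(scope)}" +
               $"&state={state}";
    }

    // Step 2: after the callback, the server POSTs the code to the token endpoint.
    public static Task<HttpResponseMessage> RedeemCodeAsync(HttpClient http, string tenantId,
        string clientId, string clientSecret, string redirectUri, string scope, string code)
    {
        // FormUrlEncodedContent encodes the values itself: pass them raw,
        // because pre-encoding them would encode redirect_uri twice.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["scope"] = scope,
            ["redirect_uri"] = redirectUri,   // same value as sent in step 1
            ["grant_type"] = "authorization_code",
            ["client_secret"] = clientSecret,
            ["code"] = code,
        });
        return http.PostAsync($"{Authority}/{Uri.EscapeDataString(tenantId)}/oauth2/v2.0/token", form);
    }
}
```

In an ASP.NET Core controller the string from `BuildAuthorizeUrl` would be returned with `Redirect(url)`, and the `state` value kept server-side until the callback arrives.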
0

I also faced the same problem:

AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.

I tried a few URL variants (with encoding, without, etc.) in Chrome, but was getting different exceptions about a wrong URL. Then I used the Safari browser and voila, I got a response code.

In the final result, I just copied the URL from the documentation, pasted tenant and client_id values from the registered application into the return_url parameter, and instead of the /myapp/ prefix I pasted %3A8080, where %3A is the : symbol. The redirect_uri param has to be the same as the URL in the registered application.

Jeremy Caney
arturk