
Microsoft Graph API redirect_uri doesn't allow query strings

We're trying to move from the older WindowsLive API to the new Microsoft Graph API. In the process, we're running into difficulty with the required OAuth 2.0 redirect_uri parameter in the app.

According to the OAuth 2.0 RFC, the redirect_uri must be an absolute path but can contain a properly encoded query string.

In our Windows app, we've set up the absolute path - their application tool doesn't allow query strings to be added: https://example.com/index.php

The OAuth request we make uses a redirect_uri with URL encoding, including query params. This is necessary because we use a CMS (Joomla) that needs to know what should handle the request:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
 response_type=code&
 client_id={string}&
 redirect_uri=https%3A%2F%2Fexample.com%2Findex.php%3Foption%3Dcom_jfbconnect%26task%3Dauthenticate.callback%26provider%3Dwindowslive&
 scope=user.read&
 state={string}&
 access_type=offline&
 approval_prompt=auto

However, the Graph API rejects this with:

"The reply url specified in the request does not match the reply urls configured for the application"

Anyone else run into this or understand why the Graph API doesn't accept query parameters either in the app configuration or on the token requests?

Edit - 5/8 - However, the application setup area does not allow query strings in the redirect_uri setting, which is correct according to the RFC. However, the Graph API isn't respecting this note of the RFC:

The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters.

This isn't actually being rejected by Microsoft Graph. Microsoft Graph is simply an API and it doesn't generate or manage access tokens. That process is handled by Azure Active Directory.

The error you're getting is due to your redirect_uri not being configured in your app registration at https://apps.dev.microsoft.com. The URL must explicitly match the URL configured in the registration. From the documentation:

The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except it must be url encoded.

For scenarios where you need to pass data through, you should encode those values in your state parameter. This will be returned to your redirect URI along with the authorization code.

Also note that neither access_type=offline nor approval_prompt=auto is a valid query parameter:

  • To retrieve a refresh_token, you add offline to your list of scopes (user.read+offline).
  • To set the type of prompt the user receives, you use the prompt parameter. Valid options are login, none, and consent.
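The answer's two points (send a redirect_uri that exactly matches the registered one, and carry the CMS routing data in state instead) in working form. This is an added example, not code from the question, the answer, Joomla or Microsoft: it uses the authorize endpoint and registered redirect URI from the question, and assumes a server-side signing key (STATE_SIGNING_KEY, constructed here) so the callback can detect a forged or replayed state value before trusting the routing it carries. The nonce returned by new_nonce() stands in for whatever the session stores between the redirect and the callback.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# From the question: the v2.0 authorize endpoint and the redirect URI exactly as
# registered in the app portal (absolute path, no query string).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
REGISTERED_REDIRECT_URI = "https://example.com/index.php"

# Constructed for this example: a secret, per-deployment key that signs the state.
STATE_SIGNING_KEY = b"constructed-example-key-not-for-production"


def _b64u(raw: bytes) -> str:
    """base64url without padding, so the state value is URL-safe as-is."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_nonce() -> str:
    """Per-login nonce; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(16)


def build_state(routing: dict, nonce: str) -> str:
    """Pack the routing data (the option/task/provider the question put on
    redirect_uri) plus the session nonce into an HMAC-signed state value."""
    payload = json.dumps({"n": nonce, "r": routing}, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(STATE_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(sig)


def parse_state(state: str, expected_nonce: str) -> dict:
    """Check signature, then nonce, then return the routing dict.
    Raises ValueError for anything malformed, forged or replayed."""
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload, sig = _unb64u(payload_b64), _unb64u(sig_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed state")
    expected_sig = hmac.new(STATE_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("state signature mismatch")
    data = json.loads(payload)
    if not hmac.compare_digest(str(data.get("n", "")), expected_nonce):
        raise ValueError("state nonce does not match this session")
    return data["r"]


def state_is_valid(state: str, expected_nonce: str) -> bool:
    try:
        parse_state(state, expected_nonce)
        return True
    except ValueError:
        return False


def build_authorize_url(client_id: str, routing: dict, nonce: str, scope: str = "user.read") -> str:
    """Authorize URL whose redirect_uri is byte-for-byte the registered one.
    urlencode percent-encodes it as the quoted documentation requires. The
    unsupported access_type/approval_prompt parameters are deliberately absent;
    prompt= (login, none, consent) is what the endpoint accepts if needed."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": scope,
        "state": build_state(routing, nonce),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def query_params(url: str) -> dict:
    """Decode a URL's query string into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(callback_url: str, expected_nonce: str) -> tuple:
    """On the redirect back to index.php: verify state first, then return
    (authorization_code, routing) for the CMS to dispatch on."""
    qs = query_params(callback_url)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error']}")
    routing = parse_state(qs["state"], expected_nonce)
    return qs["code"], routing


if __name__ == "__main__":
    routing = {"option": "com_jfbconnect", "task": "authenticate.callback", "provider": "windowslive"}
    nonce = new_nonce()  # would be written to the session here
    url = build_authorize_url("{client_id}", routing, nonce)
    print(url)
    # Constructed callback, shaped like the one the identity provider issues; the code is made up.
    callback = REGISTERED_REDIRECT_URI + "?" + urlencode({"code": "CONSTRUCTED_CODE", "state": query_params(url)["state"]})
    print(handle_callback(callback, nonce))
```

Signing the state is the part the answer leaves implicit: once the routing decision lives in a client-controlled parameter, the callback must verify it before dispatching, and binding it to a per-session nonce is also what makes state serve its CSRF purpose.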
