This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

Understanding 'non_https_redirect_failed' AdalServiceException

Jean-Marc Prieur edited this page Feb 9, 2018 · 2 revisions

The problem

The application gets the following AdalServiceException: Non-HTTPS url redirect is not supported in webview ErrorCode: non_https_redirect_failed

Why?

Interactive authentication in ADAL.NET is delegated to Azure AD: a web browser control hosts pages generated by Azure AD. Although the interactive portion of the authentication flow can include redirects to pages not hosted in Azure AD, all of those pages must guarantee that the traffic stays on trusted segments. That requires every redirect performed in the browser control to target an HTTPS-protected endpoint, using a certificate whose issuer is in the device's trusted roots, whose subject matches the actual network-addressable URL, and so on. Any violation would expose the tokens being exchanged to man-in-the-middle attacks, token forwarding and various other problems.

When does that occur?

The exception is typically thrown when:

  • a provider in the federation chain uses plain HTTP (for instance a Shibboleth provider, an ADFS instance, or a custom identity provider);
  • the device is on a captive network, as in hotels or shops, the user has not yet accepted the terms of use, and all traffic is being redirected to a local HTTP page;
  • the customer is the victim of a DNS attack, and the feature is doing its job to prevent their credentials from being stolen.

What to do?

There is not much the application developer can do, apart from catching the exception and explaining the situation to the user.
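The following is an added example (not code from the wiki or from ADAL.NET itself) of the only reasonable handling: catch the exception, recognise the error code quoted above, and tell the user why sign-in was stopped instead of retrying. It uses the ADAL.NET v3 desktop API (AuthenticationContext, AcquireTokenAsync, PlatformParameters); the authority, resource, client id, redirect URI and the ShowToUser hook are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example: interactive token acquisition with a user-facing explanation
// when ADAL refuses a non-HTTPS redirect. Not part of the original wiki page.
public static class NonHttpsRedirectHandling
{
    // Error code as quoted on this page. ADAL.NET also defines a named constant
    // for it (assumed here to be AdalError.NonHttpsRedirectNotSupported).
    const string NonHttpsRedirectFailed = "non_https_redirect_failed";

    public static async Task<AuthenticationResult> AcquireTokenInteractiveAsync(
        string authority, string resource, string clientId, Uri redirectUri)
    {
        var context = new AuthenticationContext(authority);
        try
        {
            return await context.AcquireTokenAsync(
                resource, clientId, redirectUri, new PlatformParameters(PromptBehavior.Auto));
        }
        catch (AdalServiceException ex) when (ex.ErrorCode == NonHttpsRedirectFailed)
        {
            // Do not retry or loosen anything: the library is refusing to carry
            // credentials over a non-TLS hop. The useful action is to explain the
            // likely causes listed on this page so the user can fix their network.
            ShowToUser(
                "Sign-in was stopped because a login page tried to redirect to a non-HTTPS address. " +
                "Possible causes: you are on a captive network (hotel, shop) and have not yet " +
                "accepted its terms of use; a federation provider in the sign-in chain uses plain " +
                "HTTP; or DNS on this network is being tampered with. Reconnect on a trusted " +
                "network and try again.");
            throw; // let the caller decide whether a non-interactive fallback exists
        }
    }

    // Hypothetical UI hook; replace with the application's own notification mechanism.
    static void ShowToUser(string message)
    {
        Console.Error.WriteLine(message);
    }
}
```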

History

HTTP redirects in the web browser control were disabled in ADAL.NET v3 (v3.10.305110106).
