Understanding 'non_https_redirect_failed' AdalServiceException

The problem

The application gets the following AdalServiceException: Non-HTTPS url redirect is not supported in webview ErrorCode: non_https_redirect_failed

Why?

Interactive authentication in ADAL.NET has been delegated to Azure AD by having a Web browser host pages generated by Azure AD. Although the interactive portion of the authentication flow can include redirects to pages not hosted in Azure AD, those pages all must guarantee that the traffic is occurring on trusted segments - that requires every redirect done in the browser control to target HTTPS protected endpoint, using a certificate whose issuer is on the device’s trusted roots, with subject corresponding to the actual network addressable URL, and so on. Violations would make the tokens exchanged at risk of man in the middle attack, token forwarding and various other problems.

When does that occur?

The exception is typically thrown when:

• there’s a provider in the chain using HTTP: (for instance a shibboleth provider, an ADFS instance, a custom identity provider).
• another possibility is that the device is in a captive network, like in hotels, or shops, and the user didn’t grant consent to the term of usage and all traffic is redirected to a local HTTP page;
• yet another possibility is that the customer is the victim of a DNS attack and the feature is doing its job to prevent their credentials from being stolen

What to do?

There is not much the application developer can do, apart from communicating to the user.

History

HTTP redirects in the web browser were disabled in ADAL.NET v3 v3.10.305110106