Tags: asp.net, azure-active-directory, single-sign-on, openid-connect, form-post

How does Microsoft redirect to the client application with the POST method when using SSO with Azure AD?


Our web application has an SSO feature using Azure AD. The workflow is:

  1. The user accesses our web application.
  2. On the login screen, the user clicks the "Sign in with Microsoft" button.
  3. The user is redirected to the Microsoft login screen.
  4. The user enters their Microsoft credentials and clicks the Login button.
  5. The user completes MFA if it is enabled.
  6. After authentication, Microsoft redirects the user back to our web application, passing the id_token in form_data with the POST method.

So, my question is: how can Microsoft redirect the user with the POST method and pass the id_token in form_data? As far as I know, we can only redirect a user with the GET method, and cannot pass form data.

Below image illustrates what I saw.



Solution

  • Azure AD returns an HTML page that auto-submits a form which targets your URL.

    As you said, a redirect cannot use the POST method, only GET. But an HTML form can use the POST method.

    You'll see this form if you look at the response of the previous request.
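To make the mechanism concrete, here is an added example (not code from the question, the answer, or Microsoft) that walks through the three pieces of the OpenID Connect `form_post` response mode: the relying party's authorization request that asks for it, a simplified stand-in for the auto-submitting HTML page the provider returns, and the relying party's handling of the resulting POST body. The tenant, client id, redirect URI, token value and state/nonce values are constructed placeholders; the real Azure AD page has different markup, but the principle (hidden form fields plus an `onload` submit) is the same.

```python
import html
import urllib.parse

# Standard Microsoft identity platform v2.0 authorize endpoint; the tenant and
# client id used below are constructed placeholders, not real values.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """Relying party side: the request that asks the provider to deliver the
    id_token by POST (response_mode=form_post) instead of a GET redirect."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",   # this is what makes the provider answer with a form
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,                 # bound to the browser session; checked on return
        "nonce": nonce,                 # echoed inside the id_token; checked after signature validation
    })
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + query


def build_form_post_page(redirect_uri, params):
    """Provider side (simplified illustration): the HTML page the browser
    receives after login. Its only job is to POST the hidden fields to the
    relying party's redirect_uri as soon as it loads. Every value is
    HTML-escaped so a token or state value can never break out of the
    attribute it is placed in."""
    fields = "\n".join(
        '<input type="hidden" name="{}" value="{}">'.format(
            html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in params.items()
    )
    return (
        "<!DOCTYPE html>\n"
        "<html><head><title>Working...</title></head>\n"
        '<body onload="document.forms[0].submit()">\n'
        '<form method="POST" action="{}">\n'.format(html.escape(redirect_uri, quote=True))
        + fields + "\n"
        '<noscript><button type="submit">Continue</button></noscript>\n'
        "</form></body></html>"
    )


def parse_form_post_body(body, expected_state):
    """Relying party side: parse the application/x-www-form-urlencoded POST
    body and enforce the state check before the id_token is looked at.
    Signature, issuer, audience and nonce validation of the id_token itself
    happen after this step and are not shown here."""
    fields = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    if "error" in fields:
        raise ValueError("provider returned error: %s" % fields.get("error_description", fields["error"]))
    if fields.get("state") != expected_state:
        # A response whose state does not match the session's value must be
        # dropped: it was not started by this browser session.
        raise ValueError("state mismatch")
    if not fields.get("id_token"):
        raise ValueError("id_token missing from form_post response")
    return fields["id_token"], fields


if __name__ == "__main__":
    # Constructed walk-through of the round trip.
    url = build_authorize_url("contoso-placeholder", "client-id-placeholder",
                              "https://app.example/signin-oidc", "st-123", "n-456")
    print("1. browser is sent to:", url)
    page = build_form_post_page("https://app.example/signin-oidc",
                                {"id_token": "eyJ.placeholder.token", "state": "st-123"})
    print("2. provider returns this page, which submits itself:\n", page)
    token, _ = parse_form_post_body("id_token=eyJ.placeholder.token&state=st-123", "st-123")
    print("3. relying party extracted id_token:", token)
```

The `state` check is the piece most often skipped when people hand-roll this flow: because the token arrives in a POST from the browser, the relying party cannot tell from the request alone whether this session started the login, so it has to compare the returned `state` with the value it stored when it built the authorization URL.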