Contributor
7387 Points
1984 Posts
AAD: REPLY URL issue: signin-oidc vs .auth/login/aad/callback [Azure Government]
May 13, 2019 02:51 PM | JohnLocke
I am trying to deploy a standard ASP core MVC app to our Azure Government web service. We want to authenticate our app using AAD.
When I create a new project in VS, I'm selecting to use a Single Organization with our domain for authentication. When VS finishes configuring the app, it automatically adds a new app registration in AAD along with the correct client ID and tenant ID associations in appsettings file. The callback/reply URL is "/signin-oidc". When running the app locally, everything seems to be working fine. I am taken to the Microsoft login where I can authenticate against our AAD, and then it returns me to the app.
When I deploy the app to Azure and run my app, the Microsoft login gets called as expected, but once I authenticate, it gives me the error "The reply url specified in the request does not match the reply urls configured for the application". I check my app registration setting, and apparently it only added the localhost URL to the reply URL section, so I add a new entry "https://myapp.azurewebsites.us/signin-oidc" (Azure Govt uses the .us domain suffix). I try to access my app again, but I get the same "reply url does not match" error. I do some research and I come across a Microsoft tutorial that indicates the callback should be "/.auth/login/aad/callback" instead of "signin-oidc". So I update the appsettings file and the app registration reply URL setting. I publish my changes from VS and go to my app. Now when I authenticate, I get a page that says "You have successfully signed in" with a link that says "Return to your website" that points to the correct URL of my site. The URL address of this page is ".auth/login/done". First of all, I want to automatically return to my app's home page, not this weird placeholder page letting me know I've signed in correctly. Secondly, when I click on the link to return to my website, it just keeps looping back to this same page.
So I am in a real bind right now to get this sorted properly. I am not sure why everything works out of the box when using localhost, but then when going to Azure, it wants a completely different callback reply URL. And then I'm not sure why it's taking me to this "you have successfully signed in" page instead of my website.
Any help is appreciated.
All-Star
48710 Points
18183 Posts
Re: AAD: REPLY URL issue: signin-oidc vs .auth/login/aad/callback [Azure Government]
May 13, 2019 03:45 PM | PatriceSc
Hi,
AFAIK it should be the real location to which you want to direct users once the login process is completed, so more likely it should be your authenticated user home page. Also it should be passed as a parameter from the app and match exactly what is registered in AAD (if I remember, I had a problem as having a trailing slash or not made a difference).
Also, as you discovered, for safety reasons AAD doesn't check this value against this list so that it redirects only to a legitimate location.
For now I suspect your app doesn't pass the correct return URL?
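The exact-match behaviour behind the "reply url does not match" error, as an added example that is not part of this thread: the OIDC middleware sends the app's callback as the `redirect_uri` parameter of the authorize request, and the identity provider accepts it only if it is identical (scheme, host, port, path, trailing slash) to an entry registered on the app registration. The registered list, the localhost port and the nonce are constructed sample values; the Azure Government authority `login.microsoftonline.us` is the real sign-in endpoint for that cloud.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample data modelled on the thread: VS registered only the
# localhost reply URL; the App Service entry (.us suffix) was added by hand.
REGISTERED_REPLY_URLS = [
    "https://localhost:44321/signin-oidc",          # constructed port
    "https://myapp.azurewebsites.us/signin-oidc",   # added after the first error
]

# Azure Government sign-in authority (the public cloud uses .com instead).
AZURE_GOV_AUTHORITY = "https://login.microsoftonline.us"


def reply_url_matches(requested: str, registered: list[str]) -> bool:
    """Exact-match validation in the spirit of AAD's reply URL check.

    Scheme, host (case-insensitive), port, path and query must all be
    identical. A trailing slash, a different domain suffix (.com vs .us),
    or a different callback path (/.auth/login/aad/callback instead of
    /signin-oidc) is a mismatch; there is no prefix or wildcard matching.
    """
    req = urlsplit(requested)
    if req.fragment:
        return False  # fragments are never part of a valid reply URL
    for entry in registered:
        reg = urlsplit(entry)
        same = (req.scheme, req.netloc.lower(), req.path, req.query) == (
            reg.scheme, reg.netloc.lower(), reg.path, reg.query)
        if same:
            return True
    return False


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        authority: str = AZURE_GOV_AUTHORITY) -> str:
    """Authorize request as the OIDC middleware would send it; the
    redirect_uri value is what AAD compares against the registered list."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid profile",
        "nonce": "constructed-nonce",  # constructed; real one is random
    }
    return f"{authority}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"
```

Running the check over the thread's URLs reproduces the sequence of events: the App Service callback fails while only localhost is registered, succeeds once the exact `.us` entry is added, and still fails with a trailing slash or the `/.auth/login/aad/callback` path.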
Contributor
7387 Points
1984 Posts
Re: AAD: REPLY URL issue: signin-oidc vs .auth/login/aad/callback [Azure Government]
May 13, 2019 04:52 PM | JohnLocke
I managed to get it working, but in a different manner of deployment. With my issue, I had manually created the app service and deployed my project from VS. As I did some testing today, I let VS create the app service during deployment, which seems to have done something slightly different, because it now works as it should. I am having difficulty tracking down the point of my issue because comparing both app services side by side -- they are identical in all areas that matter. There must be some obscure setting somewhere that is different though, or else I wouldn't be seeing the issue on the first app service.
I do have my authentication working through the /signin-oidc reply-url now though, and it's not bringing me to a page that confirms I've logged in, which is good. I'll keep poking around a bit to see if I can report the difference, but otherwise I'm just going to mark this the answer in case someone has a similar issue with manual app service deployment.