AAD: REPLY URL issue: signin-oidc vs .auth/login/aad/callback [Azure Government]

  • Question

  • User-1657171777 posted

    I am trying to deploy a standard ASP core MVC app to our Azure Government web service.  We want to authenticate our app using AAD.

    When I create a new project in VS, I'm selecting to use a Single Organization with our domain for authentication.  When VS finishes configuring the app, it automatically adds a new app registration in AAD along with the correct client ID and tenant ID associations in appsettings file.  The callback/reply URL is "/signin-oidc".  When running the app locally, everything seems to be working fine.  I am taken to the Microsoft login where I can authenticate against our AAD, and then it returns me to the app.

    When I deploy the app to Azure and run my app, the Microsoft login gets called as expected, but once I authenticate, it gives me the error "The reply url specified in the request does not match the reply urls configured for the application".  I check my app registration setting, and apparently it only added the localhost URL to the reply URL section, so I add a new entry "https://myapp.azurewebsites.us/signin-oidc" (Azure Govt uses the .us domain suffix).  I try to access my app again, but I get the same "reply url does not match" error.  I do some research and I come across a Microsoft tutorial that indicates the callback should be "/.auth/login/aad/callback" instead of "signin-oidc".  So I update the appsettings file and the app registration reply URL setting.  I publish my changes from VS and go to my app.  Now when I authenticate, I get a page that says "You have successfully signed in" with a link that says "Return to your website" that points to the correct URL of my site.  The URL address of this page is ".auth/login/done".  First of all, I want to automatically return to my app's home page, not this weird placeholder page letting me know I've signed in correctly.  Secondly, when I click on the link to return to my website, it just keeps looping back to this same page.

    So I am in a real bind right now to get this sorted properly.  I am not sure why everything works out of the box when using localhost, but then when going to Azure, it wants a completely different callback reply URL.  And then I'm not sure why it's taking me to this "you have successfully signed in" page instead of my website.

    Any help is appreciated.

    Monday, May 13, 2019 2:51 PM

Answers

  • User-1657171777 posted

    I managed to get it working, but in a different manner of deployment.  With my issue, I had manually created the app service and deployed my project from VS.  As I did some testing today, I let VS create the app service during deployment, which seems to have done something slightly different, because it now works as it should.  I am having difficulty tracking down the point of my issue because comparing both app services side by side -- they are identical in all areas that matter.  There must be some obscure setting somewhere that is different though, or else I wouldn't be seeing the issue on the first app service.

    I do have my authentication working through the /signin-oidc reply-url now though, and it's not bringing me to a page that confirms I've logged in, which is good.  I'll keep poking around a bit to see if I can report the difference, but otherwise I'm just going to mark this the answer in case someone has a similar issue with manual app service deployment.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, May 13, 2019 4:52 PM

All replies

  • User753101303 posted

    Hi,

    AFAIK it should be the real location to which you want to direct users once the login process is completed, so more likely it should be your authenticated user home page. Also, it should be passed as a parameter from the app and match exactly what is registered in AAD (if I remember correctly, I had a problem because having a trailing slash or not made a difference).

    Also, as you discovered, for safety reasons AAD doesn't check this value against this list so that it redirects only to a legitimate location.

    For now I suspect your app doesn't pass the correct return URL?

    Monday, May 13, 2019 3:45 PM
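An added diagnostic for the exact-match rule User753101303 describes (example code, not from the thread or from any Microsoft tool): it compares the redirect URI the app sends against the registered reply URLs component by component, so a "reply url does not match" error can be traced to a host, port or trailing-slash difference, and it flags when one side is the App Service Authentication path (`/.auth/...`) while the other is the app's own OIDC middleware path (`/signin-oidc`). The sample URLs are constructed from the ones mentioned in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample values modelled on the thread: VS registered only the
# localhost reply URL, while the deployed app sends its .us host.
REGISTERED_REPLY_URLS = ["https://localhost:44300/signin-oidc"]
DEPLOYED_REDIRECT = "https://myapp.azurewebsites.us/signin-oidc"


def _parts(uri: str) -> dict:
    """Split a reply URL into the components that must match exactly."""
    u = urlsplit(uri)
    return {
        "scheme": u.scheme,
        "host": u.hostname or "",
        "port": u.port,
        "path": u.path.rstrip("/"),
        "trailing_slash": u.path.endswith("/"),
    }


def callback_owner(uri: str) -> str:
    """Who answers this callback: App Service Authentication owns /.auth/*,
    anything else is handled by the application's own OIDC middleware."""
    path = urlsplit(uri).path
    return "app-service-auth" if path.startswith("/.auth/") else "app-middleware"


def diagnose(requested: str, registered: list) -> list:
    """Return [] if `requested` exactly matches a registered reply URL,
    else one finding per registered URL naming the components that differ."""
    if requested in registered:
        return []
    want = _parts(requested)
    findings = []
    for reg in registered:
        have = _parts(reg)
        diffs = [k for k, v in want.items() if v != have[k]]
        if not diffs:  # same components, different literal string (case/encoding)
            diffs = ["literal text"]
        if callback_owner(reg) != callback_owner(requested):
            diffs.append("callback owner")
        findings.append(f"{reg}: differs in {', '.join(diffs)}")
    return findings


if __name__ == "__main__":
    for line in diagnose(DEPLOYED_REDIRECT, REGISTERED_REPLY_URLS):
        print(line)
```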