AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ''

Question

I have a .NET Core 2 app template that is configured to use Azure AD out of the box.

The configuration is:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "lautaroarinolive.onmicrosoft.com",
    "TenantId": "67cb2dfd-ebd5-40d8-829b-378340981a17",
    "ClientId": "50819a7a-e018-4c1d-bf0a-18c8fce5c600",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Warning"
    }
  }
}

In my portal, I have an Azure app registration with the same id as ClientId. It has the reply URL [APP-URL]/signin-oidc.

The localhost app works only if I set the reply URL to [LocalhostURL]/signin-oidc, even though I've learned that the configuration should not affect log in on localhost.

The Azure app does not work in any case.

In both apps when it doesn't work I get this error:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '50819a7a-e018-4c1d-bf0a-18c8fce5c600'

1. Is it correct that a localhost app should not need a configured reply URL?

2. Why do I get the "reply url not configured" error?

Answer 1

You can refer to this Sample to rebuild your .NET core App and publish to the Azure.

There are some NOTES you need to pay attention to :

1. you need to change the port from 5000 to the effective one. Currently, it should be 61659. So, when you do a test in your localhost, you can set the reply URL in the AAD App with http://localhost:61659/signin-oidc

2. Update these URLs if you configure the app for production use or If you publish the App to Azure Web App, you should change the Reply URL in both App config file and AAD Application to be <AppURL>/signin-oidc

For example, https://www.contoso.com/signin-oidc or https://Myapp.azurewebsites.net/signout-oidc.

Answer 2

I had a similar problem with a .NET 4.6.1 web application. I had to configure the Reply URL for my app in azure similar to the accepted answer, however the callback url was different.

Select Azure Active Directory -> App Registrations -> <your app>
Select Settings -> Reply URLs

Add your apps URL + '/.auth/login/aad/callback' For Example: https://somesite.azurewebsites.net/.auth/login/aad/callback

Answer 3

Check your redirect uri in your Microsoft sign in page

redirect_uri=https://localhost:8443/login&response_type=code&scope=openid%20profile&state=7GsiHb

And make sure that you have added the same URI to redirect URI list in your registered application (Active Directory -> App Registration -> Your Application). As mentioned in other answers may need to change supported account type as "Multiple Organizations".

Answer 4

Just got the same error. My app is a .NET 5 ASP.NET Core app running in a Linux docker container inside of a web app. Troubleshooting using Fiddler has shown that in calls to login.microsoft.com the value of a redirect_uri query string variable was starting with "http://" and not with "https://" as I would expect despite my attempts to enforce TLS-only on the web app itself. That led to URL mismatch and to the error AADSTS50011.

Setting the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED=true on the web app has fixed the issue. Microsoft has documented it here: https://devblogs.microsoft.com/aspnet/forwarded-headers-middleware-updates-in-net-core-3-0-preview-6/

Answer 5

Make sure services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); must below the Authentication configuration.

services.AddAuthentication(options =>
{
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
    options.Authority = "";
    options.ClientId = "";
    options.ResponseType = OpenIdConnectResponseType.IdToken;
    options.CallbackPath = "";
    options.SignedOutRedirectUri = "";
    options.TokenValidationParameters.NameClaimType = "name";
})
.AddCookie();

I was facing the same error due to having added AddMvc() before the AddAuthentication() extension method.

Answer 6

In some case, azure to use the 'www' on the url, even if you especific the url on the portal without 'www'. Use "https://www.mysite.co/signin-oidc" instead "https://mysite.co/signin-oidc" in your redirectUri variable.

Answer 7

Small thing, but at the Web Tenant, at custom domains settings HTTPS Only option should be turned on depending on URLs used by the site. I had the same problem, as at the login, the redrect_uri=http://sitename was concatenated instead of https. Enabling this option resolved my authentication issue.

Answer 8

If you are signing in from AAD you should use app-base-url/sigin-aad.

Answer 9

If you use React- Native. Able to check the web portal: https://portal.azure.com/.

iOS: {YOUR_BUNDLE_IDENTIFIER}://{YOUR_BUNDLE_IDENTIFIER}/ios/callback

Android: {YOUR_APP_PACKAGE_NAME}://{YOUR_APP_PACKAGE_NAME}/android/callback

pls refer with image below.

enter image description here

Answer 10

The only solution for me: in the Azure portal https://portal.azure.com, navigate to "app registrations" -> select your application -> "authentication" from the left sidebar menu -> "mobile and desktop applications" redirect URIs -> and click "Add URI" -> type the following

ms-appx-web://microsoft.aad.brokerplugin/{Your_Application's_Client_ID}

Example: ms-appx-web://microsoft.aad.brokerplugin/5r3257qe-7jci-3501-38k0-3791h90542m7