3

I created a web application which is working with an Azure Active Directory authentication.

Everything works fine on localhost, but I'm getting the following error when I publish the application into Azure:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '656cc46c-f858-4a45-bf83-698791e052f1'.

What I tried:

In Azure, I configured the Reply URL of the application in question to be:

http://gp-rh.azurewebsites.net/signin-oidc

Here is my appsettings.json:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "legroupeti.com",
    "TenantId": "7c6ff5e2-0660-4b65-9b64-7a78df412819",
    "ClientId": "656cc46c-f858-4a45-bf83-698791e052f1",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Warning"
    }
  }
}

In my application, the controller that does the login is set like this:

[HttpGet]
public IActionResult SignIn() {
    var redirectUrl = Url.Action("Index", "Dashboard",
        new { date = DateTime.Now, anchor = "period" });
    return Challenge(
        new AuthenticationProperties { RedirectUri = redirectUrl },
        OpenIdConnectDefaults.AuthenticationScheme);
}

The default page for my application is / which redirects to /Dashboard.

I don't know where I went wrong, but it still does not work.

Marc LaFleur
Samuel Anctil

1 Answer

3

The redirect_uri must match one of your registered URIs exactly, including the scheme (http://, https://).

In general, you should only use an unsecured scheme (http) for development purposes. For test/stage/production, you should always use a secure connection (https). In this case, there is absolutely no reason to not use https://gp-rh.azurewebsites.net/signin-oidc since azurewebsites.net supports HTTPS by default.

Marc LaFleur
  • Is there a way to determine what reply URL is being used? My reply URLs are generated in the code based on the request. I'm at the point now where I'm adding every possible URL, but still getting the error. This is infuriating. – Ross Brasseaux Nov 02 '18 at 20:18
  • You're going about this the wrong way. Your `redirect_uri` _should always be the same_. Any information you want to pass through the authorization endpoint should be encoded and passed via the `state` parameter. The purpose of `state` is to handle _your application's state_. – Marc LaFleur Nov 02 '18 at 20:59
  • What about if you load one set of components for one domain and a different set of components for a different domain. In production I can use https but for local dev I need to add the two domains to my hosts file in windows and log in appropriately. How come I can't specify a non localhost domain to log in insecurely for local dev? – Dmitri Larionov Nov 13 '18 at 02:54
  • Because there is no way to denote "dev" vs. "not dev" and securing the end user's data takes precedence over any inconvenience imposed by editing a hosts file. – Marc LaFleur Nov 13 '18 at 16:34
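As an added illustration (not code from the question, the answer or the project), this Python sketch applies the two points made above: the reply URL check is an exact string comparison, so the `http://` registration from the question never matches an `https://` callback, and per-request data belongs in an integrity-protected `state` value rather than in a varying `redirect_uri`. The `STATE_KEY` secret and the helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Reply URL registered on the app registration, taken from the question.
REGISTERED_REPLY_URLS = {"http://gp-rh.azurewebsites.net/signin-oidc"}
# Hypothetical server-side secret protecting the state value (constructed).
STATE_KEY = b"constructed-demo-key-replace-with-a-managed-secret"


def reply_url_matches(redirect_uri: str, registered: set) -> bool:
    """Exact string comparison: scheme, host, port, path and any trailing
    slash must all agree. No normalisation, so http never matches https."""
    return redirect_uri in registered

def mismatch_reason(redirect_uri: str, registered: set) -> str:
    """Name the first URL component differing from a registered reply URL
    (a local diagnostic for AADSTS50011; Azure AD does not return this)."""
    if reply_url_matches(redirect_uri, registered):
        return ""
    got = urlsplit(redirect_uri)
    for reg in sorted(registered):
        want = urlsplit(reg)
        for part in ("scheme", "netloc", "path", "query"):
            if getattr(got, part) != getattr(want, part):
                return f"{part} differs: {getattr(got, part)!r} vs {getattr(want, part)!r}"
    return "no reply URL registered"

def make_state(return_to: str) -> str:
    """Carry the post-login landing page in an HMAC-protected `state` value,
    so redirect_uri can stay constant. Only local paths are accepted."""
    if not return_to.startswith("/") or return_to.startswith("//"):
        raise ValueError("return_to must be a local path")  # no open redirect
    payload = json.dumps({"n": secrets.token_urlsafe(16), "r": return_to}).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def read_state(state: str) -> str:
    """Verify the tag and return the landing page; raise if tampered with."""
    raw = base64.urlsafe_b64decode(state.encode())
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("state failed integrity check")
    return json.loads(payload)["r"]
```

The ASP.NET Core OpenID Connect middleware already stores `AuthenticationProperties.RedirectUri` in a protected `state` for you, so the `SignIn` action in the question needs no change; what must change is the registered reply URL scheme.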