I am trying to use AAD auth in my app. It works fine when I run it locally in VS and I can log in, but when I publish it to an Azure App Service and try to access the application I get the error message that the reply-to URL does not match.
Here is the relevant part of my appsettings.json:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "xxxxx.me",
  "TenantId": "xxxxx",
  "ClientId": "xxxx",
  "CallbackPath": "/signin-oidc",
  "ClientSecret": "xxxxx",
  "AppIDURL": "https://xxxxx.me/yyyyyBackend",
  "ConfigView": "MVC"
}
In the app registration I have added the reply URL, which is the app URL from the App Service. I have also added
https://xxxxx.me/yyyyyBackend/signin-oidc
but neither works, so I am a bit confused now.
Is there another reply URL I have to add?
* EDIT *
After using Fiddler and also looking at the callback URL when the application tries to authenticate, it turns out that it sends the following redirect URL:
https://xxx.azurewebsites.net/.auth/login/aad/callback
Nowhere in my project have I specified /.auth/login/aad/callback, and if I search through my entire project in VS that string does not show up anywhere, so I am at a total loss as to why it sends that redirect URL. It will never work because I don't have that anywhere in my code.
After adding that URL to my reply URLs I am getting the following error message when deploying:
You do not have permission to view this directory or page.
According to your description, I assume that you are using the OpenID Connect middleware to sign in users from an AAD tenant; here is the detailed tutorial: Integrating Azure AD into an ASP.NET Core web app. For running on your local side, you may add the following reply URL for your AAD app:
http(s)://localhost:{port}/signin-oidc
When deployed to azure web app, you may also need to add the following URL as Wayne Yang - MSFT commented:
https://{your-webapp-name}.azurewebsites.net/signin-oidc
After using Fiddler and also looking at the callback URL when the application tries to authenticate, it turns out that it sends the following redirect URL:
https://xxx.azurewebsites.net/.auth/login/aad/callback
Based on your update, you have also enabled the built-in Authentication and authorization in Azure App Service, which helps you sign in users and access data by writing minimal or no code in your MVC application. For your situation, since you have used the OpenID Connect middleware in your application for authentication, you need to disable App Service Authentication; otherwise you may encounter unexpected errors.
Moreover, for troubleshooting the detailed error, you could Enable diagnostics logging for web apps in Azure App Service.
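A small diagnostic for the situation described above, added here as an example and not part of the original question or answer: paste the authorize request captured in Fiddler, extract the redirect_uri the app actually sent, and compare it exactly against the reply URLs on the app registration. AAD requires an exact match, so the check reports which component (scheme, host, path, query) differs from the closest registration, and it flags the /.auth/login/aad/callback path as a sign that App Service Authentication rewrote the request rather than the OpenID Connect middleware. The tenant, client id, hostnames and registered URLs in the sample are constructed placeholders, and `expected_redirect_uri` simply models how the middleware composes the request base with `CallbackPath`.

```python
"""Check the redirect_uri an app actually sends against the reply URLs registered
on the AAD app registration. Added example; not code from the question or answer."""
from urllib.parse import urlparse, parse_qs

# Path used by App Service Authentication (Easy Auth) when it intercepts sign-in.
EASY_AUTH_CALLBACK_PATH = "/.auth/login/aad/callback"

# Constructed sample: an authorize request as captured in Fiddler (placeholder ids/hosts).
CAPTURED_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code%20id_token"
    "&redirect_uri=https%3A%2F%2Fxxx.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback"
    "&scope=openid%20profile"
)

# Constructed sample: reply URLs as registered on the AAD app (placeholders).
REGISTERED_REPLY_URLS = [
    "https://localhost:44300/signin-oidc",
    "https://xxx.azurewebsites.net/signin-oidc",
    "https://xxxxx.me/yyyyyBackend/signin-oidc",
]


def redirect_uri_from_authorize_url(authorize_url):
    """Extract the percent-decoded redirect_uri parameter from an authorize request URL."""
    query = parse_qs(urlparse(authorize_url).query)
    values = query.get("redirect_uri")
    if not values:
        raise ValueError("authorize request carries no redirect_uri parameter")
    return values[0]


def expected_redirect_uri(site_base, callback_path="/signin-oidc"):
    """Model of what the OpenID Connect middleware sends: the request's scheme, host and
    path base joined with CallbackPath (assumption for this example)."""
    return site_base.rstrip("/") + callback_path


def diagnose(redirect_uri, registered_reply_urls):
    """Return (status, differing_components).

    status is one of:
      "match"               exact match with a registered reply URL
      "easy_auth_intercept" the request was rewritten by App Service Authentication
      "mismatch"            no exact match; lists the components that differ from the
                            closest registration on the same host, or ["host"] if none
    """
    if redirect_uri in registered_reply_urls:
        return ("match", [])
    sent = urlparse(redirect_uri)
    if sent.path == EASY_AUTH_CALLBACK_PATH:
        return ("easy_auth_intercept", ["path"])
    best = None
    for candidate in registered_reply_urls:
        reg = urlparse(candidate)
        if reg.netloc != sent.netloc:
            continue
        diffs = [name for name, a, b in (("scheme", sent.scheme, reg.scheme),
                                         ("path", sent.path, reg.path),
                                         ("query", sent.query, reg.query))
                 if a != b]
        if best is None or len(diffs) < len(best):
            best = diffs
    return ("mismatch", best if best is not None else ["host"])


if __name__ == "__main__":
    sent = redirect_uri_from_authorize_url(CAPTURED_AUTHORIZE_URL)
    print("app sends:      ", sent)
    print("verdict:        ", diagnose(sent, REGISTERED_REPLY_URLS))
    print("with Easy Auth off the middleware would send:",
          expected_redirect_uri("https://xxx.azurewebsites.net"))
```

Run it after capturing the authorize request again once App Service Authentication has been disabled; the verdict should move from `easy_auth_intercept` to `match`, and any remaining `mismatch` names the exact component (typically scheme or path case) to fix on the registration.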