I'm getting frustrated by an error which occurs on a .NET Core 3.1 app I'm working on. Here's my setup:
In Startup.cs
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftWebApp(options =>
    {
        Configuration.Bind("AzureAd", options);
        options.Events ??= new OpenIdConnectEvents();
        // Force the redirect_uri sent in the authorization request
        options.Events.OnRedirectToIdentityProvider = async ctx =>
        {
            ctx.ProtocolMessage.RedirectUri = Configuration["AzureAd:RedirectUri"];
            await Task.CompletedTask;
        };
    })
    .AddMicrosoftWebAppCallsWebApi(Configuration, new[] { "user.read" })
    .AddDistributedTokenCaches();
In my appsettings
"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "ClientId",
    "TenantId": "TenantId",
    "RedirectUri": "https://mywebsite.com/signin-oidc",
    "ClientSecret": "ClientSecret"
},
The Azure app registration is configured correctly with https://mywebsite.com/signin-oidc as the redirect URL. I've also added the following to allow headers to be forwarded from the proxy:
services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

// then in the Configure method
app.UseForwardedHeaders();
Yet I'm still getting this error which is baffling me. I thought by adding
ctx.ProtocolMessage.RedirectUri = Configuration["AzureAd:RedirectUri"];
I would overcome this but it seems to have no impact on this error.
An unhandled exception occurred","Properties":{"CorrelationId":"c3393560-6ebe-41ce-99fc-693c1a387474","Path":"/signin-oidc","Method":"POST","exceptionMessage":"An error was encountered while handling the remote login.","exception":"System.Exception: An error was encountered while handling the remote login.\n ---> MSAL.NetCore.4.16.1.0.MsalServiceException: \n\tErrorCode: invalid_client\nMicrosoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS500112: The reply address 'http://mywebsite.com/signin-oidc' does not match the reply address 'https://mywebsite.com/signin-oidc' provided when requesting Authorization
Could it be that your proxy is also terminating HTTPS, so the traffic your application is getting is HTTP?
According to your error message: "Reply address does not match the reply address provided when requesting authorization." You must ensure that the redirect_uri configured in the Azure portal is exactly the same as the redirect_uri configured in the code.
When you visit the application URL, you will be redirected to the login page. Decode the authorization request URL; you will find redirect_uri. Copy the value of redirect_uri, paste it into the Azure portal, and try again.

For the redirect URL, it should start with https; if you need to start with http, you must configure it as http://localhost.
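The comment above suggests a TLS-terminating proxy, and the error shows the token request carrying an http reply address while the authorization request carried https. The example below is an added illustration, not code from the question or from Microsoft; it assumes the app derives its reply address from the incoming request's scheme, host, path base and callback path (so Request.Scheme must already be "https" when the authentication handler runs), that UseForwardedHeaders must therefore run before UseAuthentication, and that the proxy address 10.0.0.5 and the /diag/reply-address endpoint are placeholders. It also restores a trust boundary the question's configuration drops: clearing KnownNetworks and KnownProxies without adding the real proxy lets any client set X-Forwarded-* headers itself.

```csharp
// Added example (not the question's or Microsoft's code): a minimal ASP.NET Core 3.1
// Startup that applies X-Forwarded-Proto/Host before authentication runs, trusts only
// a named proxy, and exposes a development-only diagnostic endpoint that reports the
// scheme/host the app sees and the reply address it would build from them.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // X-Forwarded-Proto is the header that turns Request.Scheme into "https";
            // X-Forwarded-Host keeps the public host name rather than the internal one.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;
            // Trust forwarded headers only from the known proxy. Clearing both lists
            // and adding nothing (as in the question) trusts headers from any client.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // assumed proxy address
        });

        // The AddAuthentication(...) registration from the question goes here unchanged.
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must be first: anything that reads Request.Scheme (redirects, the OIDC
        // handler, reply-address construction) runs after this middleware.
        app.UseForwardedHeaders();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            // Diagnostic endpoint (development only, it reveals internal routing):
            // compare its output with the reply address registered in Azure.
            if (env.IsDevelopment())
            {
                endpoints.MapGet("/diag/reply-address", async ctx =>
                {
                    var reply = BuildReplyAddress(ctx.Request, "/signin-oidc");
                    await ctx.Response.WriteAsync(
                        $"scheme={ctx.Request.Scheme}\nhost={ctx.Request.Host}\nreply={reply}\n");
                });
            }
        });
    }

    // Assumed shape of the reply address: scheme + host + path base + callback path.
    // If this yields "http://..." behind an HTTPS proxy, the forwarded headers either
    // never reached the app or were not trusted (wrong KnownProxies or middleware order).
    public static string BuildReplyAddress(HttpRequest request, string callbackPath) =>
        UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, callbackPath);
}
```

Requesting /diag/reply-address through the proxy should print scheme=https and the https://mywebsite.com/signin-oidc reply address; if it prints http, fix the proxy's X-Forwarded-Proto header or the KnownProxies entry before changing anything in the Azure registration.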