Fix "AADSTS500112" in "Azure Container App" running asp.net with Identity

Kelvin Hoover 5 Reputation points
2025-02-08T17:54:19.3966667+00:00

I am encountering error "AADSTS500112" in an ASP.NET app running in an Azure Container App behind an ingress which is handling SSL termination. This means that all addresses are coming in as https and the ingress is forwarding http to port 8080. Azure Entra ID does not allow "http" in the reply URI; it requires "https".

'Microsoft.AspNetCore.Identity' running in an 'Azure Container App' with an ingress. When the user is returned after authenticating, it is redirected to 'https://{server}/signin-microsoft', which throws Microsoft.AspNetCore.Authentication.AuthenticationFailureException with the 'AADSTS500112' error: 'The reply address 'http://{server}/signin-microsoft' does not match the reply address 'https://{server}/signin-microsoft' provided when requesting Authorization code.'

The following is the exception being raised:

An error was encountered while handling the remote login. OAuth token endpoint failure: invalid_client;Description=AADSTS500112: The reply address 'http://{server}/signin-microsoft' does not match the reply address 'https://{server}/signin-microsoft' provided when requesting Authorization code. Trace ID: b296cd95-e4ca-4d9b-be74-4c4ca5187700 Correlation ID: aabd6cd6-4c0b-4c23-b58f-711a74eccc89 Timestamp: 2025-02-07 23:16:00Z

Developer technologies | ASP.NET | ASP.NET Core
Developer technologies | ASP.NET | Other

3 answers

  1. Sanoop M 4,320 Reputation points Moderator
    2025-02-10T21:37:44.9733333+00:00

    Hello @Kelvin Hoover,

    Thank you for posting your query on Microsoft Q&A.

    Based on your issue description, I understand that when the user is returned after authentication, it is redirected to 'https://{server}/signin-microsoft', which throws Microsoft.AspNetCore.Authentication.AuthenticationFailureException with the 'AADSTS500112' error: 'The reply address 'http://{server}/signin-microsoft' does not match the reply address 'https://{server}/signin-microsoft' provided when requesting Authorization code.'

    I am providing a detailed analysis of the error code AADSTS50011 below.

    Cause:

    This error occurs if the redirect URI (reply URL) configured in the application (code) and the Microsoft Entra app registration don't match.

    When a user accesses the application for authentication, the application redirects the user to Microsoft Entra ID with a predefined redirect URI. Once the user is authorized successfully, Microsoft Entra ID verifies the following values:

    • The redirect URI sent from the application
    • The redirect URI values in the registered application in Microsoft Entra ID

    If the redirect URI the application sent doesn't match any of the redirect URIs in Microsoft Entra ID, error AADSTS50011 will be returned. If the values match, Microsoft Entra ID sends the user to the redirect URI.

    Resolution:

    To fix the issue, please follow these steps to add a redirect URI in Microsoft Entra app registration.

    1. Copy the application ID from the error message.
    2. Go to the Azure portal. Make sure you sign in to the portal by using an account that has permissions to update Microsoft Entra Application registration.
    3. Navigate to Microsoft Entra ID, select App registrations, locate the application registration by using the application ID, and then open the app registration page.
    4. On the app registration page, select Authentication. In the Platform configurations section, select Add URI to add the redirect URI displayed in the error message to Microsoft Entra ID.
    5. Save the changes and wait three to five minutes for the changes to take effect, and then send the login request again. You should now be able to sign in to the application. If you don't see the Microsoft Entra login page, try clearing the password cache from your browser or use InPrivate browsing.

    Note:

    1. Redirect URIs are also referred to as Reply URLs.

    2. If the redirect URI sent from the application isn't the desired one, you should update your application code or configuration.

    For additional details about error code AADSTS50011, please refer to the document below.

    https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-aadsts50011-redirect-uri-mismatch?source=recommendations#resolution

    Additionally, based on the above mentioned error, I can see that the Reply URL is configured as http://{server}/signin-microsoft.

    Please note that the Reply URLs or Redirect URIs must begin with the scheme https, with exceptions for some localhost redirect URIs.

    Please refer to the below document for your reference.

    https://learn.microsoft.com/en-us/entra/identity-platform/reply-url#what-are-the-restrictions-of-redirect-uris-for-microsoft-entra-applications

    I hope the above information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks and Regards,

    Sanoop Mohan

    1 person found this answer helpful.

  2. Bruce (SqlWork.com) 79,101 Reputation points Volunteer Moderator
    2025-02-20T17:04:18.8933333+00:00

    Your issue is that Identity builds the reply URL based on the actual runtime URL. You need to configure your ASP.NET site to know it's behind a proxy that uses SSL. Generally proxies include proxy headers that pass the URL information, so you just add the middleware that supports these headers:

    https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-9.0


  3. Raymond Huynh (WICLOUD CORPORATION) 620 Reputation points Microsoft External Staff
    2025-08-12T03:17:57.81+00:00

    Hello @Kelvin Hoover ,

    Thank you for sharing the detailed error information and screenshots. I can see you're experiencing the classic AADSTS500112 error where there's a protocol mismatch between your registered redirect URI (HTTPS) and what Azure AD receives during the authentication flow (HTTP).

    Based on your Azure Container Apps setup with ingress handling SSL termination, I'd like to suggest an alternative approach that focuses on the application-level configuration within your ASP.NET Core application.

    Solution: Configure HTTPS Scheme Detection

    The core issue is that your application doesn't recognize it should generate HTTPS URLs when behind the Azure Container Apps ingress. Here's what I recommend:

    1. Update your Program.cs or Startup.cs

    Add this configuration before your authentication middleware:

    using Microsoft.AspNetCore.HttpOverrides;

    // Configure the application to trust proxy headers
    builder.Services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedHost |
                                  ForwardedHeaders.XForwardedProto;
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
    });

    // Ensure HTTPS scheme is used for redirect URIs
    builder.Services.AddAuthentication()
        .AddMicrosoftAccount(options =>
        {
            // Your existing configuration
            options.Events.OnRedirectToAuthorizationEndpoint = context =>
            {
                // Force HTTPS in redirect URI construction. Note: the redirect URI has
                // already been built when this event fires, so this assignment only
                // affects later middleware; the forwarded-headers middleware below is
                // what actually corrects the scheme.
                context.HttpContext.Request.Scheme = "https";
                // The default event performs the redirect; once it is overridden the
                // redirect must be issued here or the challenge never redirects.
                context.Response.Redirect(context.RedirectUri);
                return Task.CompletedTask;
            };
        });

    var app = builder.Build();

    // Configure<ForwardedHeadersOptions> alone does nothing: the middleware must be
    // added to the pipeline, before authentication, to apply the X-Forwarded-* headers.
    app.UseForwardedHeaders();
    app.UseAuthentication();
    
    2. Environment-Specific Configuration

    Since you're in Azure Container Apps, you can also set these environment variables in your container configuration:

    ASPNETCORE_FORWARDEDHEADERS_ENABLED=true
    ASPNETCORE_URLS=http://+:80
    
    3. Alternative Approach: Manual Redirect URI Override

    If the above doesn't resolve the issue, you can explicitly override the redirect URI construction:

    services.AddAuthentication()
        .AddMicrosoftAccount(options =>
        {
            options.CallbackPath = "/signin-microsoft";
            options.Events.OnRedirectToAuthorizationEndpoint = context =>
            {
                // Explicitly construct HTTPS redirect URI. RedirectContext.RedirectUri is
                // read-only and the redirect_uri inside it is URL-encoded, so rewrite the
                // encoded scheme and issue the redirect ourselves (the default event did
                // that before it was overridden).
                var httpsUri = context.RedirectUri.Replace("redirect_uri=http%3A%2F%2F",
                                                           "redirect_uri=https%3A%2F%2F");
                context.Response.Redirect(httpsUri);
                // This only changes the authorize request; the later code-for-token
                // request rebuilds redirect_uri from the callback request's scheme, so
                // the forwarded-headers middleware is still required.
                return Task.CompletedTask;
            };
        });
    
    Why This Happens

    Azure Container Apps ingress acts as a reverse proxy, terminating SSL connections and forwarding HTTP traffic to your container. Your ASP.NET Core application, running inside the container, only sees HTTP requests and constructs redirect URIs accordingly. The above solutions ensure your application generates HTTPS URLs that match your Azure AD app registration.

    Testing the Fix

    After implementing these changes:

    1. Redeploy your container
    2. Test the Microsoft authentication flow
    3. Monitor the redirect URI in browser developer tools to confirm it's using HTTPS

    Let me know if you need clarification on any of these steps or if you encounter any issues during implementation.

    Best regards

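The following Program.cs is an added example for this thread, not code from any of the answers above. It wires up the forwarded-headers middleware that the second answer links to, in the pipeline position the third answer describes, and adds a small diagnostic endpoint for the "Testing the Fix" step so you can see the exact redirect_uri the handler will send. It assumes the Microsoft.AspNetCore.Authentication.MicrosoftAccount package is referenced, that the ingress is the only network path to the container and sets X-Forwarded-Proto and X-Forwarded-Host on every forwarded request, and that the client id/secret live under configuration keys chosen for this example (Authentication:Microsoft:ClientId / ClientSecret); Identity's own registration is unchanged from the asker's app and omitted.

```csharp
// Program.cs for an ASP.NET Core app behind a TLS-terminating ingress.
// Added example for this thread, not code from any of the answers.
// Assumptions: Microsoft.AspNetCore.Authentication.MicrosoftAccount is referenced,
// the ingress is the sole entry point to the container, and it sets
// X-Forwarded-Proto / X-Forwarded-Host on every request it forwards.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Honour only the two headers needed to rebuild the public URL.
    // X-Forwarded-For is left out; add it only if the app needs the client IP.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;

    // By default only loopback proxies are trusted, so headers from the ingress
    // would be ignored. Clearing the lists trusts whatever reaches the container,
    // which is acceptable only because the ingress is the sole entry point
    // (assumption above). Keep the lists populated if other hosts can reach the app.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();

    // Accept exactly one hop (the ingress); extra forwarded values are ignored.
    options.ForwardLimit = 1;
});

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddMicrosoftAccount(options =>
    {
        // Configuration keys are placeholders chosen for this example.
        options.ClientId = builder.Configuration["Authentication:Microsoft:ClientId"]!;
        options.ClientSecret = builder.Configuration["Authentication:Microsoft:ClientSecret"]!;
        // /signin-microsoft is already the default; shown to match the thread.
        options.CallbackPath = "/signin-microsoft";
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Must run before anything that reads Request.Scheme or Request.Host, i.e. before
// authentication. The OAuth handler builds redirect_uri for BOTH the authorize
// request and the later code-for-token request from these values, and Entra ID
// rejects the token request with AADSTS500112 when the two differ.
app.UseForwardedHeaders();

app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint: returns the exact redirect_uri the handler will send,
// built the same way the handler builds it. Remove or restrict it once verified.
app.MapGet("/diag/redirect-uri", (HttpContext ctx) =>
    Results.Text($"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}/signin-microsoft"));

app.Run();
```

To check the wiring before touching the app registration, run the container locally and call the diagnostic endpoint twice: once plainly (`curl http://localhost:8080/diag/redirect-uri`, which should return an http://localhost:8080 URL) and once with the headers the ingress would add (`curl -H "X-Forwarded-Proto: https" -H "X-Forwarded-Host: myapp.example.com" http://localhost:8080/diag/redirect-uri`, which should return https://myapp.example.com/signin-microsoft). If the second call still returns http, the middleware is not in the pipeline ahead of the code reading the request, or the proxy lists are rejecting the source. The ASPNETCORE_FORWARDEDHEADERS_ENABLED variable mentioned in the third answer performs roughly the same registration for X-Forwarded-For and X-Forwarded-Proto with the known-proxy lists cleared; the explicit form above is preferable when you want to limit which headers are trusted.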
