AADSTS50011: The reply url specified in the reques

Published 2020-08-09 07:46

Question:

I have a .NET Core 2 app template that is configured to use Azure AD out of the box.

The configuration is:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "lautaroarinolive.onmicrosoft.com",
    "TenantId": "67cb2dfd-ebd5-40d8-829b-378340981a17",
    "ClientId": "50819a7a-e018-4c1d-bf0a-18c8fce5c600",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Warning"
    }
  }
}

In my portal, I have an Azure app registration with the same id as ClientId. It has the reply URL [APP-URL]/signin-oidc.

The localhost app works only if I set the reply URL to [LocalhostURL]/signin-oidc, even though I've learned that the configuration should not affect login on localhost.

The Azure app does not work in any case.

In both apps when it doesn't work I get this error:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '50819a7a-e018-4c1d-bf0a-18c8fce5c600'

  1. Is it correct that a localhost app should not need a configured reply URL?

  2. Why do I get the "reply url not configured" error?

Answer 1:

You can refer to this Sample to rebuild your .NET Core app and publish it to Azure.

There are some NOTES you need to pay attention to:

  1. You need to change the port from 5000 to the effective one. Currently, it should be 61659. So, when you do a test on your localhost, you can set the reply URL in the AAD app to http://localhost:61659/signin-oidc

  2. Update these URLs if you configure the app for production use. If you publish the app to an Azure Web App, you should change the reply URL in both the app config file and the AAD application to <AppURL>/signin-oidc

For example, https://www.contoso.com/signin-oidc or https://Myapp.azurewebsites.net/signout-oidc.
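The rule behind AADSTS50011 is that the redirect_uri sent in the authorization request has to equal one of the registered reply URLs in scheme, host, port and path; there is no prefix or wildcard matching. The following C# console program is an added example, not code from the question or from this answer, that applies that component-wise comparison to constructed inputs taken from the cases discussed on this page (the localhost port, http versus https, www versus bare host, the App Service /.auth/login/aad/callback path, and a path typo). The registered URLs and hostnames are assumptions for illustration, and the comparison rules (case-insensitive host, case-sensitive path, default port filled in from the scheme) are the standard URI normalization the code performs, not a statement of the service's internal implementation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class ReplyUrlCheck
{
    // Reduce a URL to the four components that must agree. System.Uri lower-cases the
    // scheme and host and substitutes the default port (80/443) when none is given,
    // so "https://MyApp.azurewebsites.net/x" and "https://myapp.azurewebsites.net:443/x"
    // produce the same key. The path is kept as written.
    static (string scheme, string host, int port, string path) Key(string url)
    {
        var u = new Uri(url, UriKind.Absolute);
        return (u.Scheme, u.Host, u.Port, u.AbsolutePath);
    }

    // True only when every component of redirectUri equals a registered entry.
    public static bool Matches(string redirectUri, IEnumerable<string> registered)
    {
        var want = Key(redirectUri);
        return registered.Any(r => Key(r).Equals(want));
    }

    // Say which component is off relative to the closest registered entry,
    // which is the information the AADSTS50011 message itself does not give.
    public static string Diagnose(string redirectUri, IEnumerable<string> registered)
    {
        var want = Key(redirectUri);
        string best = null;
        List<string> bestDiff = null;
        foreach (var r in registered)
        {
            var have = Key(r);
            var diff = new List<string>();
            if (have.scheme != want.scheme) diff.Add($"scheme '{want.scheme}' != '{have.scheme}'");
            if (have.host != want.host)     diff.Add($"host '{want.host}' != '{have.host}'");
            if (have.port != want.port)     diff.Add($"port {want.port} != {have.port}");
            if (have.path != want.path)     diff.Add($"path '{want.path}' != '{have.path}'");
            if (diff.Count == 0) return "match: " + r;
            if (bestDiff == null || diff.Count < bestDiff.Count) { best = r; bestDiff = diff; }
        }
        return $"AADSTS50011 mismatch; closest registered entry {best}: {string.Join(", ", bestDiff)}";
    }

    public static void Main()
    {
        // Constructed reply URLs, assumed to be what is registered on the app registration.
        var registered = new[]
        {
            "https://contoso.com/signin-oidc",
            "https://myapp.azurewebsites.net/signin-oidc",
            "http://localhost:61659/signin-oidc",
        };

        // Constructed redirect_uri values an app might send, one per failure mode on this page.
        var requests = new[]
        {
            "http://localhost:61659/signin-oidc",                       // registered port: match
            "http://localhost:5000/signin-oidc",                        // template port, not registered
            "https://MyApp.azurewebsites.net/signin-oidc",              // host case differs: still a match
            "http://myapp.azurewebsites.net/signin-oidc",               // http instead of https
            "https://www.contoso.com/signin-oidc",                      // www host not registered
            "https://myapp.azurewebsites.net/.auth/login/aad/callback", // App Service auth callback path
            "https://myapp.azurewebsites.net/signout-oidc",             // path typo
        };

        foreach (var r in requests)
            Console.WriteLine($"{r}\n  -> {(Matches(r, registered) ? "OK" : "FAIL")}: {Diagnose(r, registered)}");
    }
}
```

When the error appears in production, capture the redirect_uri from the actual authorize request (it is visible in the browser's address bar or network log when the app redirects to login.microsoftonline.com) and compare it with the portal entry the same way; the difference is almost always one of the four components above.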



Answer 2:

I had a similar problem with a .NET 4.6.1 web application. I had to configure the Reply URL for my app in Azure similar to the accepted answer; however, the callback URL was different.

Select Azure Active Directory -> App Registrations -> <your app>
Select Settings -> Reply URLs

Add your app's URL + '/.auth/login/aad/callback'. For example: https://somesite.azurewebsites.net/.auth/login/aad/callback



Answer 3:

Make sure services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); is placed below the authentication configuration.

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Challenge via OpenID Connect; keep the signed-in session in the cookie scheme.
services.AddAuthentication(options =>
{
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
    options.Authority = "";            // Instance + TenantId from the AzureAd config section
    options.ClientId = "";             // application (client) ID of the app registration
    options.ResponseType = OpenIdConnectResponseType.IdToken;
    options.CallbackPath = "";         // path part of the registered reply URL, e.g. /signin-oidc
    options.SignedOutRedirectUri = ""; // where to land after sign-out
    options.TokenValidationParameters.NameClaimType = "name";
})
.AddCookie();

I was facing the same error due to having added AddMvc() before the AddAuthentication() extension method.



Answer 4:

Besides the reply URLs in the Authentication settings, another setting is the "Supported account types" (which is read-only after creation).

You should choose the option as below when you create the app registration.

Then you should have the account type as below.

Rather than this, it doesn't work.



Answer 5:

In some cases, Azure uses the 'www' in the URL, even if you specify the URL in the portal without 'www'. Use "https://www.mysite.co/signin-oidc" instead of "https://mysite.co/signin-oidc" in your redirectUri variable.



Answer 6:

Small thing, but at the Web Tenant, under the custom domains settings, the HTTPS Only option should be turned on depending on the URLs used by the site. I had the same problem: at login, redirect_uri=http://sitename was concatenated instead of https. Enabling this option resolved my authentication issue.
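Answers 5 and 6 are both symptoms of the same mechanism: the OpenID Connect handler builds redirect_uri from the scheme and host of the incoming request plus CallbackPath, so if TLS is terminated in front of Kestrel, or the site is reached under a different hostname than the one registered, the value sent to Azure AD drifts away from the portal entry. The Startup class below is an added example, not code from the question or any answer, showing two ways to keep that value stable in an ASP.NET Core 2.x app: honour the proxy's X-Forwarded-Proto/X-Forwarded-Host headers so Request.Scheme and Request.Host are correct, and optionally pin redirect_uri to the registered value in the OnRedirectToIdentityProvider event. It reads the AzureAd section from the question's appsettings.json; the extra "AzureAd:RedirectUri" key, the proxy address 10.0.0.5 and the www.mysite.co hostname are assumptions for illustration.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Behind a TLS-terminating proxy Kestrel sees plain http, and the OIDC handler
        // would then send redirect_uri=http://... (the symptom in answer 6). Trust the
        // proxy's forwarded scheme and host so the handler builds the https URL.
        services.Configure<ForwardedHeadersOptions>(o =>
        {
            o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
            // Only trust headers from the known proxy; an arbitrary client must not be able
            // to rewrite the scheme/host used in security-relevant URLs. Address is assumed.
            o.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));
        });

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            var ad = _config.GetSection("AzureAd");
            o.Authority = ad["Instance"] + ad["TenantId"]; // https://login.microsoftonline.com/{TenantId}
            o.ClientId = ad["ClientId"];
            o.CallbackPath = ad["CallbackPath"];           // "/signin-oidc"; the path part of the reply URL
            o.ResponseType = OpenIdConnectResponseType.IdToken;

            o.Events = new OpenIdConnectEvents
            {
                // Optional belt-and-braces: if a full redirect URI is configured
                // (assumed key "AzureAd:RedirectUri", e.g. https://www.mysite.co/signin-oidc
                // as in answer 5), send exactly that instead of the request-derived value.
                // It must still be one of the reply URLs registered on the app registration.
                OnRedirectToIdentityProvider = ctx =>
                {
                    var pinned = _config["AzureAd:RedirectUri"];
                    if (!string.IsNullOrEmpty(pinned))
                        ctx.ProtocolMessage.RedirectUri = pinned;
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders(); // before anything that reads Request.Scheme / Request.Host
        app.UseAuthentication();   // before MVC, otherwise [Authorize] never triggers the challenge
        app.UseMvc();
    }
}
```

Pinning the redirect URI only moves the problem if the pinned value itself is not registered, so the portal entry and the pinned value should be maintained together; the forwarded-headers fix is the one that addresses the root cause for the http versus https case.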