Reply URLs vs PostLogoutRedirectURIs in Azure Active Directory (AAD)
Over 300 people have asked questions on Stack Overflow about how to configure Reply URLs for .NET web apps in the Azure Portal. Reply URLs are a very simple concept, but their setup in the Azure Portal is not necessarily intuitive.
When you register an Azure AD application you are required to configure a reply URL, which by default takes its value from the sign-on URL entered during the app registration.
In Azure AD, the difference between the Reply URL and the PostLogoutRedirectURI is subtle. The official Microsoft documentation defines the Reply URL as follows:
“In the case of a web API or web application, the Reply URL is the location to which Azure AD will send the authentication response, including a token if the authentication was successful.”
On the other hand, the PostLogoutRedirectURI in the web.config is the unique identifier to which Azure AD will redirect the user-agent in an OAuth 2.0 request.
When you publish a new application, the PostLogoutRedirectURI and the ReplyURL must match in order for the users to be authenticated. This pairing is a security measure to ensure that other users do not try to authenticate their own applications using stolen Azure AD application coordinates.
One important note about the Azure Portal configuration is that it is necessary to change the Reply URL from localhost to the main website URL where the user must be directed after the application has been published.
To create the link between the PostLogoutRedirectURI and the Reply URL, first set the PostLogoutRedirectURI in the app configuration. Then register the application and click into the application registration. Go to Settings > Reply URLs and set the URL to the page where the user will be directed after logging in.
For more information on this topic, see my video “Reply URLs Explained”:
https://www.youtube.com/watch?v=A9U1VGyztEM&t=9s
See also:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
