Azure app proxy authorization returns AADSTS50011: The reply URL specified in the request does not match the reply URLs (behind Nginx proxy)

My .NET Core application returns the error "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application" when I try to authenticate using Azure AD and Azure Application Proxy.

My app may be accessed at two addresses:

  1. https://myapp.local
  2. https://myapplocal-mycompany.msappproxy.net

In both cases the traffic should be redirected to the */signin-oidc page. It works fine for the local domain but fails for the proxy domain.

It seems that the redirect_uri parameter in the login.microsoftonline.com request URL is not being appended with the */signin-oidc part while using the proxy - it is just https://myapplocal-mycompany.msappproxy.net instead of https://myapplocal-mycompany.msappproxy.net/signin-oidc (using https://myapp.local it is correct: https://myapp.local/signin-oidc).

I have the following Azure AD config in the .NET Core app (appsettings.json):

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "myapp.com",
    "ClientId": "myclient",
    "TenantId": "mytenant",
    "ClientSecret": "myclientsecret",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc",
    "ClientCertificates": [
    ]
  }
}

The .NET application resides behind an Azure Application Proxy connector and two servers:

  1. nginx loadbalancer
  2. nginx proxy

The nginx load balancer is configured in the following way:

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 5M;
    # server_tokens off;

    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    large_client_header_buffers 4 16k;

    ...
}


server {
    ...

    location / {
        proxy_set_header Host $host;
        proxy_pass https://myapp.local_upstream;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

upstream myapp.local_upstream {
    least_conn;
    server targetserver:8503;
}

The nginx proxy is configured in the following way:

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 5M;
    # server_tokens off;

    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    large_client_header_buffers 4 16k;

    ...
}


server {
    listen 8503 ssl;
    listen [::]:8503 ssl;

    ...

    location / {
        proxy_pass https://localhost:5503;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

What may be the reason for that behavior?

My Redirect URIs configuration looks like this: (screenshot: Redirect URIs configuration)

The Application Proxy configuration looks like this: (screenshot: Application Proxy configuration)
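The following is an added example, not code from the question and not Microsoft's or nginx's own code. It models two things a practitioner wants to check when chasing AADSTS50011 behind a reverse proxy: (a) how the ASP.NET Core OpenID Connect handler composes redirect_uri (Request.Scheme + "://" + Request.Host + PathBase + CallbackPath, where the ForwardedHeaders middleware, if enabled and the proxy is trusted, first overwrites scheme and host from X-Forwarded-Proto / X-Forwarded-Host), and (b) an offline, component-by-component comparison of the redirect_uri actually sent to login.microsoftonline.com against the reply URLs registered in Azure AD. The function names (build_redirect_uri, diagnose_reply_url), the constructed authorize URL and header sets are assumptions for illustration; the hostnames, client and tenant placeholders are taken from the question. The comparison rule (scheme and host case-insensitive, path byte-for-byte) is a conservative assumption, not a statement of Azure AD's exact matching algorithm.

```python
"""Model of redirect_uri construction and an AADSTS50011 reply-URL diagnosis.

Added example; the handler model and the comparison rules are assumptions
documented in the function docstrings, not code from the question.
"""
from urllib.parse import parse_qs, urlsplit


def build_redirect_uri(headers, callback_path="/signin-oidc",
                       scheme_seen="https", path_base="", trust_forwarded=True):
    """Return the redirect_uri the ASP.NET Core OIDC handler would emit.

    headers:         headers as received by Kestrel on the last hop
    scheme_seen:     scheme of that last hop (https when nginx proxies over TLS)
    path_base:       PathBase, non-empty only if the app is mounted under a prefix
    trust_forwarded: True when UseForwardedHeaders() is on and the proxy is
                     in KnownProxies/KnownNetworks (loopback by default)
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = scheme_seen, h["host"]
    if trust_forwarded:
        # The middleware only overrides when the header is present, and with
        # the default ForwardLimit it consumes the right-most (nearest proxy's)
        # value of a comma-separated list.
        if "x-forwarded-proto" in h:
            scheme = h["x-forwarded-proto"].split(",")[-1].strip()
        if "x-forwarded-host" in h:
            host = h["x-forwarded-host"].split(",")[-1].strip()
    return f"{scheme}://{host}{path_base}{callback_path}"


def _parts(url):
    """Split a URL into (scheme, host[:port], path) with DNS-style case folding."""
    u = urlsplit(url)
    return u.scheme.lower(), u.netloc.lower(), u.path


def diagnose_reply_url(authorize_url, registered):
    """Compare the redirect_uri inside an authorize URL with registered reply URLs.

    Assumed rule: scheme and host compared case-insensitively, path compared
    byte-for-byte (a missing segment or a trailing slash counts as a mismatch).
    Returns the sent value, whether it matched, the closest registered entry
    (fewest differing components) and the list of differing components.
    """
    query = parse_qs(urlsplit(authorize_url).query)
    sent = query.get("redirect_uri", [None])[0]
    if sent is None:
        return {"sent": None, "match": False, "closest": None,
                "differences": ["redirect_uri parameter missing"]}
    s_scheme, s_host, s_path = _parts(sent)
    closest, closest_diffs = None, None
    for reg in registered:
        r_scheme, r_host, r_path = _parts(reg)
        diffs = []
        if s_scheme != r_scheme:
            diffs.append(f"scheme: {s_scheme!r} vs {r_scheme!r}")
        if s_host != r_host:
            diffs.append(f"host: {s_host!r} vs {r_host!r}")
        if s_path != r_path:
            diffs.append(f"path: {s_path!r} vs {r_path!r}")
        if not diffs:
            return {"sent": sent, "match": True, "closest": reg, "differences": []}
        if closest_diffs is None or len(diffs) < len(closest_diffs):
            closest, closest_diffs = reg, diffs
    return {"sent": sent, "match": False, "closest": closest,
            "differences": closest_diffs}


# Constructed sample data, modelled on the hostnames in the question.
REGISTERED = [
    "https://myapp.local/signin-oidc",
    "https://myapplocal-mycompany.msappproxy.net/signin-oidc",
]
# Constructed authorize URL with the truncated redirect_uri the question reports.
AUTHORIZE_VIA_PROXY = (
    "https://login.microsoftonline.com/mytenant/oauth2/v2.0/authorize"
    "?client_id=myclient&response_type=code%20id_token"
    "&redirect_uri=https%3A%2F%2Fmyapplocal-mycompany.msappproxy.net"
    "&scope=openid%20profile"
)

if __name__ == "__main__":
    # What the app emits when only X-Forwarded-Proto arrives (as in the nginx
    # configs above, which never set X-Forwarded-Host): host comes from Host.
    print(build_redirect_uri({"Host": "myapp.local", "X-Forwarded-Proto": "https"}))
    # Same request once a proxy also supplies X-Forwarded-Host.
    print(build_redirect_uri({"Host": "localhost:5503", "X-Forwarded-Proto": "https",
                              "X-Forwarded-Host": "myapplocal-mycompany.msappproxy.net"}))
    print(diagnose_reply_url(AUTHORIZE_VIA_PROXY, REGISTERED))
```

To use it on a real failure, copy the full login.microsoftonline.com URL from the browser's address bar at the moment the AADSTS50011 page appears, pass it to diagnose_reply_url together with the reply URLs from the app registration, and the returned "differences" list tells you whether scheme, host or path is what disagrees. build_redirect_uri is useful for reasoning about which proxy header has to carry the public host: with the question's nginx configs, neither hop sets X-Forwarded-Host, so the host in redirect_uri can only come from the Host header that reaches Kestrel.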

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
