Wanted: Guidance debugging AAD Tutorial Demonstrating Web App Calling Azure Function

Siegfried Heintze 1,306 Reputation points
2020-04-28T00:18:37.903+00:00

I'm trying to follow the tutorial (9781484250396) in Chap03 (%SRCROOT%\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI) that demonstrates using AAD to authenticate a web site that uses an Azure function. This tutorial has me hosting a web site on my local dev machine that should be calling an azure function after having authenticated using AAD.

I have used Visual Studio 2019 to check out the code here: developing-apps-w-azure-active-directory.

I've registered a new application with AAD.

I've configured an Azure function to be authenticated with Azure Active Directory. This was working Friday afternoon:
HttpTrigger1

I'm thinking that URL is no longer working because I have since added AAD authentication. OK, maybe this is progress.

After carefully pasting the clientID, tenantID, the secret, my domain (sheintzehotmail.onmicrosoft.com), the resource ID (according to my bing searching, this is just clientID again) and the API Base address into file %SRCROOT%\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\appsettings.json.

See below for the stack trace. When I try to login using the sample application, I get "AADSTS700054: response_type 'id_token' is not enabled for the application."

Maybe the problem has nothing to do with the azure function or my sample application. I have done "az login", "az logout" and "az login" and twice I see this warning. Perhaps my azure account is messed up? Can someone guide me?

az : WARNING: You have logged in. Now let us find all the subscriptions to which you have access...
At line:1 char:1
+ az login
+ ~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: You ha... have access...:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

WARNING: Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/1e694636-92fd-4ca7-b666-d0545514eb69', 'tenant_id': '1e694636-92fd-4ca7-b666-d0545514eb69'}' due to error 'Get
Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or
because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID:
e2c7aca3-e581-40b9-ba16-e3b73c120d00\r\nCorrelation ID: 6bf933cf-b2f5-47da-9125-f6d40442f1d9\r\nTimestamp: 2020-04-28 00:05:45Z","error_codes":[50076],"timestamp":"2020-04-28 00:05:45Z","tra
ce_id":"e2c7aca3-e581-40b9-ba16-e3b73c120d00","correlation_id":"6bf933cf-b2f5-47da-9125-f6d40442f1d9","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_actio
n"}'
[
{
"cloudName": "AzureCloud",
"id": "acc26051-92a5-4ed1-a226-64a187bc27db",
"isDefault": true,
"name": "Azure subscription 1",
"state": "Enabled",
"tenantId": "7a838aec-0b9e-4856-a3b5-2b02613f36a2",
"user": {
"name": "sheintze@Karima ben .com",
"type": "user"
}
}
]

Thank you

Siegfried

Here is the stack trace I get when I try to run the sample code I have cloned from github.

info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[0]
User profile is available. Using 'C:\Users\shein\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
Hosting environment: Development
Content root path: c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI
Now listening on: https://localhost:5001
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.
dbug: HttpsConnectionAdapter1
Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory1.FromAsyncImpl[TArg1,TArg2](Func5 beginMethod, Func2 endFunction, Action1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
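at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state)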
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
dbug: HttpsConnectionAdapter1
Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory1.FromAsyncImpl[TArg1,TArg2](Func5 beginMethod, Func2 endFunction, Action1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
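at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state)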
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker3
Route matched with {action = "Index", controller = "Home"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult Index() on controller WebApp_FunctionAPI.Controllers.HomeController (WebApp-FunctionAPI).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker1
Executing action method WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI) - Validation state: Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker2
Executed action method WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI), returned result Microsoft.AspNetCore.Mvc.ViewResult in 4.2962ms.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor1
Executing ViewResult, running view Index.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[4]
Executed ViewResult - view Index executed in 2145.2209ms.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker2
Executed action WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI) in 2658.9118ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 10315.1914ms 200 text/html; charset=utf-8
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/images/banner1.svg
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/lib/bootstrap/dist/js/bootstrap.js
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/images/banner2.svg
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/lib/bootstrap/dist/css/bootstrap.css
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/css/site.css
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/images/banner3.svg
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/images/banner1.svg'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\images\banner1.svg'
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/images/banner2.svg'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\images\banner2.svg'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 369.4089ms 200 image/svg+xml
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 278.2615ms 200 image/svg+xml
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/css/site.css'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\css\site.css'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/lib/jquery/dist/jquery.js
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/js/site.js?v=4q1jwFhaPaZgr8WAUSrux6hAuh0XDg9kPS3xIVq36I0
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/images/banner3.svg'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\images\banner3.svg'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 303.7515ms 200 text/css
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/lib/bootstrap/dist/js/bootstrap.js'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\bootstrap\dist\js\bootstrap.js'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 347.3063ms 200 image/svg+xml
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/lib/bootstrap/dist/css/bootstrap.css'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\bootstrap\dist\css\bootstrap.css'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 547.9487ms 200 application/javascript
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 554.5855ms 200 text/css
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/js/site.js'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\js\site.js'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 499.6928ms 200 application/javascript
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\bootstrap\dist\fonts\glyphicons-halflings-regular.woff2'
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware2
Sending file. Request path: '/lib/jquery/dist/jquery.js'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\jquery\dist\jquery.js'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 682.0883ms 200 font/woff2
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 1109.3877ms 200 application/javascript
info: Microsoft.AspNetCore.Hosting.Internal.WebHost1
Request starting HTTP/1.1 GET https://localhost:5001/Account/SignIn
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker3
Route matched with {action = "SignIn", controller = "Account"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult SignIn() on controller WebApp_FunctionAPI.Controllers.AccountController (WebApp-FunctionAPI).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker1
Executing action method WebApp_FunctionAPI.Controllers.AccountController.SignIn (WebApp-FunctionAPI) - Validation state: Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker2
Executed action method WebApp_FunctionAPI.Controllers.AccountController.SignIn (WebApp-FunctionAPI), returned result Microsoft.AspNetCore.Mvc.ChallengeResult in 1.9844ms.
info: Microsoft.AspNetCore.Mvc.ChallengeResult1
Executing ChallengeResult with authentication schemes (OpenIdConnect).
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
AuthenticationScheme: OpenIdConnect was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker2
Executed action WebApp_FunctionAPI.Controllers.AccountController.SignIn (WebApp-FunctionAPI) in 5208.946ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost2
Request finished in 5940.1812ms 302


Accepted answer
  1. AmanpreetSingh-MSFT 55,226 Reputation points
    2020-05-04T07:20:04.043+00:00

    @Siegfried Heintze Thank you for sharing the fiddler capture.

    Analysis:

    Looking at the capture, I found below parameters in the request:

    • client_id : b078e920-xxxx-xxxx-xxxx-e95c9a6f209d
    • resource : 46020346-xxxx-xxxx-xxxx-7b5d3548d1a4
    • response_type : id_token code

    This means, you are using above client_id to request an id_token and code for the above mentioned resource. In response to this request you are getting below error:

    AADSTS700054: response_type 'id_token' is not enabled for the application.

    Cause:

    The value of OAuth2AllowIdTokenImplicitFlow:false for the application with above client id (b078e920-xxxx-xxxx-xxxx-e95c9a6f209d) is false. This means the id token checkbox is not selected. The value of OAuth2AllowIdTokenImplicitFlow:false for the resource (46020346-xxxx-xxxx-xxxx-7b5d3548d1a4) is set to true, which means id token checkbox is selected for this app. I am suspecting that you have enabled id_token for resource instead of the client app.

    Action Plan:

    Select the ID token checkbox on the App with Client ID (aka App ID) b078e920-xxxx-xxxx-xxxx-e95c9a6f209d. Please refer to the steps I shared in my initial answer. Once this is done, you should not get AADSTS700054: response_type 'id_token' is not enabled for the application. error.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


4 additional answers

  1. AmanpreetSingh-MSFT 55,226 Reputation points
    2020-04-28T05:54:38.493+00:00

    Looking at the problem statement, I can see that you are getting 2 errors:

    1. AADSTS700054: response_type 'id_token' is not enabled for the application. - To resolve this error you need to navigate to Azure Portal > Azure AD > App Registrations > select All Applications tab > Search with the Client ID you used > Open the application and go to Authentication blade > Under Implicit Grant section, select checkbox for ID Token.
    2. AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. - To resolve this, navigate to Azure Portal > Azure AD > Properties > Click on Manage Security Defaults link > Toggle Enable Security Defaults button to NO.

    I have shared more details about the 2nd error in your previous post here

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  2. Siegfried Heintze 1,306 Reputation points
    2020-04-28T19:30:41.83+00:00

    (1) Thanks for the prompt response! I believe I successfully followed your recommendation and clicked the token check box on both this project and the other one. This effort does not appear to be successful for either of the two projects because I'm still getting the same error (for both projects):
    AADSTS700054: response_type 'id_token' is not enabled for the application. I'm hoping you can provide some more guidance. I will confirm that I'm still getting this same error in the other application soon.

    (2) This appears to have worked. I successfully authenticated with my phone and I got the login prompt that failed with the above error message.

    After reading this link (concept-fundamentals-security-defaults) I'm still having trouble understanding what I did that caused azure to require two factor authentication (which is a nuisance for developers). I am the only one on this subscription. I did not turn it on. I don't understand what "move" means. Can you help me make adjustments so I no longer need to use my phone just to debug this app?

    Thank you!
    Siegfried


  3. Siegfried Heintze 1,306 Reputation points
    2020-05-05T00:53:22.173+00:00

    Thanks, I followed your suggestions. I believe they resolved some problems and now I have new problems. I have checked the "ID Tokens" and I'm getting some different errors:

    (1) AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'b078e920-278a-4b24-8b96-e95c9a6f209d'.

    Can you help me understand what I need to specify for the redirect URL?

    When I run it via dotnet I see:
    Now listening on: https://localhost:5001
    Now listening on: http://localhost:5000

    So should not the redirect URL specified in the AAD App registration be https://localhost:5001? This does not work.

    When I run using IISExpress, I see this in the browser URL window: https://localhost:44367 (as per the launchSettings.json file). I change the redirect URL on the AAD App registration to https://localhost:44367 and it does not work again and I get the same error.

    (2) When "dotnet run", I see a stacktrace! Maybe this is the problem! Bing searching suggests ([how-to-fix-the-error-authentication-failed-because-the-remote-party-has-closed-the-transport-stream][1]). I added this to main and it did not help:
    ServicePointManager.SecurityProtocol = /*SecurityProtocolType.Ssl3 | */ SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

    Here is the stack trace:

    dbug: HttpsConnectionAdapter[1]
    Failed to authenticate HTTPS connection.
    System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
    at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
    at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
    at System.Threading.Tasks.TaskFactory1.FromAsyncImpl[TArg1,TArg2](Func5 beginMethod, Func2 endFunction, Action1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
    at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
    at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
    at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
    at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
    Request starting HTTP/1.1 GET https://localhost:5001/

    (3) If I ignore this stack trace I get the same error: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'b078e920-278a-4b24-8b96-e95c9a6f209d'.

    Why don't I see this stack trace when I run with IISExpress?

    Thank you
    Siegfried
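
The two checks discussed in this thread, the AADSTS700054 cause from the accepted answer and the AADSTS50011 reply-URL mismatch raised above, as an added example that is not from the thread or the book's sample code. The GUIDs, tenant name, the simplified `replyUrls` field and the `/signin-oidc` path (ASP.NET Core's default OpenID Connect callback path, assumed here) are constructed, and the reply-URL check is a plain string comparison, which simplifies the service's matching rules.

```python
from urllib.parse import urlsplit, parse_qs

# Manifest switch that must be true on the CLIENT app before it may request
# response_type=id_token (the "ID tokens" checkbox under Implicit grant).
ID_TOKEN_FLAG = "oauth2AllowIdTokenImplicitFlow"


def diagnose(authorize_url, registrations):
    """Return [(error_code, explanation), ...] for one captured authorize request.

    registrations maps appId -> {ID_TOKEN_FLAG: bool, "replyUrls": [str, ...]},
    a simplified, constructed view of each app registration's manifest.
    """
    query = parse_qs(urlsplit(authorize_url).query)
    client_id = query.get("client_id", [""])[0]
    resource = query.get("resource", [""])[0]
    response_types = query.get("response_type", [""])[0].split()
    redirect_uri = query.get("redirect_uri", [""])[0]

    client = registrations.get(client_id)
    if client is None:
        return [("UNKNOWN_CLIENT", "no registration for client_id " + client_id)]

    findings = []
    # AADSTS700054: the flag is read from the app named by client_id,
    # not from the app named by the resource parameter.
    if "id_token" in response_types and not client.get(ID_TOKEN_FLAG, False):
        detail = ID_TOKEN_FLAG + " is false on client app " + client_id
        if registrations.get(resource, {}).get(ID_TOKEN_FLAG):
            detail += "; it is enabled on resource " + resource + " instead"
        findings.append(("AADSTS700054", detail))

    # AADSTS50011: the redirect_uri sent by the app (scheme, host, port AND
    # path) has to be one of the reply URLs registered on the client app.
    registered = client.get("replyUrls", [])
    if redirect_uri not in registered:
        detail = "request sent " + redirect_uri + ", registered: " + ", ".join(registered)
        findings.append(("AADSTS50011", detail))
    return findings


# --- constructed sample data (placeholder GUIDs, not the thread's values) ---
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
RESOURCE_ID = "22222222-2222-2222-2222-222222222222"

SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize"
    "?client_id=" + CLIENT_ID
    + "&resource=" + RESOURCE_ID
    + "&response_type=id_token%20code"
    + "&response_mode=form_post"
    + "&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fsignin-oidc"
)

# State matching the thread: checkbox ticked on the resource app only, and the
# reply URL registered without the callback path.
MISCONFIGURED = {
    CLIENT_ID: {ID_TOKEN_FLAG: False, "replyUrls": ["https://localhost:5001"]},
    RESOURCE_ID: {ID_TOKEN_FLAG: True, "replyUrls": []},
}

# Corrected client registration.
FIXED = {
    CLIENT_ID: {
        ID_TOKEN_FLAG: True,
        "replyUrls": ["https://localhost:5001/signin-oidc"],
    },
    RESOURCE_ID: {ID_TOKEN_FLAG: False, "replyUrls": []},
}

if __name__ == "__main__":
    for label, regs in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(label)
        for code, detail in diagnose(SAMPLE_REQUEST, regs) or [("OK", "no findings")]:
            print("  " + code + ": " + detail)
```

To use it on a real capture, take `redirect_uri` from the authorize request itself (for example the Fiddler capture mentioned in the accepted answer) rather than from the address shown in the browser.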
