Azure Web App Easy Auth using Reverse Proxy

Try this:

1. Update the Redirect URI: Ensure that the redirect URI in your Azure AD app registration matches the public endpoint. This means updating the redirect URI to https://contoso.com/app-one/.auth/login/aad/callback.
2. Configure Azure AD Authentication: In the Azure portal, navigate to your Azure Web App and go to the Authentication/Authorization settings. Ensure that the redirect URI is set to your public endpoint.
3. Modify the Reverse Proxy Configuration: Since you're using Azure API Management (APIM) as a reverse proxy, you need to ensure that APIM is correctly forwarding the requests and responses. You might need to rewrite the location headers in the responses to ensure they point to the public endpoint. This can be done using policies in APIM.
4. Custom Domain and SSL: Make sure your custom domain (contoso.com) is properly configured in Azure Web App and that you have an SSL certificate set up for secure communication.
5. Host Header: Ensure that the host header is preserved when the request is forwarded from APIM to the Azure Web App. This can be done by setting the preserveHostHeader attribute to true in your APIM policy.