Login loop with Azure OAuth2

I’m trying to configure my k8s v2 deployment environment with authentication via Azure OAuth2.

Here is my halconfig:

  security:
    apiSecurity:
      ssl:
        enabled: false
      overrideBaseUrl: https://ci.domain.io/gate
      corsAccessPattern: https://ci.domain.io
    uiSecurity:
      ssl:
        enabled: false
      overrideBaseUrl: https://ci.domain.io
    authn:
      oauth2:
        enabled: true
        client:
          clientId: client
          clientSecret: secret
          accessTokenUri: https://login.microsoftonline.com/${azureTenantId}/oauth2/token
          userAuthorizationUri: https://login.microsoftonline.com/${azureTenantId}/oauth2/authorize?resource=https://graph.windows.net
          clientAuthenticationScheme: query
          scope: profile
          preEstablishedRedirectUri: https://ci.domain.io/gate/login
          useCurrentUri: false
        resource:
          userInfoUri: https://graph.windows.net/me?api-version=1.6
        userInfoMapping:
          email: userPrincipalName
          firstName: givenName
          lastName: surname
        provider: AZURE

I’m currently exposing this through k8s Ingress resources with TLS; Deck is exposed at ci.domain.io and Gate is exposed through ci.domain.io/gate via the internal API_HOST variable in my deck.yml settings.

In the Azure docs, it says my redirect URL should be https://<gate>/login, so I set my redirect URI to be https://ci.domain.io/gate/login. I can hit https://ci.domain.io, it sends me to Gate, which redirects me to the Azure OAuth login page. I can log in successfully, but it immediately redirects me back to the Azure login page.

What is the proper reply URI/redirect URL that I need to give Azure so I stop getting a redirect loop?