OpenID with Azure Entra
- Go to the Azure Portal and sign in with your account.
- In the search box, type "Microsoft Entra ID" (the service formerly called Azure Active Directory) and open it.
- On the left menu, click on App registrations and then on New registration.
- Give your app a name and select Web as the platform type.
- In the Redirect URI field, enter http://localhost:3080/oauth/openid/callback and click on Register. Entra matches redirect URIs exactly, so when you run behind a custom domain register https://your-domain.com/oauth/openid/callback instead (HTTPS is required for any non-localhost redirect URI), and keep it consistent with the DOMAIN_SERVER value you set later.
- You will see an Overview page with some information about your app. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere.
- On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit grant and hybrid flows. Note that these settings only affect the implicit and hybrid flows, which return tokens in the URL fragment; a plain authorization code flow through the callback above does not need them, so leave them unchecked if your deployment signs in without them.
- On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a name and an expiration date and click on Add. You will see a Value column with your secret. Copy it now and save it somewhere; the value is shown only once. Don't share it with anyone, and record the expiration date: once the secret expires, sign-in stops working until you create a new one and update the .env.
- If you want to restrict access by groups you should add the groups claim to the token. To do this, go to Token configuration and click on Add groups claim. Select the group types you want to include in the token and click on Add. Entra places this claim under the groups key and, by default, identifies each group by its object ID (a GUID) rather than its display name, so the value you later configure must match what the token actually carries. The separate roles claim is populated only by app roles assigned to users through the application's Enterprise Application settings.
- Open the .env file in your project folder and add the following variables with the values you copied:
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant) ID/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone
# If you want to restrict access by groups (or app roles)
OPENID_REQUIRED_ROLE_TOKEN_KIND=id # which token to inspect: id or access
OPENID_REQUIRED_ROLE_PARAMETER_PATH="groups" # claim holding the memberships: "groups" for the groups claim added above, "roles" for app roles
OPENID_REQUIRED_ROLE="Your Group Object ID" # must match a value in that claim exactly; the groups claim carries object IDs by default, not display names
Note: If using docker, run docker compose up -d to apply the .env configuration changes (Compose recreates the containers whose configuration changed).