Skip to main content
Version: Next

Azure

Config Options

FlagToml FieldTypeDescriptionDefault
--azure-tenantazure_tenantstringgo to a tenant-specific or common (tenant-independent) endpoint."common"
--resourceresourcestringThe resource that is protected (Azure AD only)

Usage

  1. Add an application: go to https://portal.azure.com, choose Azure Active Directory, select App registrations and then click on New registration.
  2. Pick a name, check the supported account type(single-tenant, multi-tenant, etc). In the Redirect URI section create a new Web platform entry for each app that you want to protect by the oauth2 proxy(e.g. https://internal.yourcompanycom/oauth2/callback). Click Register.
  3. Next we need to add group read permissions for the app registration, on the API Permissions page of the app, click on Add a permission, select Microsoft Graph, then select Application permissions, then click on Group and select Group.Read.All. Hit Add permissions and then on Grant admin consent (you might need an admin to do this).
    IMPORTANT: Even if this permission is listed with "Admin consent required=No" the consent might actually be required, due to AAD policies you won't be able to see. If you get a "Need admin approval" during login, most likely this is what you're missing!
  4. Next, if you are planning to use v2.0 Azure Auth endpoint, go to the Manifest page and set "accessTokenAcceptedVersion": 2 in the App registration manifest file.
  5. On the Certificates & secrets page of the app, add a new client secret and note down the value after hitting Add.
  6. Configure the proxy with:
   --provider=azure
--client-id=<application ID from step 3>
--client-secret=<value from step 5>
--azure-tenant={tenant-id}
--oidc-issuer-url=https://sts.windows.net/{tenant-id}/
   --provider=azure
--client-id=<application ID from step 3>
--client-secret=<value from step 5>
--azure-tenant={tenant-id}
--oidc-issuer-url=https://login.microsoftonline.com/{tenant-id}/v2.0

Notes: