mirror of
https://github.com/logto-io/logto.git
synced 2025-01-06 20:40:08 -05:00
15953609bb
* feat: support prompt config for some built-in connectors * chore: adopt code review suggestions Co-authored-by: Gao Sun <gao@silverhand.io> --------- Co-authored-by: Gao Sun <gao@silverhand.io>
71 lines
4.3 KiB
Markdown
71 lines
4.3 KiB
Markdown
# Microsoft Azure AD connector
|
||
|
||
The Microsoft Azure AD connector provides a succinct way for your application to use Azure’s OAuth 2.0 authentication system.
|
||
|
||
**Table of contents**
|
||
|
||
- [Microsoft Azure AD connector](#microsoft-azure-ad-connector)
|
||
- [Set up Microsoft Azure AD in the Azure Portal](#set-up-microsoft-azure-ad-in-the-azure-portal)
|
||
- [Fill in the configuration in Logto](#fill-in-the-configuration-in-logto)
|
||
- [Client ID](#client-id)
|
||
- [Client Secret](#client-secret)
|
||
- [Cloud Instance](#cloud-instance)
|
||
- [Tenant ID](#tenant-id)
|
||
- [Prompts](#prompts)
|
||
- [References](#references)
|
||
|
||
## Set up Microsoft Azure AD in the Azure Portal
|
||
|
||
- Visit the [Azure Portal](https://portal.azure.com/#home) and sign in with your Azure account. You need to have an active subscription to access Microsoft Azure AD.
|
||
- Click the **Azure Active Directory** from the services they offer, and click the **App Registrations** from the left menu.
|
||
- Click **New Registration** at the top, enter a description, select your **access type** and add your **Redirect URI**, which will redirect the user to the application after logging in. In our case, this will be `${your_logto_endpoint}/callback/${connector_id}`. e.g. `https://foo.logto.app/callback/${connector_id}`. (The `connector_id` can be also found on the top bar of the Logto Admin Console connector details page)
|
||
> You can copy the `Callback URI` in the configuration section.
|
||
- Select Web as Platform.
|
||
|
||
## Fill in the configuration in Logto
|
||
|
||
| Name | Type |
|
||
| ------------- | -------- |
|
||
| clientId | string |
|
||
| clientSecret | string |
|
||
| tenantId | string |
|
||
| cloudInstance | string |
|
||
| prompts | string[] |
|
||
|
||
### Client ID
|
||
|
||
You may find the **Application (client) ID** in the **Overview** section of your newly created application in the Azure Portal.
|
||
|
||
### Client Secret
|
||
|
||
- In your newly created application, click the **Certificates & Secrets** to get a client secret, and click the **New client secret** from the top.
|
||
- Enter a description and an expiration.
|
||
- This will only show your client secret once. Fill the **value** to the Logto connector configuration and save it to a secure location.
|
||
|
||
### Cloud Instance
|
||
|
||
Usually, it is `https://login.microsoftonline.com/`. See [Azure AD authentication endpoints](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud#azure-ad-authentication-endpoints) for more information.
|
||
|
||
### Tenant ID
|
||
|
||
Logto will use this field to construct the authorization endpoints. This value is dependent on the **access type** you selected when creating the application in the Azure Portal.
|
||
|
||
- If you select **Accounts in this organizational directory only** for access type then you need to enter your **{TenantID}**. You can find the tenant ID in the **Overview** section of your Azure Active Directory.
|
||
- If you select **Accounts in any organizational directory** for access type then you need to enter **organizations**.
|
||
- If you select **Accounts in any organizational directory or personal Microsoft accounts** for access type then you need to enter **common**.
|
||
- If you select **Personal Microsoft accounts only** for access type then you need to enter **consumers**.
|
||
|
||
### Prompts
|
||
|
||
The `prompts` field is an array of strings that specifies the type of user interaction that is required. The string can be one of the following values:
|
||
|
||
- `prompt=login` forces the user to enter their credentials on that request, negating single-sign on.
|
||
- `prompt=none` is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an `interaction_required` error.
|
||
- `prompt=consent` triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.
|
||
- `prompt=select_account` interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
|
||
|
||
Logto will concatenate the prompts with a space as the value of `prompt` in the authorization URL.
|
||
|
||
## References
|
||
|
||
- [Web app that signs in users](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview)
|