|
1 | 1 | --- |
2 | | -title: Configure an OpenID Connect provider |
| 2 | +title: Configure an OpenID Connect Provider |
3 | 3 | description: Learn how to configure an OpenID Connect provider as an identity provider for your App Service or Azure Functions app. |
4 | | -ms.topic: article |
| 4 | +ms.topic: how-to |
5 | 5 | ms.date: 10/20/2021 |
6 | 6 | ms.reviewer: mahender |
7 | 7 | ms.custom: AppServiceIdentity |
8 | 8 | author: cephalin |
9 | 9 | ms.author: cephalin |
10 | 10 | --- |
11 | 11 |
|
12 | | -# Configure your App Service or Azure Functions app to sign in using an OpenID Connect provider |
| 12 | +# Configure your App Service or Azure Functions app to sign in by using an OpenID Connect provider |
13 | 13 |
|
14 | 14 | [!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)] |
15 | 15 |
|
16 | | -This article shows you how to configure Azure App Service or Azure Functions to use a custom authentication provider that adheres to the [OpenID Connect specification](https://openid.net/connect/). OpenID Connect (OIDC) is an industry standard used by many identity providers (IDPs). You don't need to understand the details of the specification in order to configure your app to use an adherent IDP. |
| 16 | +This article shows you how to configure Azure App Service or Azure Functions to use a custom authentication provider that adheres to the [OpenID Connect (OIDC) specification](https://openid.net/connect/). OIDC is an industry standard that many identity providers (IDPs) use. You don't need to understand the details of the specification in order to configure your app to use an adherent IDP. |
17 | 17 |
|
18 | | -You can configure your app to use one or more OIDC providers. Each must be given a unique alphanumeric name in the configuration, and only one can serve as the default redirect target. |
| 18 | +You can configure your app to use one or more OIDC providers. Each must have a unique alphanumeric name in the configuration, and only one can serve as the default redirect target. |
19 | 19 |
|
20 | 20 | ## <a name="register"> </a>Register your application with the identity provider |
21 | 21 |
|
22 | | -Your provider will require you to register the details of your application with it. One of these steps involves specifying a redirect URI. This redirect URI will be of the form `<app-url>/.auth/login/<provider-name>/callback`. Each identity provider should provide more instructions on how to complete these steps. `<provider-name>` will refer to the friendly name you give to the OpenID provider name in Azure. |
| 22 | +Your provider requires you to register the details of your application with it. One of these steps involves specifying a redirect URI that has the form `<app-url>/.auth/login/<provider-name>/callback`. Each identity provider should provide more instructions on how to complete the steps. The `<provider-name>` value refers to the friendly name that you give to the OpenID provider name in Azure. |
23 | 23 |
|
24 | 24 | > [!NOTE] |
25 | | -> Some providers may require additional steps for their configuration and how to use the values they provide. For example, Apple provides a private key which is not itself used as the OIDC client secret, and you instead must use it to craft a JWT which is treated as the secret you provide in your app config (see the "Creating the Client Secret" section of the [Sign in with Apple documentation](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens)) |
26 | | -> |
27 | | -
|
28 | | -You'll need to collect a **client ID** and **client secret** for your application. |
| 25 | +> Some providers might require additional steps for their configuration and for using the values that they provide. For example, Apple provides a private key that isn't itself used as the OIDC client secret. You instead must use it to craft a JSON Web Token (JWT) that's treated as the secret that you provide in your app configuration. For more information, see [Creating a client secret](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens) in the Apple developer documentation. |
29 | 26 |
|
30 | | -> [!IMPORTANT] |
31 | | -> The client secret is an important security credential. Don't share this secret with anyone or distribute it within a client application. |
32 | | -> |
| 27 | +You need to collect a *client ID* and a *client secret* for your application. The client secret is an important security credential. Don't share this secret with anyone or distribute it within a client application. |
33 | 28 |
|
34 | | -Additionally, you'll need the OpenID Connect metadata for the provider. This is often exposed via a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's Issuer URL suffixed with `/.well-known/openid-configuration`. Gather this configuration URL. |
| 29 | +Additionally, you need the OIDC metadata for the provider. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's issuer URL suffixed with `/.well-known/openid-configuration`. Gather this configuration URL. |
35 | 30 |
|
36 | | -If you're unable to use a configuration metadata document, you'll need to gather the following values separately: |
| 31 | +If you can't use a configuration metadata document, gather the following values separately: |
37 | 32 |
|
38 | 33 | - The issuer URL (sometimes shown as `issuer`) |
39 | | -- The [OAuth 2.0 Authorization endpoint](https://tools.ietf.org/html/rfc6749#section-3.1) (sometimes shown as `authorization_endpoint`) |
40 | | -- The [OAuth 2.0 Token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) (sometimes shown as `token_endpoint`) |
41 | | -- The URL of the [OAuth 2.0 JSON Web Key Set](https://tools.ietf.org/html/rfc8414#section-2) document (sometimes shown as `jwks_uri`) |
| 34 | +- The [OAuth 2.0 authorization endpoint](https://tools.ietf.org/html/rfc6749#section-3.1) (sometimes shown as `authorization_endpoint`) |
| 35 | +- The [OAuth 2.0 token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) (sometimes shown as `token_endpoint`) |
| 36 | +- The URL of the [OAuth 2.0 JSON Web Key set](https://tools.ietf.org/html/rfc8414#section-2) document (sometimes shown as `jwks_uri`) |
42 | 37 |
|
43 | 38 | ## <a name="configure"> </a>Add provider information to your application |
44 | 39 |
|
45 | | -1. Sign in to the [Azure portal] and navigate to your app. |
46 | | -1. Select **Authentication** in the menu on the left. Select **Add identity provider**. |
47 | | -1. Select **OpenID Connect** in the identity provider dropdown. |
48 | | -1. Provide the unique alphanumeric name selected earlier for **OpenID provider name**. |
49 | | -1. If you have the URL for the **metadata document** from the identity provider, provide that value for **Metadata URL**. Otherwise, select the **Provide endpoints separately** option and put each URL gathered from the identity provider in the appropriate field. |
50 | | -1. Provide the earlier collected **Client ID** and **Client Secret** in the appropriate fields. |
51 | | -1. Specify an application setting name for your client secret. Your client secret will be stored as an app setting to ensure secrets are stored in a secure fashion. You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault. |
52 | | -1. Press the **Add** button to finish setting up the identity provider. |
| 40 | +1. Sign in to the [Azure portal] and go to your app. |
53 | 41 |
|
54 | | -> [!NOTE] |
55 | | -> The OpenID provider name can't contain symbols like "-" because an appsetting will be created based on this and it doesn't support it. Use "_" instead. |
| 42 | +1. On the left menu, select **Authentication**. Then select **Add identity provider**. |
| 43 | + |
| 44 | +1. In the dropdown list for identity providers, select **OpenID Connect**. |
| 45 | + |
| 46 | +1. For **OpenID provider name**, provide the unique alphanumeric name that you selected earlier. |
| 47 | + |
| 48 | +1. If you have the URL for the metadata document from the identity provider, provide that value for **Metadata URL**. Otherwise, select the **Provide endpoints separately** option and put each URL gathered from the identity provider in the appropriate field. |
| 49 | + |
| 50 | +1. Provide the values that you collected earlier for **Client ID** and **Client Secret**. |
| 51 | + |
| 52 | +1. Specify an application setting name for your client secret. Your client secret is stored as an app setting to ensure that secrets are stored in a secure fashion. You can update that setting later to use [Azure Key Vault references](./app-service-key-vault-references.md) if you want to manage the secret in Key Vault. |
| 53 | + |
| 54 | +1. Select **Add** to finish setting up the identity provider. |
56 | 55 |
|
57 | 56 | > [!NOTE] |
58 | | -> Azure requires "openid," "profile," and "email" scopes. Make sure you've configured your App Registration in your ID Provider with at least these scopes. |
| 57 | +> The OpenID provider name can't contain a hyphen (-) because an app setting is created based on this name, and the app setting doesn't support hyphens. Use an underscore (_) instead. |
| 58 | +> |
| 59 | +> Azure requires `openid`, `profile`, and `email` scopes. Make sure that you configured your app registration in your ID provider with at least these scopes. |
59 | 60 |
|
60 | | -## <a name="related-content"> </a>Next steps |
| 61 | +## <a name="related-content"> </a>Related content |
61 | 62 |
|
62 | 63 | [!INCLUDE [app-service-mobile-related-content-get-started-users](../../includes/app-service-mobile-related-content-get-started-users.md)] |
63 | 64 |
|
|
0 commit comments