|
| 1 | +## Configure Microsoft Entra |
| 2 | + |
| 3 | +This guide covers how to configure [Microsoft Entra]() as an identity provider for OpenFaaS IAM. |
| 4 | + |
| 5 | +1. Sign in to [Microsoft Entra admin center](https://entra.microsoft.com/) |
| 6 | + |
| 7 | +2. Create a new Application for OpenFaaS |
| 8 | + |
| 9 | + Browse to *Identity -> Applications -> Enterprise applications -> All Applications*. In the All applications pane, select *New Application*. |
| 10 | + |
| 11 | + This will let you browse the Microsoft Entra Gallery. Select *Create your own application*. |
| 12 | + |
| 13 | + Fill out the app name, select the option `Register an application to integrate with Microsoft Entra ID (App you're developing)` and click *Create* |
| 14 | + |
| 15 | +  |
| 16 | + |
| 17 | + In the next form select the account types you would want to use. We will configure the redirect URI in the next step so this field can be left out for now. Click *Register* when done. |
| 18 | + |
| 19 | +  |
| 20 | + |
| 21 | +3. Configure allowed callback URL for the OpenFaaS dashboard and CLI. |
| 22 | + |
| 23 | + Browse to *Identity -> Applications -> App registrations*. In the All application tab select your OpenFaaS application. Next, under Authentication click *Add platform* and select Web. |
| 24 | + |
| 25 | + Enter a redirect URI: |
| 26 | + |
| 27 | + - `http://localhost:31111/oauth/callback` for the CLI. |
| 28 | + - If you are deploying the OpenFaaS dashboard, you can add the redirect URI for your dashboard e.g `https://dashboard.openfaas.example.com/auth/callback`. |
| 29 | + |
| 30 | + You can add more URIs later once the first one has been registered. |
| 31 | + |
| 32 | +  |
| 33 | + |
| 34 | +4. Obtain client credentials |
| 35 | + |
| 36 | + You will need to create a client secret for the OpenFaaS app. Navigate to *Certificates and secrets* for the OpenFaaS app registration and add a new client secret. |
| 37 | + |
| 38 | +5. Register Microsoft Entra as a JwtIssuer with OpenFaaS |
| 39 | + |
| 40 | + Create a JwtIssuer object in the `openfaas` namespace to register Microsoft Entra as a trusted issuer from OpenFaaS IAM. |
| 41 | + |
| 42 | + The `iss` field needs to be set to the authority url of your app registration. The Authority url has the form: `https://login.microsoftonline.com/{tenant}/v2.0`. |
| 43 | + |
| 44 | + The `aud` field contains a set of accepted audiences. For Microsoft Entra this is the application ID of your app registration. |
| 45 | + |
| 46 | + Both the Directory (tenant) ID and Application (client) ID can be found in the overview of your app registration in the Microsoft Entra admin center. |
| 47 | + |
| 48 | + Example issuer for Entra: |
| 49 | + |
| 50 | + ```yaml |
| 51 | + apiVersion: iam.openfaas.com/v1 |
| 52 | + kind: JwtIssuer |
| 53 | + metadata: |
| 54 | + name: login.microsoftonline.com |
| 55 | + namespace: openfaas |
| 56 | + spec: |
| 57 | + iss: https://login.microsoftonline.com/1fe3798478-5987-2564-b4aa-99e587365024/v2.0 |
| 58 | + aud: |
| 59 | + - 068cb5cb-8cc3-4d57-8263-d6c6ce52ddff |
| 60 | + tokenExpiry: 12h |
| 61 | + ``` |
| 62 | +
|
| 63 | + The `tokenExpiry` field can be used to set the expiry time of the OpenFaaS access token. |
0 commit comments