Pull issuer from AZURE_AUTH_ENDPOINT and dynamically generate Azure redirect_uri from request.

ajkiessl · ajkiessl · commit 10f7f509c355 · 2026-03-16T16:05:46.000-04:00
diff --git a/.envrc.sample b/.envrc.sample
@@ -15,8 +15,7 @@ export ADMIN_USERS_GROUP=
 export AUTHORIZED_USERS_GROUP=
 export AZURE_CLIENT_ID=
 export AZURE_CLIENT_SECRET=
-export AZURE_TENANT_ID=
-export AZURE_REDIRECT_URI=
+export AZURE_AUTH_ENDPOINT
 
 #---------------------------------
 # The below configurations are not
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
@@ -2,18 +2,30 @@
 
 OmniAuth.config.allowed_request_methods = [:post]
 
+azure_auth_endpoint = ENV.fetch('AZURE_AUTH_ENDPOINT', nil)
+
+issuer =
+  azure_auth_endpoint&.sub(%r{/oauth2/v2\.0/authorize$}, '/v2.0')
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :openid_connect,
            name: :azure_oauth,
            scope: [:openid, :email, :profile],
            response_type: :code,
-           issuer: "https://login.microsoftonline.com/#{ENV.fetch('AZURE_TENANT_ID', nil)}/v2.0",
+           issuer: issuer,
            discovery: true,
            client_auth_method: :query,
            uid_field: 'email',
+           setup: lambda { |env|
+             # Set redirect_uri dynamically at runtime to handle different hosts/FQDNs
+             req = Rack::Request.new(env)
+             strategy = env['omniauth.strategy']
+             callback_path = Rails.application.routes.url_helpers.auth_azure_oauth_callback_path
+             redirect_uri = "#{req.scheme}://#{req.host_with_port}#{callback_path}"
+             strategy.options[:client_options][:redirect_uri] = redirect_uri
+           },
            client_options: {
              identifier: ENV.fetch('AZURE_CLIENT_ID', nil),
-             secret: ENV.fetch('AZURE_CLIENT_SECRET', nil),
-             redirect_uri: ENV.fetch('AZURE_REDIRECT_URI', nil)
+             secret: ENV.fetch('AZURE_CLIENT_SECRET', nil)
            }
 end
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,10 +14,9 @@ x-web_env: &web_env
   LLM_MODEL: "${LLM_MODEL}"
   AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
   AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
-  AZURE_TENANT_ID: ${AZURE_TENANT_ID}
+  AZURE_AUTH_ENDPOINT: ${AZURE_AUTH_ENDPOINT}
   AUTHORIZED_USERS_GROUP: ${AUTHORIZED_USERS_GROUP}
   ADMIN_USERS_GROUP: ${ADMIN_USERS_GROUP}
-  AZURE_REDIRECT_URI: ${AZURE_REDIRECT_URI}
 services:
   web:
     user: 3000:3000
