Azure Active Directory Authentication
Azure AD B2C Compatibility Note
Microsoft Azure AD B2C auth product is compatible with this auth provider. See below for additional configuration details.
Installation
The following CLI command will install required packages and generate boilerplate code and files for Redwood Projects:
yarn rw setup auth azureActiveDirectory
If you prefer to manually install the package and add code, run the following command and then add the required code provided in the next section.
cd web
yarn add @azure/msal-browser
Setup
To get your application credentials, create an App Registration using your Azure Active Directory tenant and make sure you configure as a MSAL.js 2.0 with auth code flow registration. Take a note of your generated Application ID (client), and the Directory ID (tenant).
Learn more about authorization code flow.
Redirect URIs
Enter allowed redirect urls for the integrations, e.g. http://localhost:8910/login
. This will be the AZURE_ACTIVE_DIRECTORY_REDIRECT_URI
environment variable, and suggestively AZURE_ACTIVE_DIRECTORY_LOGOUT_REDIRECT_URI
.
Authority
The Authority is a URL that indicates a directory that MSAL can request tokens from which you can read about here. However, you most likely want to have e.g. https://login.microsoftonline.com/<tenant>
as Authority URL, where <tenant>
is the Azure Active Directory tenant id. This will be the AZURE_ACTIVE_DIRECTORY_AUTHORITY
environment variable.
import { AuthProvider } from '@redwoodjs/auth'
import { PublicClientApplication } from '@azure/msal-browser'
import { FatalErrorBoundary } from '@redwoodjs/web'
import { RedwoodApolloProvider } from '@redwoodjs/web/apollo'
import FatalErrorPage from 'src/pages/FatalErrorPage'
import Routes from 'src/Routes'
import './index.css'
const azureActiveDirectoryClient = new PublicClientApplication({
auth: {
clientId: process.env.AZURE_ACTIVE_DIRECTORY_CLIENT_ID,
authority: process.env.AZURE_ACTIVE_DIRECTORY_AUTHORITY,
redirectUri: process.env.AZURE_ACTIVE_DIRECTORY_REDIRECT_URI,
postLogoutRedirectUri:
process.env.AZURE_ACTIVE_DIRECTORY_LOGOUT_REDIRECT_URI,
},
})
const App = () => (
<FatalErrorBoundary page={FatalErrorPage}>
<AuthProvider client={azureActiveDirectoryClient} type="azureActiveDirectory">
<RedwoodApolloProvider>
<Routes />
</RedwoodApolloProvider>
</AuthProvider>
</FatalErrorBoundary>
)
export default App
Integration
Roles
To setup your App Registration with custom roles and have them exposed via the roles
claim, follow this documentation.
Login Options
Options in method logIn(options?)
is of type RedirectRequest and is a good place to pass in optional scopes to be authorized. By default, MSAL sets scopes
to /.default which is built in for every application that refers to the static list of permissions configured on the application registration. Furthermore, MSAL will add openid
and profile
to all requests. In the example below we explicit include User.Read.All
in the login scope.
await logIn({
scopes: ['User.Read.All'], // becomes ['openid', 'profile', 'User.Read.All']
})
See loginRedirect, PublicClientApplication class and Scopes Behavior for more documentation.
getToken Options
Options in method getToken(options?)
is of type RedirectRequest. By default, getToken
will be called with scope ['openid', 'profile']
. As Azure Active Directory apply incremental consent, we can extend the permissions from the login example by including another scope, for example Mail.Read
.
await getToken({
scopes: ['Mail.Read'], // becomes ['openid', 'profile', 'User.Read.All', 'Mail.Read']
})
See acquireTokenSilent, Resources and Scopes or full class documentation for more documentation.
Azure AD B2C specific configuration
Using Azure AD B2C with hosted user flows requires 2 extra settings
Update the .env file:
- MS Documentation about B2C JWT Issuer
- MS Documentation about MSAL, Azure B2C (authority|known authorities) parameters
AZURE_ACTIVE_DIRECTORY_AUTHORITY=https://{your-microsoft-tenant-name}.b2clogin.com/{{your-microsoft-tenant-name}}.onmicrosoft.com/{{your-microsoft-user-flow-id}}
AZURE_ACTIVE_DIRECTORY_JWT_ISSUER=https://{{your-microsoft-tenant-name}}.b2clogin.com/{{your-microsoft-tenant-id}}/v2.0/
AZURE_ACTIVE_DIRECTORY_KNOWN_AUTHORITY=https://{{your-microsoft-tenant-name}}.b2clogin.com
Here are some example values
AZURE_ACTIVE_DIRECTORY_AUTHORITY=https://rwauthtestb2c.b2clogin.com/rwauthtestb2c.onmicrosoft.com/B2C_1_signupsignin1
AZURE_ACTIVE_DIRECTORY_JWT_ISSUER=https://rwauthtestb2c.b2clogin.com/775527ef-8a37-4307-8b3d-cc311f58d922/v2.0/
AZURE_ACTIVE_DIRECTORY_KNOWN_AUTHORITY=https://rwauthtestb2c.b2clogin.com
Update const activeDirectoryClient instance
This lets the MSAL (Microsoft Authentication Library) web side client know about our new B2C allowed authority that we defined in the .env file
const azureActiveDirectoryClient = new PublicClientApplication({
auth: {
clientId: process.env.AZURE_ACTIVE_DIRECTORY_CLIENT_ID,
authority: process.env.AZURE_ACTIVE_DIRECTORY_AUTHORITY,
redirectUri: process.env.AZURE_ACTIVE_DIRECTORY_REDIRECT_URI,
postLogoutRedirectUri:
process.env.AZURE_ACTIVE_DIRECTORY_LOGOUT_REDIRECT_URI,
knownAuthorities: [process.env.AZURE_ACTIVE_DIRECTORY_KNOWN_AUTHORITY]
},
})
Now you can call the login and logout functions from useAuth(), and everything should just work®