initHEAD main

author: hc <haocheng.xie@respiree.com> 2026-02-13 11:49:19 +0800
committer: hc <haocheng.xie@respiree.com> 2026-02-13 11:49:19 +0800
commit: 437cbb190787281c4be6a86014b6adaff8caef34 (patch)
tree: 18c587982eb9d92de48c13b6e73348661660f02c /docs
1 files changed, 45 insertions, 0 deletions
diff --git a/docs b/docs
new file mode 100644
index 0000000..5193438
--- /dev/null
+++ b/docs
@@ -0,0 +1,45 @@
+az login
+az account show --query tenantDefaultDomain -o tsv
+# Create user
+az ad user create --display-name "John Doe" --user-principal-name jdoe@publicanub.onmicrosoft.com --password "P@ssw0rd123" --mail-nickname jdoe
+az ad user list --output table
+# Register app (OIDC)
+az ad app create --display-name "testapp3" --web-redirect-uris "http://localhost:3000/callback" --sign-in-audience "AzureADMultipleOrgs"
+## --web-redirect-uris: where Azure AD sends auth responses after sign-in
+## --sign-in-audience: AzureADMyOrg (your tenant only) | AzureADMultipleOrgs (any tenant) | AzureADandPersonalMicrosoftAccount (any tenant + personal outlook/hotmail)
+az ad app list --display-name "testapp3" --output table
+# Update existing app to allow all tenants
+az ad app update --id <app-id> --sign-in-audience AzureADMultipleOrgs  
+## can restrict to specific tenants by checking tid in your app code
+az ad app update --id ec014b23-edde-4a09-9a41-36bff5630829 --sign-in-audience AzureADMultipleOrgs  
+# Create client secret (save the password from output)
+az ad app credential reset --id <app-id> --append
+az ad app credential reset --id ec014b23-edde-4a09-9a41-36bff5630829 --append
+{
+  "appId": "ec014b23-edde-4a09-9a41-36bff5630829",
+  "password": "Y.Q8Q~HuoEbCsICK18eG4oAtqjMe5eGyWSilLaZI",
+  "tenant": "23c95e59-28bd-472a-bbd4-4e310dd8f031"
+}
+# instructions for demo
+npm i 
+npm start
+# go to 
+localhost:3000
+# click on "Sign In with Azure AD", verify, follow the link, and put the created user's name and password into microsoft's login page
+it should redirect back to localhost:3000 wiht a success
+# how the app works
+the login redirects to microsoft-hosted login page for the appid
+after login, microsoft redirects back to localhost with an authorization code (not tokens directly)
+the server exchanges that code + client secret for jwt tokens via a server-to-server call (so tokens never pass through the browser)
+(the code alone is useless without the client secret, so intercepting it doesn't help)
+the server then verifies the jwt signature with microsoft's public keys from "https://login.microsoftonline.com/common/discovery/v2.0/keys"
author	hc <haocheng.xie@respiree.com>	2026-02-13 11:49:19 +0800
committer	hc <haocheng.xie@respiree.com>	2026-02-13 11:49:19 +0800
commit	437cbb190787281c4be6a86014b6adaff8caef34 (patch)
tree	18c587982eb9d92de48c13b6e73348661660f02c /docs

diff --git a/docs b/docs new file mode 100644 index 0000000..5193438 --- /dev/null +++ b/docs
@@ -0,0 +1,45 @@
	1
	2	az login
	3	az account show --query tenantDefaultDomain -o tsv
	4
	5	# Create user
	6	az ad user create --display-name "John Doe" --user-principal-name jdoe@publicanub.onmicrosoft.com --password "P@ssw0rd123" --mail-nickname jdoe
	7	az ad user list --output table
	8
	9	# Register app (OIDC)
	10	az ad app create --display-name "testapp3" --web-redirect-uris "http://localhost:3000/callback" --sign-in-audience "AzureADMultipleOrgs"
	11	## --web-redirect-uris: where Azure AD sends auth responses after sign-in
	12	## --sign-in-audience: AzureADMyOrg (your tenant only) \| AzureADMultipleOrgs (any tenant) \| AzureADandPersonalMicrosoftAccount (any tenant + personal outlook/hotmail)
	13	az ad app list --display-name "testapp3" --output table
	14
	15	# Update existing app to allow all tenants
	16	az ad app update --id <app-id> --sign-in-audience AzureADMultipleOrgs
	17	## can restrict to specific tenants by checking tid in your app code
	18	az ad app update --id ec014b23-edde-4a09-9a41-36bff5630829 --sign-in-audience AzureADMultipleOrgs
	19
	20	# Create client secret (save the password from output)
	21	az ad app credential reset --id <app-id> --append
	22	az ad app credential reset --id ec014b23-edde-4a09-9a41-36bff5630829 --append
	23	{
	24	"appId": "ec014b23-edde-4a09-9a41-36bff5630829",
	25	"password": "Y.Q8Q~HuoEbCsICK18eG4oAtqjMe5eGyWSilLaZI",
	26	"tenant": "23c95e59-28bd-472a-bbd4-4e310dd8f031"
	27	}
	28
	29
	30	# instructions for demo
	31	npm i
	32	npm start
	33	# go to
	34	localhost:3000
	35	# click on "Sign In with Azure AD", verify, follow the link, and put the created user's name and password into microsoft's login page
	36	it should redirect back to localhost:3000 wiht a success
	37
	38
	39	# how the app works
	40	the login redirects to microsoft-hosted login page for the appid
	41	after login, microsoft redirects back to localhost with an authorization code (not tokens directly)
	42	the server exchanges that code + client secret for jwt tokens via a server-to-server call (so tokens never pass through the browser)
	43	(the code alone is useless without the client secret, so intercepting it doesn't help)
	44	the server then verifies the jwt signature with microsoft's public keys from "https://login.microsoftonline.com/common/discovery/v2.0/keys"
	45