From 437cbb190787281c4be6a86014b6adaff8caef34 Mon Sep 17 00:00:00 2001
From: hc
Date: Fri, 13 Feb 2026 11:49:19 +0800
Subject: init
---
 docs | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 docs
(limited to 'docs')
diff --git a/docs b/docs
new file mode 100644
index 0000000..5193438
--- /dev/null
+++ b/docs
@@ -0,0 +1,45 @@
+
+az login
+az account show --query tenantDefaultDomain -o tsv
+
+# Create user
+az ad user create --display-name "John Doe" --user-principal-name jdoe@publicanub.onmicrosoft.com --password "P@ssw0rd123" --mail-nickname jdoe
+az ad user list --output table
+
+# Register app (OIDC)
+az ad app create --display-name "testapp3" --web-redirect-uris "http://localhost:3000/callback" --sign-in-audience "AzureADMultipleOrgs"
+## --web-redirect-uris: where Azure AD sends auth responses after sign-in
+## --sign-in-audience: AzureADMyOrg (your tenant only) | AzureADMultipleOrgs (any tenant) | AzureADandPersonalMicrosoftAccount (any tenant + personal outlook/hotmail)
+az ad app list --display-name "testapp3" --output table
+
+# Update existing app to allow all tenants
+az ad app update --id --sign-in-audience AzureADMultipleOrgs
+## can restrict to specific tenants by checking tid in your app code
+az ad app update --id ec014b23-edde-4a09-9a41-36bff5630829 --sign-in-audience AzureADMultipleOrgs
+
+# Create client secret (save the password from output)
+az ad app credential reset --id --append
+az ad app credential reset --id ec014b23-edde-4a09-9a41-36bff5630829 --append
+{
+ "appId": "ec014b23-edde-4a09-9a41-36bff5630829",
+ "password": "Y.Q8Q~HuoEbCsICK18eG4oAtqjMe5eGyWSilLaZI",
+ "tenant": "23c95e59-28bd-472a-bbd4-4e310dd8f031"
+}
+
+
+# instructions for demo
+npm i
+npm start
+# go to
+localhost:3000
+# click on "Sign In with Azure AD", verify, follow the link, and put the created user's name and password into microsoft's login page
+it should redirect back to localhost:3000 wiht a success
+
+
+# how the app works
+the login redirects to microsoft-hosted login page for the appid
+after login, microsoft redirects back to localhost with an authorization code (not tokens directly)
+the server exchanges that code + client secret for jwt tokens via a server-to-server call (so tokens never pass through the browser)
+(the code alone is useless without the client secret, so intercepting it doesn't help)
+the server then verifies the jwt signature with microsoft's public keys from "https://login.microsoftonline.com/common/discovery/v2.0/keys"
+
 -- cgit
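Review bot: The pasted output of `az ad app credential reset` commits a live client secret (the `password` field) together with the `appId` and `tenant` it belongs to, and the `az ad user create` line commits the new user's initial password on the command line; both need to be rotated now that they are in history, and the file should carry only placeholders such as `"password": "<REDACTED - value from az output, store in a secret manager>"` and `--password "$AZ_INITIAL_PASSWORD"` read from the environment rather than argv, where it would also show up in shell history and `ps`. The "how the app works" section describes signature verification against the `common` JWKS endpoint but, with `--sign-in-audience AzureADMultipleOrgs`, a valid signature alone proves only that some Azure AD tenant issued the token; the comment on the `## can restrict to specific tenants by checking tid` line should be stated as a requirement, e.g. `## multi-tenant: after signature check, validate iss, aud (this appId), exp, and tid against an allow-list`. The statement that an intercepted authorization code "doesn't help" presumably assumes the redirect URI and a PKCE or state value are enforced as well; the note should say so, since the code-plus-secret exchange is not the only protection the flow relies on. Typo on the demo line: `wiht` should read `with`.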