
az login
az account show --query tenantDefaultDomain -o tsv

# Create user (the password is passed on the command line, so it ends up in shell history; use a throwaway demo value)
az ad user create --display-name "John Doe" --user-principal-name jdoe@publicanub.onmicrosoft.com --password "P@ssw0rd123" --mail-nickname jdoe
az ad user list --output table

# Register app (OIDC)
az ad app create --display-name "testapp3" --web-redirect-uris "http://localhost:3000/callback" --sign-in-audience "AzureADMultipleOrgs"
## --web-redirect-uris: where Azure AD sends auth responses after sign-in
## --sign-in-audience: AzureADMyOrg (your tenant only) | AzureADMultipleOrgs (any tenant) | AzureADandPersonalMicrosoftAccount (any tenant + personal outlook/hotmail)
az ad app list --display-name "testapp3" --output table

# Update existing app to allow all tenants
az ad app update --id <app-id> --sign-in-audience AzureADMultipleOrgs  
## can restrict to specific tenants by validating the tid claim against an allowlist in your app code (a multi-tenant app otherwise accepts sign-ins from any tenant)
az ad app update --id ec014b23-edde-4a09-9a41-36bff5630829 --sign-in-audience AzureADMultipleOrgs  

# Create client secret (save the password from the output; it is a credential, so keep it out of the repo and rotate it if it has been committed)
az ad app credential reset --id <app-id> --append
az ad app credential reset --id ec014b23-edde-4a09-9a41-36bff5630829 --append
{
  "appId": "ec014b23-edde-4a09-9a41-36bff5630829",
  "password": "Y.Q8Q~HuoEbCsICK18eG4oAtqjMe5eGyWSilLaZI",
  "tenant": "23c95e59-28bd-472a-bbd4-4e310dd8f031"
}


# instructions for demo
npm i 
npm start
# go to 
localhost:3000
# click on "Sign In with Azure AD", verify, follow the link, and put the created user's name and password into microsoft's login page
it should redirect back to localhost:3000 with a success


# how the app works
the login redirects to the microsoft-hosted login page for the app id
after login, microsoft redirects back to localhost with an authorization code (not tokens directly)
the server exchanges that code + client secret for jwt tokens via a server-to-server call (so tokens never pass through the browser)
(the code alone cannot be redeemed without the client secret, so intercepting it is of limited value; a state parameter and PKCE should still be used so the callback cannot be replayed or injected by a third party)
the server then verifies the jwt signature with microsoft's public keys from "https://login.microsoftonline.com/common/discovery/v2.0/keys" (the signature alone is not enough: the aud, iss and exp claims also need checking, and for a multi-tenant app the issuer differs per tenant)