OAuth with Auth0 and Azure AD as identity provider¶
To be able to use Azure Active Directory as an Identity Provider, we use Auth0 as middleware to connect to Azure Active Directory.
Your Planviewer API Application uses Auth0 as authorization server, wich in turn connects to Azure Active Directory to authenticate and authorize your users.
- In this howto:
- We configure an Auth0 “Microsoft Azure AD” connection and register that as “registered app” in your Azure Active Directory.
- We create an Auth0 Application and configure that to use the “Microsoft Azure AD” connection as Identity Provider
- We configure a Planviewer Application to use Auth0 as authorization server.
Note
In this walkthrough we use Auth0 as an example. other authentication services may use a different setup.
Please consult their documentation for implementation.
The “registered app” for the Auth0 “Microsoft Azure AD” connection, needs the following “Delegated permissions” for the “Microsoft Graph” API, to operate correctly.
Microsoft API | Delegated Permissions | |
---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile |
Azure Active Directory Graph | Directory.AccessAsUser.All | Access directory as the signed in user |
Azure Active Directory Graph | Directory.Read.All | Read directory data |
You need a (free) Auth0 account and an Azure portal administrative account to continue. You need an Auth0 Tenant and it’s Domain.
Note
When you create an Auth0 account, you will also get a default Tenant,
Prepare an app registration in Azure Active Directory¶
Create a new Azure AD app registration
create a new registration.
leave Redirect URI for now, we’ll create one later.
Create a Client secret to authenticate your Auth0 connection with
select the app
go to “Certificates & secrets”
create a new Client Secret
Warning
Copy the secret value, it is only shown once
Note
If you are unsure what to choose for expire, choose never
Grant the registered app API Permissions to access data in your directory
select the app
go to “API permissions”
Note
You need to have administrative permissions for this action, or have an admistrator
grant the permissions.
Even as administrator you need to grant the permissions.
Microsoft API | Delegated Permissions | |
---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile |
Azure Active Directory Graph | Directory.AccessAsUser.All | Access directory as the signed in user |
Azure Active Directory Graph | Directory.Read.All | Read directory data |
Configure the registered app to accept Auth0 callback URL
Select the app
Go to Authentication
Create a new “Redirect URI”, type: Web, with value “<auth0-tenant-domain>/login/callback”
Note
The tenant can be found in Auth0.
Your default tenant domain looks like your-tenant-name.eu.auth0.com
If you have a custom domain, use that as <auth0-tenant-domain>
You can find your current domain under Tenant Settings - Custom Domains.
Connect your Planviewer Application¶
Create an Auth0 Application
Choose: Regular Web Application
Enable your Auth0 Application to use “Microsoft Azure AD” connection
Go to Connections, enable your “Microsoft Azure AD” connection configured earlier.
Configure Allowed Callback URL
Go to Planviewer Api Applications - “Algemeen en Beveiliging”
Make a note of your <application-id> it is the last number in the URL
https://planviewer.nl/my_api/applications/37
Go to your Auth0 Application - Settings
In the field “Allowed Callback URL” add the following URL with your application-id
https://www.planviewer.nl/maps_api/v2/oauth/<application-id>/callback
Configure your Planviewer Application to use Auth0
Open your Auth0 application - Settings
Select “Algemeen en Beveiliging”
Choose “Beveiliging en toegang”
Select “Bewerk OAuth gegevens”
Fill in the settings with the following values
OAuth instelling | value from Auth0 Application |
---|---|
Client Id | Client ID |
Client Secret | Client Secret |
Authorisatie URL | https://<auth0-tenant-domain>/authorize |
Access Token URL | https://<auth0-tenant-domain>/oauth/token |
Resource URL | https://example.com/resourse.json |
Note
You need to use the Client Id and the Client secret from Auth0
Note
The resource URL is a file which must be accessible on the internet, with the following structure:
{
"id": "1",
"username": "planviewer",
"email": "info@planviewer.nl"
}
And should be accessible like https://example.com/resourse.json. The values should be changed to your own values.
Configure an Auth0 “Microsoft Azure AD” Connection¶
Create an Auth0 “Microsoft Azure AD” Connection
in Auth0.com
Go to Connections
Select Enterprise
Choose Microsoft Azure AD
Select Add
Note
Can’t find “Microsoft Azure AD” connection?
It’s on the bottom of the list, sometimes it takes a few seconds to appear.
Fill in the settings with the following values
Connection setting | value from Azure AD |
---|---|
Client ID | “Application (client) ID” from Azure Active Directory registered apps |
Client Secret | Client secret value you copied |
Azure AD Domain | shown on Azure Active Directory dashboard |
Test the “Microsoft Azure AD” Connection
go to Connections -> Enterprise -> Microsoft Azure AD - Manage
Click “Try” next to your new Connection
Login with your Azure administrative account
review and authorize the requested permissions
You should see a page with a succes result
Note
An administrator must allow a connection between Azure and Auth0.
If you get an error message from azure, about not having administrative rights,
it means that the connection works and can be used with a planviewer application.
Note
For a complete guide from Auth0, see: Connect your app to Microsoft Azure Active Directory
Go to your Planviewer Application and open a Viewer, you should see a login box