feat: Add Azure external auth provider
@@ -4,11 +4,13 @@
This guide walks you through configuring Microsoft Entra ID (formerly Azure Active Directory) authentication for the USDA Vision Management Dashboard using Supabase's Azure OAuth provider.
> **📌 Self-Hosted Supabase Users**: If you're using a self-hosted Supabase instance, see the simplified guide: [SELF_HOSTED_AZURE_SETUP.md](SELF_HOSTED_AZURE_SETUP.md). Self-hosted instances configure OAuth providers via `config.toml` and environment variables, not through the UI.
## Prerequisites
- Access to Azure Portal (https://portal.azure.com)
- Admin permissions to register applications in Azure AD
- Access to your Supabase project dashboard
- Access to your Supabase project (Cloud dashboard or self-hosted instance)
- The USDA Vision application deployed and accessible via URL
## Step 1: Register Application in Microsoft Entra ID
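Review bot: the new callout links `SELF_HOSTED_AZURE_SETUP.md` as a relative path; confirm that file is added in this same commit, otherwise the link is dead from the moment this lands. Since Step 5 of this same file now also carries a full self-hosted walkthrough, say which of the two is the maintained one (or have the callout point at the in-page `### For Self-Hosted Supabase` section) so they do not drift apart. Minor: the prerequisites still say `Azure AD` while the surrounding text uses `Microsoft Entra ID`.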
@@ -107,14 +109,16 @@ This prevents users from seeing a consent prompt on first login.
## Step 5: Configure Supabase
### 5.1 Navigate to Supabase Auth Settings
### For Supabase Cloud (Hosted)
#### 5.1 Navigate to Supabase Auth Settings
1. Log in to your [Supabase Dashboard](https://app.supabase.com)
2. Select your project
3. Navigate to **Authentication** > **Providers**
4. Find **Azure** in the provider list
### 5.2 Enable and Configure Azure Provider
#### 5.2 Enable and Configure Azure Provider
1. Toggle **Enable Sign in with Azure** to ON
2. Fill in the configuration:
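Review bot: with the new `### For Supabase Cloud (Hosted)` group, Step 5 now has two sub-trees that both count from 5.1, so `5.1`, `5.2` and `5.3` each appear twice under one step and a cross-reference of the form "Step 5.3" (the style in which Step 1.2 is cited elsewhere in this file) no longer identifies a single section. Suggest numbering the self-hosted sections after the hosted ones (5.4 onward) or prefixing them, e.g. `#### 5A.1` for hosted and `#### 5B.1` for self-hosted.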
@@ -128,7 +132,7 @@ This prevents users from seeing a consent prompt on first login.
3. Click **Save**
### 5.3 Note the Callback URL
#### 5.3 Note the Callback URL
Supabase provides the callback URL in the format:
```
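Review bot: `#### 5.3 Note the Callback URL` is reached only after the provider has been enabled and saved in 5.2, yet the Azure app registration in Step 1.2 has to contain this exact URL before the first sign-in can succeed. Either state the `https://<your-project-ref>.supabase.co/auth/v1/callback` format at the start of 5.1, or make 5.3 say what to do when it does not match (go back to Step 1.2 and add the reply URL), as the self-hosted variant of 5.3 already does.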
@@ -137,6 +141,85 @@ https://<your-project-ref>.supabase.co/auth/v1/callback
Verify this matches what you configured in Azure (Step 1.2).
### For Self-Hosted Supabase
If you're running a self-hosted Supabase instance, OAuth providers are configured via the `config.toml` file and environment variables rather than through the UI.
#### 5.1 Edit config.toml
1. Open your `supabase/config.toml` file
2. Find or add the `[auth.external.azure]` section:
```toml
[auth.external.azure]
enabled = true
client_id = "env(AZURE_CLIENT_ID)"
secret = "env(AZURE_CLIENT_SECRET)"
redirect_uri = ""
url = "https://login.microsoftonline.com/env(AZURE_TENANT_ID)/v2.0"
skip_nonce_check = false
```
3. Set `enabled = true` to activate Azure authentication
#### 5.2 Set Environment Variables
Create or update your environment file (`.env` or set in your deployment):
```bash
# Azure AD OAuth Configuration
AZURE_CLIENT_ID="your-application-client-id-from-azure"
AZURE_CLIENT_SECRET="your-client-secret-from-azure"
AZURE_TENANT_ID="common" # or your specific tenant ID
```
**Important**:
- Use `common` for multi-tenant (any Azure AD organization)
- Use `organizations` for any Azure AD organization (excludes personal Microsoft accounts)
- Use `consumers` for personal Microsoft accounts only
- Use your specific tenant ID (GUID) for single-tenant applications
#### 5.3 Update Azure Redirect URI
For self-hosted Supabase, your callback URL will be:
```
http://<your-host>:<supabase-port>/auth/v1/callback
```
For example, if your Supabase API is at `http://192.168.1.100:54321`:
```
http://192.168.1.100:54321/auth/v1/callback
```
**Go back to Azure Portal** (Step 1.2) and add this redirect URI to your app registration.
#### 5.4 Restart Supabase Services
After making these changes, restart your Supabase services:
```bash
# If using docker-compose
docker-compose down
docker-compose up -d
# Or if using the provided script
./docker-compose.sh restart
```
#### 5.5 Verify Configuration
Check that the auth service picked up your configuration:
```bash
# View auth service logs
docker-compose logs auth
# Or for specific service name
docker-compose logs supabase-auth
```
Look for log entries indicating Azure provider is enabled.
## Step 6: Configure Application Environment
### 6.1 Update Environment Variables
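Review bot: the self-hosted redirect URI example `http://192.168.1.100:54321/auth/v1/callback` in 5.3 will be rejected by Entra ID, which accepts a plain `http://` reply URL only for `localhost`; any other host must be `https://`, so the section should tell readers to front the self-hosted API with TLS (and use the localhost exception for local development only) before sending them back to Step 1.2. Two further points in the same hunk: the `.env` example defaults `AZURE_TENANT_ID="common"`, which also admits personal Microsoft accounts; for an internal USDA dashboard the single-tenant GUID should be the documented default and `common` the explicitly justified exception. And `supabase/config.toml` is read by the Supabase CLI (`supabase start`), not by the `docker-compose` stack that 5.4 restarts and 5.5 inspects; for that stack the same settings go on the `auth` service as `GOTRUE_EXTERNAL_AZURE_ENABLED`, `GOTRUE_EXTERNAL_AZURE_CLIENT_ID`, `GOTRUE_EXTERNAL_AZURE_SECRET`, `GOTRUE_EXTERNAL_AZURE_REDIRECT_URI` and `GOTRUE_EXTERNAL_AZURE_URL`. The line `url = "https://login.microsoftonline.com/env(AZURE_TENANT_ID)/v2.0"` also needs checking: the CLI documents `env()` as a whole-value substitution, so verify it expands when embedded inside a longer string, otherwise the literal text is sent as the issuer URL.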