feat: Add Azure external auth provider
This commit is contained in:
158
docs/SELF_HOSTED_AZURE_SETUP.md
Normal file
158
docs/SELF_HOSTED_AZURE_SETUP.md
Normal file
@@ -0,0 +1,158 @@
|
||||
# Self-Hosted Supabase - Microsoft Entra Setup
|
||||
|
||||
## Quick Setup Guide
|
||||
|
||||
For self-hosted Supabase instances, OAuth providers like Microsoft Entra (Azure AD) are configured through config files and environment variables, not through the UI.
|
||||
|
||||
### Step 1: Configure Azure Application
|
||||
|
||||
Follow steps 1-4 in [MICROSOFT_ENTRA_SETUP.md](MICROSOFT_ENTRA_SETUP.md) to:
|
||||
1. Register your app in Azure Portal
|
||||
2. Get your Client ID and Secret
|
||||
3. Set up API permissions
|
||||
4. Configure token claims
|
||||
|
||||
**Important**: Your redirect URI should be:
|
||||
```
|
||||
http://<your-host-ip>:<supabase-port>/auth/v1/callback
|
||||
```
|
||||
|
||||
Example: `http://192.168.1.100:54321/auth/v1/callback`
|
||||
|
||||
### Step 2: Configure Supabase
|
||||
|
||||
The Azure provider configuration is already added to `supabase/config.toml`:
|
||||
|
||||
```toml
|
||||
[auth.external.azure]
|
||||
enabled = false # Change this to true
|
||||
client_id = "env(AZURE_CLIENT_ID)"
|
||||
secret = "env(AZURE_CLIENT_SECRET)"
|
||||
redirect_uri = ""
|
||||
url = "https://login.microsoftonline.com/env(AZURE_TENANT_ID)/v2.0"
|
||||
skip_nonce_check = false
|
||||
```
|
||||
|
||||
### Step 3: Set Environment Variables
|
||||
|
||||
1. Copy the example file:
|
||||
```bash
|
||||
cp .env.azure.example .env.azure
|
||||
```
|
||||
|
||||
2. Edit `.env.azure` with your actual values:
|
||||
```bash
|
||||
AZURE_CLIENT_ID=your-application-client-id
|
||||
AZURE_CLIENT_SECRET=your-client-secret
|
||||
AZURE_TENANT_ID=common # or your specific tenant ID
|
||||
```
|
||||
|
||||
3. Source the environment file before starting Supabase:
|
||||
```bash
|
||||
source .env.azure
|
||||
```
|
||||
|
||||
Or add it to your docker-compose environment.
|
||||
|
||||
### Step 4: Enable Azure Provider
|
||||
|
||||
Edit `supabase/config.toml` and change:
|
||||
```toml
|
||||
[auth.external.azure]
|
||||
enabled = true # Change from false to true
|
||||
```
|
||||
|
||||
### Step 5: Restart Supabase
|
||||
|
||||
```bash
|
||||
docker-compose down
|
||||
docker-compose up -d
|
||||
```
|
||||
|
||||
Or if using the project script:
|
||||
```bash
|
||||
./docker-compose.sh restart
|
||||
```
|
||||
|
||||
### Step 6: Enable in Application
|
||||
|
||||
In `management-dashboard-web-app/.env`:
|
||||
```bash
|
||||
VITE_ENABLE_MICROSOFT_LOGIN=true
|
||||
```
|
||||
|
||||
### Verification
|
||||
|
||||
1. Check auth service logs:
|
||||
```bash
|
||||
docker-compose logs auth | grep -i azure
|
||||
```
|
||||
|
||||
2. You should see the Microsoft login button on your application's login page
|
||||
|
||||
3. Click it and verify you're redirected to Microsoft login
|
||||
|
||||
### Troubleshooting
|
||||
|
||||
#### Azure Provider Not Working
|
||||
|
||||
**Check logs**:
|
||||
```bash
|
||||
docker-compose logs auth
|
||||
```
|
||||
|
||||
**Verify environment variables are loaded**:
|
||||
```bash
|
||||
docker-compose exec auth env | grep AZURE
|
||||
```
|
||||
|
||||
#### Redirect URI Mismatch
|
||||
|
||||
Ensure the redirect URI in Azure exactly matches:
|
||||
```
|
||||
http://<your-host-ip>:<supabase-port>/auth/v1/callback
|
||||
```
|
||||
|
||||
Common mistake: Using `localhost` instead of the actual IP address.
|
||||
|
||||
#### Environment Variables Not Set
|
||||
|
||||
If you see errors about missing AZURE variables, make sure to:
|
||||
1. Export them in your shell before running docker-compose
|
||||
2. Or add them to your docker-compose.yml environment section
|
||||
3. Or use a .env file that docker-compose automatically loads
|
||||
|
||||
### Docker Compose Environment Variables
|
||||
|
||||
You can also add the variables directly to your `docker-compose.yml`:
|
||||
|
||||
```yaml
|
||||
services:
|
||||
auth:
|
||||
environment:
|
||||
AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
|
||||
AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
|
||||
AZURE_TENANT_ID: ${AZURE_TENANT_ID:-common}
|
||||
```
|
||||
|
||||
Then create a `.env` file in the same directory:
|
||||
```bash
|
||||
AZURE_CLIENT_ID=your-client-id
|
||||
AZURE_CLIENT_SECRET=your-secret
|
||||
AZURE_TENANT_ID=common
|
||||
```
|
||||
|
||||
### Security Notes
|
||||
|
||||
- Never commit `.env.azure` or `.env` files with real secrets to git
|
||||
- Add them to `.gitignore`
|
||||
- Use environment variable substitution in config.toml
|
||||
- Rotate client secrets regularly (before expiration)
|
||||
- Monitor sign-in logs in Azure Portal
|
||||
|
||||
### Additional Resources
|
||||
|
||||
- Full setup guide: [MICROSOFT_ENTRA_SETUP.md](MICROSOFT_ENTRA_SETUP.md)
|
||||
- Quick reference: [MICROSOFT_ENTRA_QUICKSTART.md](MICROSOFT_ENTRA_QUICKSTART.md)
|
||||
- Supabase self-hosting docs: https://supabase.com/docs/guides/self-hosting
|
||||
- Azure OAuth docs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
|
||||
Reference in New Issue
Block a user