# Self-Hosted Supabase - Microsoft Entra Setup

## Quick Setup Guide

For self-hosted Supabase instances, OAuth providers like Microsoft Entra (Azure AD) are configured through config files and environment variables, not through the UI.

### Step 1: Configure Azure Application

Follow steps 1-4 in [MICROSOFT_ENTRA_SETUP.md](MICROSOFT_ENTRA_SETUP.md) to:

1. Register your app in Azure Portal
2. Get your Client ID and Secret
3. Set up API permissions
4. Configure token claims

**Important**: Your redirect URI should be:

```
http://:/auth/v1/callback
```

Example: `http://192.168.1.100:54321/auth/v1/callback`

### Step 2: Configure Supabase

The Azure provider configuration is already added to `supabase/config.toml`:

```toml
[auth.external.azure]
enabled = false  # Change this to true
client_id = "env(AZURE_CLIENT_ID)"
secret = "env(AZURE_CLIENT_SECRET)"
redirect_uri = ""
url = "https://login.microsoftonline.com/env(AZURE_TENANT_ID)/v2.0"
skip_nonce_check = false
```

### Step 3: Set Environment Variables

1. Copy the example file:

   ```bash
   cp .env.azure.example .env.azure
   ```

2. Edit `.env.azure` with your actual values:

   ```bash
   AZURE_CLIENT_ID=your-application-client-id
   AZURE_CLIENT_SECRET=your-client-secret
   AZURE_TENANT_ID=common  # or your specific tenant ID
   ```

3. Source the environment file before starting Supabase:

   ```bash
   # set -a exports every variable the file assigns, so docker-compose can read them
   set -a; source .env.azure; set +a
   ```

   Or add it to your docker-compose environment.

### Step 4: Enable Azure Provider

Edit `supabase/config.toml` and change:

```toml
[auth.external.azure]
enabled = true  # Change from false to true
```

### Step 5: Restart Supabase

```bash
docker-compose down
docker-compose up -d
```

Or if using the project script:

```bash
./docker-compose.sh restart
```

### Step 6: Enable in Application

In `management-dashboard-web-app/.env`:

```bash
VITE_ENABLE_MICROSOFT_LOGIN=true
```

### Verification

1. Check auth service logs:

   ```bash
   docker-compose logs auth | grep -i azure
   ```

2. You should see the Microsoft login button on your application's login page
3. Click it and verify you're redirected to Microsoft login

### Troubleshooting

#### Azure Provider Not Working

**Check logs**:

```bash
docker-compose logs auth
```

**Verify environment variables are loaded**:

```bash
docker-compose exec auth env | grep AZURE
```

#### Redirect URI Mismatch

Ensure the redirect URI in Azure exactly matches:

```
http://:/auth/v1/callback
```

Common mistake: Using `localhost` instead of the actual IP address.

#### Environment Variables Not Set

If you see errors about missing AZURE variables, make sure to:

1. Export them in your shell before running docker-compose
2. Or add them to your docker-compose.yml environment section
3. Or use a .env file that docker-compose automatically loads

### Docker Compose Environment Variables

You can also add the variables directly to your `docker-compose.yml`:

```yaml
services:
  auth:
    environment:
      AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
      AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
      AZURE_TENANT_ID: ${AZURE_TENANT_ID:-common}
```

Then create a `.env` file in the same directory:

```bash
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-secret
AZURE_TENANT_ID=common
```

### Security Notes

- Never commit `.env.azure` or `.env` files with real secrets to git
- Add them to `.gitignore`
- Use environment variable substitution in config.toml
- Rotate client secrets regularly (before expiration)
- Monitor sign-in logs in Azure Portal

### Additional Resources

- Full setup guide: [MICROSOFT_ENTRA_SETUP.md](MICROSOFT_ENTRA_SETUP.md)
- Quick reference: [MICROSOFT_ENTRA_QUICKSTART.md](MICROSOFT_ENTRA_QUICKSTART.md)
- Supabase self-hosting docs: https://supabase.com/docs/guides/self-hosting
- Azure OAuth docs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
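
A preflight check for the env file from Step 3, tied to the Security Notes above; this is an added example, not one of the project's scripts. The function names `env_value` and `check_azure_env` are hypothetical, the placeholder test assumes the `your-...` sample values used in this guide, and the owner-only file mode is an assumed policy.

```shell
#!/usr/bin/env bash
# Added example, not part of the project's scripts.

# Print the value of KEY in an env file: the last assignment wins, and a
# trailing " # comment" and surrounding double quotes are stripped.
env_value() {  # usage: env_value FILE KEY
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 when FILE is fit to start Supabase with, 1 otherwise.
# Every problem found is reported on stderr.
check_azure_env() {  # usage: check_azure_env FILE
  local file="$1" rc=0 key val mode dir base
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  for key in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID; do
    val=$(env_value "$file" "$key")
    case $val in
      "")     echo "$key is not set in $file" >&2; rc=1 ;;
      your-*) echo "$key still holds the sample value '$val'" >&2; rc=1 ;;
    esac
  done
  # The file holds the client secret: no access for group or others
  # (assumed policy). GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case $mode in
    *00) ;;
    *) echo "$file has mode $mode; run: chmod 600 $file" >&2; rc=1 ;;
  esac
  # Inside a git work tree the file must be covered by .gitignore.
  dir=$(dirname "$file"); base=$(basename "$file")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     ! git -C "$dir" check-ignore -q "$base"; then
    echo "$file is not ignored by git; add it to .gitignore" >&2; rc=1
  fi
  return $rc
}

# When run with a file argument, check that file, for example: .env.azure
if [ "$#" -gt 0 ]; then check_azure_env "$1"; fi
```
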