usda-vision/docs/SELF_HOSTED_AZURE_SETUP.md

# Self-Hosted Supabase - Microsoft Entra Setup

## Quick Setup Guide

For self-hosted Supabase instances, OAuth providers like Microsoft Entra (Azure AD) are configured through config files and environment variables, not through the UI.

### Step 1: Configure Azure Application

Follow steps 1-4 in [MICROSOFT_ENTRA_SETUP.md](MICROSOFT_ENTRA_SETUP.md) to:
1. Register your app in Azure Portal
2. Get your Client ID and Secret
3. Set up API permissions
4. Configure token claims

**Important**: Your redirect URI should be:
```
http://<your-host-ip>:<supabase-port>/auth/v1/callback
```

Example: `http://192.168.1.100:54321/auth/v1/callback`

### Step 2: Configure Supabase

The Azure provider configuration is already added to `supabase/config.toml`:

```toml
[auth.external.azure]
enabled = false  # Change this to true
client_id = "env(AZURE_CLIENT_ID)"
secret = "env(AZURE_CLIENT_SECRET)"
redirect_uri = ""
url = "https://login.microsoftonline.com/env(AZURE_TENANT_ID)/v2.0"
skip_nonce_check = false
```

### Step 3: Set Environment Variables

1. Copy the example file:
   ```bash
   cp .env.azure.example .env.azure
   ```

2. Edit `.env.azure` with your actual values:
   ```bash
   AZURE_CLIENT_ID=your-application-client-id
   AZURE_CLIENT_SECRET=your-client-secret
   AZURE_TENANT_ID=common  # or your specific tenant ID
   ```

3. Source the environment file before starting Supabase:
   ```bash
   source .env.azure
   ```

   Or add it to your docker-compose environment.

### Step 4: Enable Azure Provider

Edit `supabase/config.toml` and change:
```toml
[auth.external.azure]
enabled = true  # Change from false to true
```

### Step 5: Restart Supabase

```bash
docker-compose down
docker-compose up -d
```

Or if using the project script:
```bash
./docker-compose.sh restart
```

### Step 6: Enable in Application

In `management-dashboard-web-app/.env`:
```bash
VITE_ENABLE_MICROSOFT_LOGIN=true
```

### Verification

1. Check auth service logs:
   ```bash
   docker-compose logs auth | grep -i azure
   ```

2. You should see the Microsoft login button on your application's login page

3. Click it and verify you're redirected to Microsoft login

### Troubleshooting

#### Azure Provider Not Working

**Check logs**:
```bash
docker-compose logs auth
```

**Verify environment variables are loaded**:
```bash
docker-compose exec auth env | grep AZURE
```

#### Redirect URI Mismatch

Ensure the redirect URI in Azure exactly matches:
```
http://<your-host-ip>:<supabase-port>/auth/v1/callback
```

Common mistake: Using `localhost` instead of the actual IP address.

#### Environment Variables Not Set

If you see errors about missing AZURE variables, make sure to:
1. Export them in your shell before running docker-compose
2. Or add them to your docker-compose.yml environment section
3. Or use a .env file that docker-compose automatically loads

### Docker Compose Environment Variables

You can also add the variables directly to your `docker-compose.yml`:

```yaml
services:
  auth:
    environment:
      AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
      AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
      AZURE_TENANT_ID: ${AZURE_TENANT_ID:-common}
```

Then create a `.env` file in the same directory:
```bash
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-secret
AZURE_TENANT_ID=common
```

### Security Notes

- Never commit `.env.azure` or `.env` files with real secrets to git
- Add them to `.gitignore`
- Use environment variable substitution in config.toml
- Rotate client secrets regularly (before expiration)
- Monitor sign-in logs in Azure Portal

### Additional Resources

- Full setup guide: [MICROSOFT_ENTRA_SETUP.md](MICROSOFT_ENTRA_SETUP.md)
- Quick reference: [MICROSOFT_ENTRA_QUICKSTART.md](MICROSOFT_ENTRA_QUICKSTART.md)
- Supabase self-hosting docs: https://supabase.com/docs/guides/self-hosting
- Azure OAuth docs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow