-
Notifications
You must be signed in to change notification settings - Fork 21.8k
Expand file tree
/
Copy pathauthentication-authorization.yml
More file actions
165 lines (128 loc) · 7.48 KB
/
authentication-authorization.yml
File metadata and controls
165 lines (128 loc) · 7.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
### YamlMime:HowTo
metadata:
title: Authenticate and authorize Static Web Apps
description: Learn to use different authorization providers to secure your Azure Static Web Apps.
author: cjk7989
ms.author: jikunchen
ms.date: 01/28/2025
ms.service: azure-static-web-apps
ms.topic: how-to
ms.custom:
- engagement-fy23
- ge-structured-content-pilot
title: |
Authenticate and authorize Static Web Apps
introduction: |
Azure Static Web Apps provides a streamlined authentication experience, where no extra configuration is required to use GitHub and Microsoft Entra ID for authentication. All features listed in this article are available in all Static Web Apps plans.
In this article, learn about default behavior, how to set up sign-in and sign-out, how to block an authentication provider, and more. To read the auth details for a specific use, see [Access user information](./user-information.md).
You can [register a custom provider](./authentication-custom.md), which disables all pre-configured providers.
> [!WARNING]
> Due to changes in X (formerly Twitter) API policy, support is not available as part of the pre-configured providers for your app.
> If you want to continue to use X (formerly Twitter) for authentication/authorization with your app, update your app configuration to [register a custom provider](./authentication-custom.md).
prerequisites:
summary: |
Be aware of the following defaults and resources for authentication and authorization with Azure Static Web Apps.
**Defaults:**
- Any user can authenticate with a preconfigured provider
- GitHub
- Microsoft Entra ID
- To restrict an authentication provider, [block access](#block-an-authentication-provider) with a custom route rule
- After sign-in, users belong to the `anonymous` and `authenticated` roles. For more information about roles, see [Manage roles](authentication-custom.md#manage-roles)
**Resources:**
- Define rules in the [staticwebapp.config.json file](./configuration.md) for authorized users to gain access to restricted [routes](configuration.md#routes)
- Assign users custom roles using the built-in [invitations system](authentication-custom.md#manage-roles)
- Programmatically assign users custom roles at sign-in with an [API function](apis-overview.md)
- Understand that authentication and authorization significantly overlap with routing concepts, which are detailed in the [Application configuration guide](configuration.md)
- Restrict sign-in to a specific Microsoft Entra ID tenant by [configuring a custom Microsoft Entra ID provider](authentication-custom.md?tabs=aad). The preconfigured Microsoft Entra ID provider allows any Microsoft account to sign in.
procedureSection:
- title: |
Set up sign-in
summary: |
Azure Static Web Apps uses the `/.auth` system folder to provide access to authorization-related APIs. Rather than expose any of the routes under the `/.auth` folder directly to end users, create [routing rules](configuration.md#routes) for friendly URLs.
Use the following table to find the provider-specific route.
| Authorization provider | Sign in route |
| --- | --- |
| Microsoft Entra ID | `/.auth/login/aad` |
| GitHub | `/.auth/login/github` |
For example, to sign in with GitHub, you could use a URL similar to the following example.
```html
<a href="/.auth/login/github">Login</a>
```
If you chose to support more than one provider, use a provider-specific link for each provider on your website.
Use a [route rule](./configuration.md#routes) to map a default provider to a friendly route like _/login_.
```json
{
"route": "/login",
"redirect": "/.auth/login/github"
}
```
### Set up post-sign-in redirect
You can return a user to a specific page after they sign in by providing a fully qualified URL in the `post_login_redirect_uri` query string parameter.
code: |
```html
<a href="/.auth/login/github?post_login_redirect_uri=https://zealous-water.azurestaticapps.net/success">Login</a>
```
You can also redirect unauthenticated users back to the referring page after they sign in. To add this redirect, create a [response override](configuration.md#response-overrides) rule that sets `post_login_redirect_uri` to `.referrer`, like in the following example.
```json
{
"responseOverrides": {
"401": {
"redirect": "/.auth/login/github?post_login_redirect_uri=.referrer",
"statusCode": 302
}
}
}
```
- title: |
Set up sign-out
summary: |
The `/.auth/logout` route signs users out from the website. You can add a link to your site navigation to allow the user to sign out, like in the following example.
```html
<a href="/.auth/logout">Log out</a>
```
Use a [route rule](./configuration.md#routes) to map a friendly route like _/logout_.
```json
{
"route": "/logout",
"redirect": "/.auth/logout"
}
```
### Set up post-sign-out redirect
To return a user to a specific page after they sign out, provide a URL in `post_logout_redirect_uri` query string parameter.
## Block an authentication provider
By default, all authentication providers are enabled, but you may want to restrict your app from using a provider. For instance, your app may want to only use [providers that expose email addresses](authentication-custom.md#create-an-invitation).
To block a provider, create a [route rule](configuration.md#routes) to return a `404` status code for requests to the blocked provider-specific route. For example, to restrict Entra ID (formerly Azure Active Directory, known as "aad") provider, add the following route rule.
code: |
```json
{
"route": "/.auth/login/aad",
"statusCode": 404
}
```
- title: |
Remove personal data
summary: |
When you grant consent to an application as an end user, the application has access to your email address or username, depending on the identity provider. Once this information is provided, the owner of the application can decide how to manage personal data.
End users need to contact administrators of individual web apps to revoke this information from their systems.
To remove personal data from the Azure Static Web Apps platform, and prevent the platform from providing this information on future requests, submit a request using the following URL:
code: |
```url
https://identity.azurestaticapps.net/.auth/purge/<AUTHENTICATION_PROVIDER_NAME>
```
To prevent the platform from providing this information on future requests to individual apps, submit a request using the following URL:
```url
https://<WEB_APP_DOMAIN_NAME>/.auth/purge/<AUTHENTICATION_PROVIDER_NAME>
```
If you're using Microsoft Entra ID, use `aad` as the value for the `<AUTHENTICATION_PROVIDER_NAME>` placeholder.
> [!TIP]
> For information about general restrictions and limitations, see [Quotas](quotas.md).
nextStep:
text: Use routes to set allowed roles to control page access
url: configuration.md
#relatedContent:
# - text: Manage roles with custom authentication
# url: authentication-custom.md#manage-roles
# - text: Application configuration guide, Routing concepts
# url: configuration.md
# - text: Access user authentication and authorization data
# url: user-information.md