This article shows you how to configure Azure App Service or Azure Functions to use a custom authentication provider that adheres to the [OpenID Connect (OIDC) specification](https://openid.net/connect/). OIDC is an industry standard that many identity providers use. You don't need to understand the details of the specification for your app to use an OIDC identity provider.
+
This article shows you how to configure Azure App Service or Azure Functions to use a custom authentication provider that adheres to the [OpenID Connect (OIDC) specification](https://openid.net/connect/). OIDC is an industry standard that many identity providers use. You don't need to understand the details of the specification to use an OIDC identity provider for your app.
You can configure your app to use one or more OIDC providers. You must give each OIDC provider a unique friendly name in the configuration. Only one provider can serve as the default redirect target.
## <aname="register"> </a>Register your app with the OIDC identity provider
-
Your provider requires you to register your application by specifying a redirect URI in the form `<app-url>/.auth/login/<provider-name>/callback`. The`<provider-name>`is a friendly name you give the OpenID provider in Azure.
+
Your provider requires you to register your application by specifying a redirect URI in the form `<app-url>/.auth/login/<provider-name>/callback`. Replace`<provider-name>`with the friendly name you give the OpenID provider in Azure.
> [!NOTE]
> The OpenID provider name can't contain a hyphen `-`, because an App Service application setting is created based on this name, and application settings don't support hyphens. You can use an underscore `_` instead.
-
You need to collect a *client ID* for your application. You also need to provide a *client secret* if you want the user to acquire access tokens using the interactive authorization code flow. If you don't want to acquire access tokens, you don't need to use a secret.
+
When you register your app, you need to collect a *client ID*and a *client secret*for your application. You need to provide the client secret if you want the user to acquire access tokens using the interactive authorization code flow. If you don't want to acquire access tokens, you don't need to use a secret.
-
The client secret is an important security credential. Don't share this secret with anyone or distribute it in a client application.
+
> [!IMPORTANT]
+
> The **App Secret** value is an important security credential. Don't share this secret with anyone or distribute it within a client application.
-
Each identity provider should provide instructions on how to complete the registration steps. Some providers might require extra steps for their configuration and for using the values that they provide.
+
Each identity provider should provide instructions on how to complete the registration steps. Some providers might require extra steps for their configuration and for using the values that they provide. For example, Apple provides a private key that you use to create a JSON Web Token (JWT), which you provide as the secret in your app configuration. For more information, see [Creating a client secret](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens).
-
For example, Apple provides a private key that you use to create a JSON Web Token (JWT). You provide the JWT as the secret in your app configuration. For more information, see [Creating a client secret](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens).
-
-
You also need the OIDC metadata for the provider. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) that you can get at the path formed by appending `/.well-known/openid-configuration` to the provider's issuer URL.
+
You also need the provider's OIDC metadata. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) that you can get at the path formed by appending `/.well-known/openid-configuration` to the provider's issuer URL.
If you can't use a configuration metadata document, get the following values separately:
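Review bot: the new `[!IMPORTANT]` callout names the credential the **App Secret**, while the sentence directly above it and the rest of this section call it the *client secret*; the removed sentence used *client secret* as well. Readers registering with a generic OIDC provider will look for a "client secret" field, so keep one term: `> The client secret is an important security credential. Don't share this secret with anyone or distribute it within a client application.` Also worth a look before merge: the added lines `*client ID*and a *client secret*for` and `Replace`<provider-name>`with` are missing the spaces around the inline formatting, which will render the words run together if that is in the source and not just the diff view.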