You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/container-apps/authentication-openid.md
+7-9Lines changed: 7 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ services: container-apps
5
5
author: craigshoemaker
6
6
ms.service: azure-container-apps
7
7
ms.topic: how-to
8
-
ms.date: 10/14/2024
8
+
ms.date: 03/30/2026
9
9
ms.author: cshoe
10
10
---
11
11
@@ -15,19 +15,17 @@ This article shows you how to configure Azure Container Apps to use a custom aut
15
15
16
16
You can configure your app to use one or more OIDC providers. Each must be given a unique alphanumeric name in the configuration, and only one can serve as the default redirect target.
17
17
18
-
## <aname="openid-register"> </a>Register your application with the identity provider
18
+
## Register your application with the identity provider
19
19
20
20
Your provider requires you to register the details of your application with it. One of these steps involves specifying a redirect URI. This redirect URI is of the form `<app-url>/.auth/login/<provider-name>/callback`. Each identity provider should provide more instructions on how to complete these steps.
21
21
22
22
> [!NOTE]
23
-
> Some providers may require additional steps for their configuration and how to use the values they provide. For example, Apple provides a private key which is not itself used as the OIDC client secret, and you instead must use it craft a JWT which is treated as the secret you provide in your app config (see the "Creating the Client Secret" section of the [Sign in with Apple documentation](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens))
24
-
>
23
+
> Some providers require further steps for their configuration and different guidance on how to use the values they provide. For example, Apple provides a private key, which isn't used as the OIDC client secret. Instead, you must use it to craft a JSON Web Token (JWT), which is treated as the secret you provide in your app config. For more information, see the "Creating the Client Secret" section of the [Sign in with Apple documentation](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens).
25
24
26
25
You need to collect a **client ID** and **client secret** for your application.
27
26
28
27
> [!IMPORTANT]
29
-
> The client secret is a critical security credential. Do not share this secret with anyone or distribute it within a client application.
30
-
>
28
+
> The client secret is a critical security credential. Don't share this secret with anyone or distribute it within a client application.
31
29
32
30
Additionally, you need the OpenID Connect metadata for the provider. This information is often exposed via a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's Issuer URL suffixed with `/.well-known/openid-configuration`. Make sure to gather this configuration URL.
33
31
@@ -38,7 +36,7 @@ If you're unable to use a configuration metadata document, you need to gather th
38
36
- The [OAuth 2.0 Token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) (sometimes shown as `token_endpoint`)
39
37
- The URL of the [OAuth 2.0 JSON Web Key Set](https://tools.ietf.org/html/rfc8414#section-2) document (sometimes shown as `jwks_uri`)
40
38
41
-
## <aname="openid-configure"> </a>Add provider information to your application
39
+
## Add provider information to your application
42
40
43
41
1. Sign in to the [Azure portal] and navigate to your app.
44
42
@@ -60,8 +58,8 @@ If you're unable to use a configuration metadata document, you need to gather th
60
58
61
59
Use the following guides for details on working with authenticated users.
62
60
63
-
*[Customize sign-in and sign-out](authentication.md#customize-sign-in-and-sign-out)
64
-
*[Access user claims in application code](authentication.md#access-user-claims-in-application-code)
61
+
-[Customize sign-in and signout](authentication.md#customize-sign-in-and-sign-out)
62
+
-[Access user claims in application code](authentication.md#access-user-claims-in-application-code)
* An Azure account with an active subscription. If you don't already have one, you can [can create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
33
-
*[Azure CLI](/cli/azure/install-azure-cli).
32
+
- An Azure account with an active subscription. If you don't already have one, you can [can create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
33
+
-[Azure CLI](/cli/azure/install-azure-cli).
34
34
35
35
## Considerations
36
36
@@ -339,8 +339,8 @@ The following table describes the different Git backend configuration values ava
339
339
|`spring.cloud.config.server.git.password` <br/> `spring.cloud.config.server.git.repos.{repoName}.password`| Password for authentication with remote repository. |
340
340
|`spring.cloud.config.server.git.search-paths` <br/> `spring.cloud.config.server.git.repos.{repoName}.search-paths`| Search paths to use within local working copy. By default, searches only the root. |
341
341
|`spring.cloud.config.server.git.force-pull` <br/> `spring.cloud.config.server.git.repos.{repoName}.force-pull`| Flag to indicate that the repository should force pull. If `true`, discard any local changes and take from the remote repository. |
342
-
|`spring.cloud.config.server.git.default-label` <br/> `spring.cloud.config.server.git.repos.{repoName}.default-label`| The default label used for Git is **main**. If you don't set `spring.cloud.config.server.git.default-label` and a branch named **main** doesn't exist, the config server by default also tries to checkout a branch named **master**. If you'd like to disable the fallback branch behavior, you can set `spring.cloud.config.server.git.tryMasterBranch` to `false`. |
343
-
|`spring.cloud.config.server.git.try-master-branch` <br/> `spring.cloud.config.server.git.repos.{repoName}.try-master-branch`| The config server by default tries to checkout a branch named **master**. |
342
+
|`spring.cloud.config.server.git.default-label` <br/> `spring.cloud.config.server.git.repos.{repoName}.default-label`| The default label used for Git is **main**. If you don't set `spring.cloud.config.server.git.default-label` and a branch named **main** doesn't exist, the config server by default also tries to check out a branch named **master**. If you'd like to disable the fallback branch behavior, you can set `spring.cloud.config.server.git.tryMasterBranch` to `false`. |
343
+
|`spring.cloud.config.server.git.try-master-branch` <br/> `spring.cloud.config.server.git.repos.{repoName}.try-master-branch`| The config server by default tries to check out a branch named **master**. |
344
344
|`spring.cloud.config.server.git.skip-ssl-validation` <br/> `spring.cloud.config.server.git.repos.{repoName}.skip-ssl-validation`| You can disable the configuration server's validation of the Git server's TLS/SSL certificate by setting the `git.skipSslValidation` property to `true`. |
345
345
|`spring.cloud.config.server.git.clone-on-start` <br/> `spring.cloud.config.server.git.repos.{repoName}.clone-on-start`| Flag to indicate that the repository should be cloned on startup, not on demand. Generally leads to slower startup but faster first query. |
346
346
|`spring.cloud.config.server.git.timeout` <br/> `spring.cloud.config.server.git.repos.{repoName}.timeout`| Timeout in seconds for obtaining HTTP or SSH connection, if applicable. The default value is 5 seconds. |
@@ -350,7 +350,7 @@ The following table describes the different Git backend configuration values ava
350
350
|`spring.cloud.config.server.git.host-key-algorithm` <br/> `spring.cloud.config.server.git.repos.{repoName}.host-key-algorithm`| One of `ssh-dss`, `ssh-rsa`, `ssh-ed25519`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, or `ecdsa-sha2-nistp521`. Must be set if `host-key` is also set. |
351
351
|`spring.cloud.config.server.git.strict-host-key-checking` <br/> `spring.cloud.config.server.git.repos.{repoName}.strict-host-key-checking`|`true` or `false`. If `false`, ignore errors with host key. |
352
352
|`spring.cloud.config.server.git.repos.{repoName}`| URI of remote repository. |
353
-
|`spring.cloud.config.server.git.repos.{repoName}.pattern`| The pattern format is a comma-separated list of `{application}/{profile}` names with wildcards. If `{application}/{profile}`does not match any of the patterns, it uses the default URI defined under. |
353
+
|`spring.cloud.config.server.git.repos.{repoName}.pattern`| The pattern format is a comma-separated list of `{application}/{profile}` names with wildcards. If `{application}/{profile}`doesn't match any of the patterns, it uses the default URI defined under. |
354
354
355
355
The following list describes common configurations:
356
356
@@ -366,7 +366,7 @@ The following list describes common configurations:
366
366
- You can change the priority of all overrides in the client to be more like default values, letting applications supply their own values in environment variables or System properties, by setting the `spring.cloud.config.override-none=true` flag - the default is false - in the remote repository.
367
367
368
368
-`spring.cloud.config.allow-override`
369
-
- If you enable config first bootstrap, you can allow client applications to override configuration from the config server by placing two properties within the applications configuration coming from the config server.
369
+
- If you enable config first bootstrap, you can allow client applications to override configuration from the config server. The override is done by placing two properties within the applications configuration coming from the config server.
370
370
371
371
-`spring.cloud.config.server.health.*`
372
372
- You can configure the Health Indicator to check more applications along with custom profiles and custom labels.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments