Commit 1607e93

welteki authored and alexellis committed
Add note on using the faas-cli with Microsoft entra
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
1 parent 5858cd0 commit 1607e93

1 file changed

+20
-2
lines changed

docs/openfaas-pro/sso/microsoft-entra.md

Lines changed: 20 additions & 2 deletions
@@ -20,7 +20,9 @@ This guide covers how to configure [Microsoft Entra]() as an identity provider f
2020

2121
3. Configure allowed callback URL for the OpenFaaS dashboard and CLI.
2222

23-
Browse to *Identity -> Applications -> App registrations*. In the All application tab select your OpenFaaS application. Next, under Authentication click *Add platform* and select Web.
23+
Browse to *Identity -> Applications -> App registrations*. In the All application tab select your OpenFaaS application and navigate to *Authentication*.
24+
25+
Under Platform configurations click *Add platform* and select Web.
2426

2527
Enter a redirect URI:
2628
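
Review bot: The portal labels in the rewritten step 3 text (new lines 23 and 25) are formatted inconsistently: *Authentication* and *Add platform* are italicised, while "All application", "Platform configurations" and "Web" are plain. Suggest italicising every label the reader has to click, and checking "All application tab" against the portal, since it reads like a typo for "All applications".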

@@ -29,6 +31,8 @@ This guide covers how to configure [Microsoft Entra]() as an identity provider f
2931

3032
You can add more URIs later once the first one has been registered.
3133

34+
Next, under Implicit grant and hybrid flows, select the `ID tokens (used for implicit and hybrid flows)` checkbox.
35+
3236
![App registration platform configuration](/images/oidc-configuration/microsoft-entra/app-registration-platform-config.png)
3337

3438
4. Obtain client credentials
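
Review bot: New line 34 tells every reader to enable `ID tokens (used for implicit and hybrid flows)` without saying what depends on it. The only implicit flow this change mentions is the faas-cli note at the end of the file (`--grant=implicit-id`), so the step should state that link, for example "Required when logging in with the faas-cli using `--grant=implicit-id`", and say whether dashboard-only setups can leave the checkbox off. That keeps implicit ID token issuance from being switched on where nothing uses it. Also confirm that the screenshot that follows shows the checkbox in its selected state.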
@@ -60,4 +64,18 @@ This guide covers how to configure [Microsoft Entra]() as an identity provider f
6064
tokenExpiry: 12h
6165
```
6266
63-
The `tokenExpiry` field can be used to set the expiry time of the OpenFaaS access token.
67+
The `tokenExpiry` field can be used to set the expiry time of the OpenFaaS access token.
68+
69+
!!! Note "SSO with the faas-cli"
70+
71+
By default the faas-cli pro auth listens for OAuth callbacks on the address `http://127.0.0.1`. Entra does not support using the loopback address for redirect URIs. You need to explicitly set the flag `--redirect-host=http://localhost` to override the default value.
72+
73+
To login with the faas-cli when using Azure Entra as the identity provider we recommend using the Implicit Id flow.
74+
75+
```sh
76+
faas-cli pro auth \
77+
--grant=implicit-id \
78+
--authority=https://login.microsoftonline.com/1fe3798478-5987-2564-b4aa-99e587365024/v2.0 \
79+
--client-id=068cb5cb-8cc3-4d57-8263-d6c6ce52ddff \
80+
--redirect-host=http://localhost
81+
```
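
Review bot: The example command on new lines 78-79 uses concrete-looking tenant and client IDs instead of placeholders, and the tenant segment in `--authority` (`1fe3798478-5987-2564-b4aa-99e587365024`) has ten characters in its first group, so it is not a well-formed GUID. Suggest `<tenant-id>` and `<client-id>` placeholders, which also avoids publishing identifiers from a real app registration if that is where these came from. On line 71, "the loopback address" is ambiguous because `localhost` is a loopback name too; say "the `127.0.0.1` address", and put `faas-cli pro auth` in backticks. Line 73 says "Azure Entra" where the rest of the page says "Microsoft Entra".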
