composer require metrogistics/laravel-azure-ad-oauth
If you are using Laravel 5.5 or greater, the service provider will be detected and installed by Laravel automatically. Otherwise you will need to add the service provider and the facade (optional) to the config/app.php file:
Metrogistics\AzureSocialite\ServiceProvider::class,
// ...
'AzureUser' => Metrogistics\AzureSocialite\AzureUserFacade::class,
Publish the config and override any defaults:
php artisan vendor:publish
Add the necessary env vars:
AZURE_AD_CLIENT_ID=XXXX
AZURE_AD_CLIENT_SECRET=XXXX
The only changes you should have to make to your application are:
- You will need to make the password field in the users table nullable.
- You will need to have a
VARCHARfield on the users table that is 36 characters long to store the Azure AD ID for the user. The default name for the field isazure_idbut that can be changed in the config file:'user_id_field' => 'azure_id',.
All you need to do to make use of Azure AD SSO is to point a user to the /login/microsoft route (configurable) for login. Once a user has been logged in, they will be redirect to the home page (also configurable).
After login, you can access the basic Laravel authenticate user as normal:
auth()->user();
If you need to set additional user fields when the user model is created at login, you may provide a callback via the UserFactory::userCallback() method. A good place to do so would be in your AppServiceProvider's boot method:
\Metrogistics\AzureSocialite\UserFactory::userCallback(function($new_user){
$new_user->api_token = str_random(60);
});
- Open your browser to https://portal.azure.com/
- Navigate to
Azure Active Directory->App registrations. - Click on the blue button
Register an application - Provide a human readable name for the application.
- Select the type of accounts under
Supported account types. - Under
Redirect URI (optional)selectWeband add the url in the form
https://your.domain.name/login/microsoft/callback
Note: This must be a https address, not http.
- Click on the
Registerbutton - In the right pane, top section, locate the
Application (client) IDand copy it's value to AZURE_AD_CLIENT_ID in your .env file. - In the left menu bar under
Manageclick onCertificates & Secrets. - In the pane on the right that just opened, under "Client secrets", click on the
+ New client secretbutton. - Enter a description for the key in the
Descriptionbox - Select the expiry term you require (this authentication mechnism stops once this key expires)
- Click on the
Addbutton. The key will be displayed once only - Copy the key and add it to your .env file as the
AZURE_AD_CLIENT_SECRETvalue. - Click on
API permissionsand add any permissions that may be required - Click on
Manifestin the menu - Add roles as nessesary to the end of the exiting manifest using the following format changing the id value to a unique GUID of your choosing for each. (Don't forget to add a comma to the last item that's in the manifest before pasting)
...,
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Manager Role",
"id": "123459e3-8d88-4d99-b630-b9642a70f51e",
"isEnabled": true,
"description": "Manage stuff with this role",
"value": "manager"
}
]
- Change the
idvalue to a unique GUID of your choosing (ie don't use the one in the example here). - In the left menu, click on
Enterprise applicationsthen in the right pane, click on your application. - On the left, click on
Propertiesand locateUser assignment required?in the right pane. - Change
User assignment required?toYes - Click the
Savelink at the top (right pane) - In the left menu, click
Users and groupsand add users/groups as required. - In the menu area under
Securityclick onPermissions. - Click on the button
Grant admin consent for Default Directory. A new browser window will open with the Microsft login screen - Login to your admin account. It will present a window with
Permissions requested Accept for your organization. - Click on the
Acceptbutton. The browser will now close
You are now ready to log into your application using Azure AD credentials.
-
Navigate to
Azure Active Directory->App registrations. -
Create a new application
-
Choose a name
-
Select the "Web app / API" Application Type
-
Add the "Sign-on URL". This will typically be
https://domain.com/auth/login -
Click "Create"
-
Click into the newly created app.
-
The "Application ID" is what you will need for your
AZURE_AD_CLIENT_IDenv variable. -
Click into "Reply URLs". You will need to whitelist the redirection path for your app here. It will typically be
https://domain.com/login/microsoft/callback. Click "Save" -
Select the permissions required for you app in the "Required permissions" tab.
-
Add any necessary roles to the manifest:
-
Click on the "Manifest" tab.
-
Add roles as necessary using the following format:
"appRoles": [ { "allowedMemberTypes": [ "User" ], "displayName": "Manager Role", "id": "08b0e9e3-8d88-4d99-b630-b9642a70f51e",// Any unique GUID "isEnabled": true, "description": "Manage stuff with this role", "value": "manager" } ], ``` -
Click "Save"
-
In the "Keys" tab, enter a description (something like "App Secret"). Set Duration to "Never Expires". Click "Save". Copy the whole key. This will not show again. You will need this value for the
AZURE_AD_CLIENT_SECRETenv variable. -
Click on the "Managed application" link (It will be the name of the application);
-
Under the "Properties" tab, enable user sign-in. Make user assignment required. Click "Save".
-
Under the "Users and groups" tab, add users and their roles as needed.
Includes:
- pr4 by bram1028 which fixes issue #3
- pr8 by nexxai which fixes a issue #1 plus typo in readme
- pr11 by grothentor which adds params to code request link using config
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent