Add note on using the faas-cli with Microsoft Entra #404

Open
wants to merge 1 commit into
base: master
22 changes: 20 additions & 2 deletions docs/openfaas-pro/sso/microsoft-entra.md
Expand Up @@ -20,7 +20,9 @@ This guide covers how to configure [Microsoft Entra]() as an identity provider f

3. Configure allowed callback URL for the OpenFaaS dashboard and CLI.

Browse to *Identity -> Applications -> App registrations*. In the All application tab select your OpenFaaS application. Next, under Authentication click *Add platform* and select Web.
Browse to *Identity -> Applications -> App registrations*. In the All application tab select your OpenFaaS application and navigate to *Authentication*.

Under Platform configurations click *Add platform* and select Web.

Enter a redirect URI:
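
Review bot: The rewritten navigation step formats portal labels inconsistently: *Authentication* and *Add platform* are italicised, while "Platform configurations", "Web" and the "All application" tab are plain, and the tab label reads "All application" where the plural is presumably meant. Suggest italicising every portal label the same way so readers can tell UI labels from prose, and checking the tab name against the portal.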

Expand All @@ -29,6 +31,8 @@ This guide covers how to configure [Microsoft Entra]() as an identity provider f

You can add more URIs later once the first one has been registered.

Next, under Implicit grant and hybrid flows, select the `ID tokens (used for implicit and hybrid flows)` checkbox.

![App registration platform configuration](/images/oidc-configuration/microsoft-entra/app-registration-platform-config.png)

4. Obtain client credentials
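
Review bot: The added sentence about the `ID tokens (used for implicit and hybrid flows)` checkbox gives no reason for enabling it. Ticking it lets the app registration issue ID tokens directly from the authorization endpoint, so the doc should state which login path depends on it (the faas-cli note added at the end of this file uses `--grant=implicit-id`) and whether dashboard-only setups can leave it unchecked.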
Expand Down Expand Up @@ -60,4 +64,18 @@ This guide covers how to configure [Microsoft Entra]() as an identity provider f
tokenExpiry: 12h
```

The `tokenExpiry` field can be used to set the expiry time of the OpenFaaS access token.
The `tokenExpiry` field can be used to set the expiry time of the OpenFaaS access token.

!!! Note "SSO with the faas-cli"

By default the faas-cli pro auth listens for OAuth callbacks on the address `http://127.0.0.1`. Entra does not support using the loopback address for redirect URIs. You need to explicitly set the flag `--redirect-host=http://localhost` to override the default value.

To login with the faas-cli when using Azure Entra as the identity provider we recommend using the Implicit Id flow.

```sh
faas-cli pro auth \
--grant=implicit-id \
--authority=https://login.microsoftonline.com/1fe3798478-5987-2564-b4aa-99e587365024/v2.0 \
--client-id=068cb5cb-8cc3-4d57-8263-d6c6ce52ddff \
--redirect-host=http://localhost
```
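
Review bot: In the added note, "Entra does not support using the loopback address for redirect URIs" contradicts the fix in the next sentence, since `http://localhost` is also a loopback address; say instead that the `http://127.0.0.1` IP literal is what cannot be used. In the example command, the tenant ID in `--authority` has ten characters in its first group, so it is not a well-formed GUID, and both IDs would read better as explicit placeholders such as `<tenant-id>` and `<client-id>`. The note also says "Azure Entra" where the page title and intro say Microsoft Entra, and it should point back to step 3 so readers register the `http://localhost` callback as a redirect URI.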