Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 4. Authentication with Microsoft Azure
To authenticate users with Microsoft Azure:
4.1. Enabling authentication with Microsoft Azure
Red Hat Developer Hub includes a Microsoft Azure authentication provider that can authenticate users by using OAuth.
Prerequisites
- You have the permission to register an application in Microsoft Azure.
- You added a custom Developer Hub application configuration.
Procedure
To allow Developer Hub to authenticate with Microsoft Azure, create an OAuth application in Microsoft Azure.
In the Azure portal go to App registrations, create a New registration with the configuration:
- Name
- The application name in Azure, such as <My Developer Hub>.
On the Home > App registrations > <My Developer Hub> > Manage > Authentication page, Add a platform, with the following configuration:
- Redirect URI
-
Enter the backend authentication URI set in Developer Hub:
https://<my_developer_hub_url>/api/auth/microsoft/handler/frame - Front-channel logout URL
- Leave blank.
- Implicit grant and hybrid flows
- Leave all checkboxes cleared.
On the Home > App registrations > <My Developer Hub> > Manage > API permissions page, Add a Permission, then add the following Delegated permission for the Microsoft Graph API:
-
email -
offline_access -
openid -
profile -
User.Read Optional custom scopes for the Microsoft Graph API that you define both in this section and in the Developer Hub configuration (
app-config-rhdh.yaml).NoteYour company might require you to grant admin consent for these permissions. Even if your company does not require admin consent, you might do so as it means users do not need to individually consent the first time they access backstage. To grant administrator consent, a directory administrator must go to the admin consent page and click Grant admin consent for COMPANY NAME.
-
- On the Home > App registrations > <My Developer Hub> > Manage > Certificates & Secrets page, in the Client secrets tab, create a New client secret.
Save for the next step:
- Directory (tenant) ID
- Application (client) ID
- Application (client) secret
To add your Microsoft Azure credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets, such as
secrets-rhdh:AUTH_AZURE_TENANT_ID- Enter your saved Directory (tenant) ID.
AUTH_AZURE_CLIENT_ID- Enter your saved Application (client) ID.
AUTH_AZURE_CLIENT_SECRET- Enter your saved Application (client) secret.
Set up the Microsoft Azure authentication provider in your Developer Hub custom configuration, such as
app-config-rhdh:app-config-rhdh.yamlfragmentauth: environment: production providers: microsoft: production: clientId: ${AUTH_AZURE_CLIENT_ID} clientSecret: ${AUTH_AZURE_CLIENT_SECRET} tenantId: ${AUTH_AZURE_TENANT_ID} signInPage: microsoftenvironment: production- Mark the environment as production to hide the Guest login in the Developer Hub home page.
clientId,clientSecretandtenantId- Use the Developer Hub application information that you have created in Microsoft Azure and configured in OpenShift as secrets.
signInPage: microsoft- Enable the Microsoft Azure provider as default sign-in provider.
Optional: Consider adding following optional fields:
dangerouslyAllowSignInWithoutUserInCatalog: trueTo enable authentication without requiring to provision users in the Developer Hub software catalog.
WarningUse
dangerouslyAllowSignInWithoutUserInCatalogto explore Developer Hub features, but do not use it in production.app-config-rhdh.yamlfragment with optional field to allow authenticating users absent from the software catalogauth: environment: production providers: microsoft: production: clientId: ${AUTH_AZURE_CLIENT_ID} clientSecret: ${AUTH_AZURE_CLIENT_SECRET} tenantId: ${AUTH_AZURE_TENANT_ID} signInPage: microsoft dangerouslyAllowSignInWithoutUserInCatalog: truedomainHintOptional for single-tenant applications. You can reduce login friction for users with accounts in multiple tenants by automatically filtering out accounts from other tenants. If you want to use this parameter for a single-tenant application, uncomment and enter the tenant ID. If your application registration is multi-tenant, leave this parameter blank. For more information, see Home Realm Discovery.
app-config-rhdh.yamlfragment with optionaldomainHintfieldauth: environment: production providers: microsoft: production: domainHint: ${AUTH_AZURE_TENANT_ID}additionalScopesOptional for additional scopes. To add scopes for the application registration, uncomment and enter the list of scopes that you want to add. The default and mandatory value lists:
'openid', 'offline_access', 'profile', 'email', 'User.Read'.app-config-rhdh.yamlfragment with optionaladditionalScopesfieldauth: environment: production providers: microsoft: production: additionalScopes: - Mail.Send
This step is optional for environments with outgoing access restrictions, such as firewall rules. If your environment has such restrictions, ensure that your RHDH backend can access the following hosts:
-
login.microsoftonline.com: For obtaining and exchanging authorization codes and access tokens. -
graph.microsoft.com: For retrieving user profile information (as referenced in the source code). If this host is unreachable, you might see an Authentication failed, failed to fetch user profile error when attempting to log in.
4.2. Provisioning users from Microsoft Azure to the software catalog
To authenticate users with Microsoft Azure, after Enabling authentication with Microsoft Azure, provision users from Microsoft Azure to the Developer Hub software catalog.
Prerequisites
Procedure
To enable Microsoft Azure member discovery, edit your custom Developer Hub ConfigMap, such as
app-config-rhdh, and add following lines to theapp-config-rhdh.yamlcontent:app-config.yamlfragment with mandatorymicrosoftGraphOrgfieldsdangerouslyAllowSignInWithoutUserInCatalog: false catalog: providers: microsoftGraphOrg: providerId: target: https://graph.microsoft.com/v1.0 tenantId: ${AUTH_AZURE_TENANT_ID} clientId: ${AUTH_AZURE_CLIENT_ID} clientSecret: ${AUTH_AZURE_CLIENT_SECRET}dangerouslyAllowSignInWithoutUserInCatalog: false- Allow authentication only for users in the Developer Hub software catalog.
target: https://graph.microsoft.com/v1.0- Defines the MSGraph API endpoint the provider is connecting to. You might change this parameter to use a different version, such as the beta endpoint.
tenandId,clientIdandclientSecret- Use the Developer Hub application information you created in Microsoft Azure and configured in OpenShift as secrets.
Optional: Consider adding the following optional
microsoftGraphOrg.providerIdfields:authority: https://login.microsoftonline.comDefines the authority used. Change the value to use a different authority, such as Azure US government. Default value:
https://login.microsoftonline.com.app-config.yamlfragment with optionalqueryModefieldcatalog: providers: microsoftGraphOrg: providerId: authority: https://login.microsoftonline.com/
queryMode: basic | advancedBy default, the Microsoft Graph API only provides the
basicfeature set for querying. Certain features requireadvancedquerying capabilities. See Microsoft Azure Advanced queries.app-config.yamlfragment with optionalqueryModefieldcatalog: providers: microsoftGraphOrg: providerId: queryMode: advanced
user.expandTo include the expanded resource or collection referenced by a single relationship (navigation property) in your results. Only one relationship can be expanded in a single request. See Microsoft Graph query expand parameter. This parameter can be combined with ] or xref:userFilter[.
app-config.yamlfragment with optionaluser.expandfieldcatalog: providers: microsoftGraphOrg: providerId: user: expand: manager
user.filterTo filter users. See Microsoft Graph API and Microsoft Graph API query filter parameters syntax. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.
app-config.yamlfragment with optionaluser.filterfieldcatalog: providers: microsoftGraphOrg: providerId: user: filter: accountEnabled eq true and userType eq 'member'
user.loadPhotos: true | falseLoad photos by default. Set to
falseto not load user photos.app-config.yamlfragment with optionaluser.loadPhotosfieldcatalog: providers: microsoftGraphOrg: providerId: user: loadPhotos: true
user.selectDefine the Microsoft Graph resource types to retrieve.
app-config.yamlfragment with optionaluser.selectfieldcatalog: providers: microsoftGraphOrg: providerId: user: select: ['id', 'displayName', 'description']
userGroupMember.filterTo use group membership to get users. To filter groups and fetch their members. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.
app-config.yamlfragment with optionaluserGroupMember.filterfieldcatalog: providers: microsoftGraphOrg: providerId: userGroupMember: filter: "displayName eq 'Backstage Users'"
userGroupMember.searchTo use group membership to get users. To search for groups and fetch their members. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.
app-config.yamlfragment with optionaluserGroupMember.searchfieldcatalog: providers: microsoftGraphOrg: providerId: userGroupMember: search: '"description:One" AND ("displayName:Video" OR "displayName:Drive")'
group.expandOptional parameter to include the expanded resource or collection referenced by a single relationship (navigation property) in your results. Only one relationship can be expanded in a single request. See https://docs.microsoft.com/en-us/graph/query-parameters#expand-parameter This parameter can be combined with ] instead of xref:userFilter[.
app-config.yamlfragment with optionalgroup.expandfieldcatalog: providers: microsoftGraphOrg: providerId: group: expand: member
group.filterTo filter groups. See Microsoft Graph API query group syntax.
app-config.yamlfragment with optionalgroup.filterfieldcatalog: providers: microsoftGraphOrg: providerId: group: filter: securityEnabled eq false and mailEnabled eq true and groupTypes/any(c:c+eq+'Unified')
group.searchTo search for groups. See Microsoft Graph API query search parameter.
app-config.yamlfragment with optionalgroup.searchfieldcatalog: providers: microsoftGraphOrg: providerId: group: search: '"description:One" AND ("displayName:Video" OR "displayName:Drive")'
group.selectTo define the Microsoft Graph resource types to retrieve.
app-config.yamlfragment with optionalgroup.selectfieldcatalog: providers: microsoftGraphOrg: providerId: group: select: ['id', 'displayName', 'description']schedule.frequencyTo specify custom schedule frequency. Supports cron, ISO duration, and "human duration" as used in code.
app-config.yamlfragment with optionalschedule.frequencyfieldcatalog: providers: microsoftGraphOrg: providerId: schedule: frequency: { hours: 1 }schedule.timeoutTo specify custom timeout. Supports ISO duration and "human duration" as used in code.
app-config.yamlfragment with optionalschedule.timeoutfieldcatalog: providers: microsoftGraphOrg: providerId: schedule: timeout: { minutes: 50 }schedule.initialDelayTo specify custom initial delay. Supports ISO duration and "human duration" as used in code.
app-config.yamlfragment with optionalschedule.initialDelayfieldcatalog: providers: microsoftGraphOrg: providerId: schedule: initialDelay: { seconds: 15}
Verification
Check the console logs to verify that the synchronization is completed.
Successful synchronization example:
backend:start: {"class":"MicrosoftGraphOrgEntityProvider$1","level":"info","message":"Read 1 msgraph users and 1 msgraph groups in 2.2 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"MicrosoftGraphOrgEntityProvider:default:refresh","taskInstanceId":"88a67ce1-c466-41a4-9760-825e16b946be","timestamp":"2024-06-26 12:23:42"} backend:start: {"class":"MicrosoftGraphOrgEntityProvider$1","level":"info","message":"Committed 1 msgraph users and 1 msgraph groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"MicrosoftGraphOrgEntityProvider:default:refresh","taskInstanceId":"88a67ce1-c466-41a4-9760-825e16b946be","timestamp":"2024-06-26 12:23:42"}- Log in with a Microsoft Azure account.
