Version: 1.4

Authentication with OAuth using Microsoft

This guide explains how to configure an external Identity Provider (IdP) using Microsoft / Azure AD for OAuth authentication in Resiliency.io.

Two methods are included: Manual (Azure Portal) and Automated (Terraform).


1. Identity Provider Configuration

Method 1: Manual (Azure Portal)

1. Create App Registration

  1. Navigate to Azure Portal → Azure Active Directory → App registrations
  2. Click New registration:
    • Name: Resiliency.io
    • Supported account types: Accounts in this organizational directory only (Single tenant)
    • Redirect URI:
      • Platform: Web
      • URI: https://<your-resiliency-domain>/oauth2/callback

2. Save Important Values

After creating the application, copy and save:

  • Application (client) ID
  • Directory (tenant) ID
  • Object ID

3. Configure Authentication

  1. Go to Authentication
  2. Under Implicit grant and hybrid flows, enable:
    • Access tokens
    • ID tokens

4. Create Client Secret

  1. Go to Certificates & secrets → Client secrets
  2. Click New client secret:
    • Description: Resiliency.io Secret
    • Expires: 24 months (recommended)
  3. ⚠️ Copy the Value immediately (only shown once)

5. Configure API Permissions

  1. Go to API permissions → Add a permission → Microsoft Graph
  2. Add the following permissions:

Delegated Permissions (on behalf of the signed-in user):

  • User.Read - Sign in and read user profile
  • email - View users' email address
  • profile - View users' basic profile
  • openid - Sign users in
  • offline_access - Maintain access to data you have given it access to
  • User.Read.All - Read all users' full profiles

Application Permissions (without a signed-in user):

  • Directory.Read.All - Read directory data

  3. Click Grant admin consent for [Your Organization]
  4. Confirm the action

Method 2: Terraform Configuration

Complete Terraform Code (main.tf)

# Get current client configuration
data "azuread_client_config" "current" {}

# Create Azure AD Application
resource "azuread_application" "app" {
  display_name     = var.name
  sign_in_audience = var.audience

  web {
    homepage_url  = var.url
    redirect_uris = var.redirect_uris

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"
    }

    resource_access {
      id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0" # email
      type = "Scope"
    }

    resource_access {
      id   = "37f7f235-527c-4136-accd-4a02d197296e" # openid
      type = "Scope"
    }

    resource_access {
      id   = "14dad69e-099b-42c9-810b-d002981feec1" # profile
      type = "Scope"
    }

    resource_access {
      id   = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182" # offline_access
      type = "Scope"
    }

    resource_access {
      id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61" # Directory.Read.All
      type = "Role"
    }

    resource_access {
      id   = "06da0dbc-49e2-44d2-8312-53f166ab848a" # User.Read.All
      type = "Scope"
    }
  }
}

# Create Service Principal
resource "azuread_service_principal" "sp" {
  client_id                    = azuread_application.app.client_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]

  feature_tags {
    enterprise = true
    gallery    = true
    hide       = true
  }
}

# Create Client Secret (the secret value is available as the resource's "value" attribute)
resource "azuread_application_password" "app_password" {
  application_id = azuread_application.app.id
  display_name   = var.name
  end_date       = var.client_secret_expiration_date # RFC 3339 timestamp
}

Complete Terraform Code (variables.tf)

variable "name" {
  description = "Resource name"
  type        = string
}

variable "location" {
  description = "Azure region where resources will be created"
  type        = string
  default     = "spaincentral"
}

variable "url" {
  description = "Web URL"
  type        = string
}

variable "redirect_uris" {
  description = "Redirect URIs"
  type        = list(string)
}

variable "audience" {
  description = "Audience (AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount)"
  type        = string
  default     = "AzureADMyOrg"
}

variable "client_secret_expiration_date" {
  description = "Expiration date for client_secret (RFC 3339, e.g. 2027-03-01T09:00:00Z)"
  type        = string
}
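The client secret created in step 4 (and, in the Terraform variant, the RFC 3339 value passed as var.client_secret_expiration_date) has to be rotated before it expires, or sign-in simply stops working. The following Python snippet is an added example, not part of the Resiliency.io documentation: it builds an end date the recommended 24 months out and flags secrets nearing expiry in the JSON returned by `az ad app credential list --id <app-id>`; the field names endDateTime, keyId and displayName are assumed from the Microsoft Graph passwordCredential object, and the sample credential list is constructed.

```python
"""Added example (not from the Resiliency.io docs): build the RFC 3339 end_date
for var.client_secret_expiration_date and flag expiring client secrets in the
JSON returned by `az ad app credential list --id <app-id>` (shape assumed)."""
import calendar
import json
from datetime import datetime, timezone


def rfc3339_in_months(start: datetime, months: int = 24) -> str:
    """Return start + months as an RFC 3339 UTC timestamp (Terraform end_date)."""
    if start.tzinfo is None:  # treat naive input as UTC
        start = start.replace(tzinfo=timezone.utc)
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    # Clamp the day so that 31 Jan + 1 month yields the last day of February.
    day = min(start.day, calendar.monthrange(year, month)[1])
    end = start.replace(year=year, month=month, day=day).astimezone(timezone.utc)
    return end.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_rfc3339(ts: str) -> datetime:
    # Azure emits e.g. 2027-03-01T09:00:00.0000000Z; fromisoformat() on older
    # Pythons rejects 'Z' and 7-digit fractions, so normalise both first.
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    head, sep, tail = ts.partition(".")
    if sep:
        idx = max(tail.find("+"), tail.find("-"))
        ts = head + (tail[idx:] if idx >= 0 else "")
    parsed = datetime.fromisoformat(ts)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def expiring_credentials(creds_json: str, now: datetime, warn_days: int = 30) -> list:
    """Return (keyId, displayName, daysLeft) for secrets expiring within warn_days."""
    findings = []
    for cred in json.loads(creds_json):
        days_left = (parse_rfc3339(cred["endDateTime"]) - now).days
        if days_left <= warn_days:
            findings.append((cred["keyId"], cred.get("displayName"), days_left))
    return findings


# Constructed sample of the CLI output; keyIds and dates are made up.
SAMPLE_NOW = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "Resiliency.io Secret", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2027-03-01T09:00:00.0000000Z"},
    {"displayName": "old-secret", "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2025-03-15T09:00:00Z"},
])
```

Run `expiring_credentials` against the real CLI output from a scheduled job and alert on any non-empty result, so the rotation happens before users are locked out.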

2. Create a Kubernetes Secret with credentials

The provider requires a Secret with the necessary credentials.

YAML file for Microsoft:

apiVersion: v1
kind: Secret
metadata:
  name: my-microsoft
  namespace: resiliency-system
type: Opaque
stringData:
  clientID: <your-client-id>
  clientSecret: <your-client-secret>
  tenant: <your-azure-tenant-id>

3. Apply the Secret

Once the YAML is ready, apply it with:

kubectl apply -f my-microsoft-secret.yaml

4. Get current Instance config and save to a file

kubectl get instances.core.resiliency.io resiliency-io \
  -n resiliency-system \
  -o yaml > instance.yaml

5. Edit the file

Apply the following changes to the instance.yaml:

apiVersion: core.resiliency.io/v1alpha1
kind: Instance
metadata:
  name: resiliency-io
  namespace: resiliency-system
spec:
  ...
  auth:
    ssoProviders:
      # Configure the Microsoft provider here; secretName must match the Secret created above
      - microsoft:
          name: Microsoft
          secretName: my-microsoft

6. Update

Apply the instance.yaml file with the following command:

kubectl apply -f instance.yaml