Authentication of Applications with Azure Active Directory


Using oauth2_proxy and Azure Active Directory, you can restrict access to your Azure-hosted applications to authenticated directory users. This article demonstrates how to configure the authentication of a web application with NGINX, oauth2_proxy and Azure.

Creating application registration in Azure Active Directory

The first step is to create an application registration in Azure Active Directory. To do this, first access Azure Active Directory, then click on App registrations and then New application registration.

In the next step, fill in the form with the name of the application, choose Web app / API under application type, and add the URL of your application in Azure. The application used in this configuration runs on an ordinary Linux virtual machine, and the URL is the address of the restricted application.

After creation, the following result will appear:

Click the name of the application, and on the next screen, click on Keys.

Now, we need to define the name of the key and its expiration period. After this is filled in, click Save and copy the key shown in the Value field. Save this value in a secure place: it is shown only once, and we will need it in the next steps of this configuration.

To complete this Azure configuration, we need to add the users who are allowed to access our application. In the new Azure portal it is not possible to assign users, so we first need to access the old portal at https://manage.windowsazure.com.

Authorization of users

Now, in the old portal, click on Active Directory, and click on your directory.

Next, click on Applications, and then on the application created at the beginning of this article.

To finish, click on Users. Select the users that will have access to the application and click Assign in the bottom menu bar.

That’s all there is to it! Now our application has been configured in Azure, and we are ready to configure the oauth2_proxy and NGINX server.

Configuring NGINX

In the configuration file of your application (the default site file, /etc/nginx/sites-enabled/default), add the following location directives:

# Everything under /oauth2 is handled by oauth2_proxy itself
# (sign-in page, the OAuth callback and the /oauth2/auth check endpoint).
location /oauth2 {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
}

# Every other request is first checked with a subrequest to /oauth2/auth;
# an unauthenticated user (401) is sent to the sign-in page, an authenticated
# one is proxied to the application.
location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://upstream_name;
}

This configuration integrates oauth2_proxy with NGINX: the directives make NGINX consult oauth2_proxy for every request before it is forwarded to the application.

Configuring oauth2_proxy

The oauth2_proxy is a reverse proxy that authenticates users against an external identity provider, in our case Azure Active Directory.

To install the oauth2_proxy, open the Download section of the releases page, copy the link of the release archive and fetch it on your server:

$ wget https://github.com/bitly/oauth2_proxy/releases/download/v2.2/oauth2_proxy-2.2.0.linux-amd64.go1.8.1.tar.gz

Then, extract the folder:

$ tar -xvf oauth2_proxy-2.2.0.linux-amd64.go1.8.1.tar.gz

And copy the oauth2_proxy binary to /etc:

$ cp oauth2_proxy-2.2.0.linux-amd64.go1.8.1/oauth2_proxy /etc

Now, we need an executable file that runs the oauth2_proxy with the parameters that associate it with our application in Azure. To do this, create the file oauth2proxy.sh in /init.d and add the lines below:

#!/bin/bash

# Start oauth2_proxy in the background with the values of the Azure app
# registration. The binary was copied to /etc in the previous step, so it is
# called by its full path (/etc is not on the PATH). The trailing backslashes
# continue the single command across lines.
/etc/oauth2_proxy \
    -email-domain=domain.com \
    -upstream=http://0.0.0.0:3000 \
    -cookie-secret=12345678 \
    -client-id=0aff987623-121ab87cc9 \
    -client-secret=avqCDvXEVGgtOfDEQaTupoh \
    -provider=azure \
    -cookie-secure=false \
    -cookie-expire=0h15m0s &

# cookie-secure=false leaves the Secure attribute off the session cookie and is
# only appropriate while the site is served over plain HTTP; set it to true
# once NGINX serves the application over HTTPS.

# Restart NGINX after oauth2_proxy is up so the /oauth2 location can reach it.
service nginx restart

The client-id is the Application ID, which you can find in the application properties in Azure. The client-secret is the key created earlier. The upstream is the address and port where your application is running. NGINX is restarted after oauth2_proxy has been started.

Then make the file executable:

$ chmod +x /init.d/oauth2proxy.sh

To complete this configuration, add this script to your server's start-up sequence so oauth2_proxy comes up with the machine. Now, if you open the application URL, you will see the authentication page.
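The start-up script above embeds a short cookie secret, and the NGINX location block depends on the auth_request module. The POSIX shell helpers below are an added example, not part of the original article or of oauth2_proxy itself: they generate a properly sized cookie secret, measure a candidate secret the way oauth2_proxy does (base64-decoded when valid base64, raw bytes otherwise), store it in a root-only file, and test an `nginx -V` output for the auth_request module. The file path and the sample nginx output are assumptions; GNU coreutils and /dev/urandom are assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU coreutils
# (head, base64, wc) and /dev/urandom.

# Generate a random 32-byte cookie secret, base64-encoded on a single line.
gen_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Byte length of a secret as oauth2_proxy interprets it: the value is
# base64-decoded when it is valid base64, otherwise its raw bytes are used.
cookie_secret_bytes() {
  if printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
  else
    printf '%s' "$1" | wc -c | tr -d ' '
  fi
}

# oauth2_proxy needs a 16-, 24- or 32-byte secret to build its AES cipher
# (cookie refresh / passing access tokens); shorter values such as the
# article's 12345678 only work for plain signing and are weak.
# Returns 0 when the decoded length is acceptable, 1 otherwise.
check_cookie_secret() {
  case "$(cookie_secret_bytes "$1")" in
    16|24|32) return 0 ;;
    *)        return 1 ;;
  esac
}

# Write the secret to a file readable only by its owner, so the init script
# can use -cookie-secret="$(cat /etc/oauth2_proxy.secret)" instead of
# embedding the value (path is an assumption).
write_secret_file() {
  ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Report whether the given 'nginx -V' output lists the auth_request module,
# which the 'auth_request /oauth2/auth;' directive requires.
nginx_has_auth_request() {
  printf '%s' "$1" | grep -q -- '--with-http_auth_request_module'
}
```

Run `nginx_has_auth_request "$(nginx -V 2>&1)"` on the server before reloading the configuration; without the module NGINX rejects the `auth_request` directive.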

When you click the sign-in button, you are redirected to the Azure authentication page to log in and authorize access (if you are not already logged in). If you are already logged in, you are redirected straight to the application page.

Conclusion

It’s fairly straightforward to configure this authentication mode. It’s important to grant access to applications only to users who exist in the Active Directory and to define separate sign-in rules per application. The oauth2_proxy is a very useful open source tool that can be configured to work with multiple authentication providers.


Brena Monteiro is a Tech Lead passionate about mentoring new developers. She has experience in hiring, mentoring and leading development teams, and in building scalable APIs and integrating them with partners and cloud services. Enthusiastic about architectural improvement using cloud services.
