Add http authentication instructions for Microsoft Entra #30

Open
wants to merge 1 commit into
base: master
49 changes: 48 additions & 1 deletion docs/tutorial/http-authentication.md
Expand Up @@ -156,7 +156,54 @@ inlets-pro http client \
--oauth-acl [email protected]
```

You can control which users are allowed to access the tunnel by providing an email address using the `--oauth-acl` flag.
You can control which users are allowed to access the tunnel by providing an email address using the `--oauth-acl` flag.

### Example with Microsoft Entra

> To use the Microsoft Entra provider you need a commercial Inlets license.

1. Sign in to [Microsoft Entra admin center](https://entra.microsoft.com/)
2. Create an Application for Inlets.

Browse to *Identity -> Applications -> Enterprise applications -> All Applications*. In the All applications pane, select *New Application*.

This will let you browse the Microsoft Entra Gallery. Select *Create your own application*.

Fill out the app name, select the option `Register an application to integrate with Microsoft Entra ID (App you're developing)` and click *Create*

In the next form select the account types you would want to use. We will configure the redirect URI in the next step so this field can be left out for now. Click *Register* when done.

3. Configure allowed callback URLs for Inlets tunnels.

Browse to *Identity -> Applications -> App registrations*. In the All application tab select your OpenFaaS application and navigate to *Authentication*.

Under Platform configurations click *Add platform* and select Web.

Enter a redirect URI e.g. `http://tunnel.example.com/_/oauth/callback`. The callback for a tunnel is always available at `/_/oauth/callback`.

You can add more URIs later once the first one has been registered.

4. Obtain client credentials

You will need to create a client secret for the Inlets app. Navigate to *Certificates and secrets* for the app registration and add a new client secret. Save it in a convenient place so it can be used when connecting the tunnel.

To connect the client you will need the client id, client secret and authority URL from your tenant. The Authority url has the form: `https://login.microsoftonline.com/{tenant}/v2.0`.

Both the Directory (tenant) ID and Application (client) ID can be found in the overview of your app registration in the Microsoft Entra admin center.

Connect the client:

```sh
inlets-pro http client \
--upstream prometheus.demo.welteki.dev=http://127.0.0.1:9090 \
--oauth-provider microsoft-entra \
--oauth-client-id $(cat ./client-id) \
--oauth-client-secret $(cat ./client-secret) \
--oauth-authority=https://login.microsoftonline.com/1fe3798478-5987-2564-b4aa-99e587365024/v2.0 \
--oauth-acl [email protected]
```

You can control which users are allowed to access the tunnel by providing an email address using the `--oauth-acl` flag.

More providers will be added over time, based upon requests from users, so if you want to use Facebook, GitLab, etc, send us an email to help with prioritisation.
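
Review bot: Step 3 says "select your OpenFaaS application", which looks carried over from another project's docs; it should refer to the Inlets application registered in step 2. In the same step the sample redirect URI is `http://tunnel.example.com/_/oauth/callback`. Microsoft Entra accepts `http` redirect URIs only for localhost, and the callback carries the authorization code, so the example should use `https://`. In the connect command, the tenant segment of `--oauth-authority` (`1fe3798478-5987-2564-b4aa-99e587365024`) is not a well-formed GUID, since its first group has ten characters instead of eight; a `<tenant-id>` placeholder matching the `{tenant}` form given in step 4 would be clearer. That flag is also the only one written with `=` while the others use a space. Lastly, `--oauth-client-secret $(cat ./client-secret)` expands the secret into the process arguments, where it is visible in the process list to other local users; a sentence noting that next to the command would help readers who run the client on shared hosts.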
