Support for Azure AD Single-Tenant Authentication in Supabase CLI
Describe the bug The Azure AD auth provider doesn't take a tenant URL, and therefore cannot support single-tenant applications. To authenticate with a single-tenant application in Azure, the auth provider must hit the tenant-specific URL "https://login.microsoftonline.com/<tenant_id>" rather than the /common endpoint (which is only for multi-tenant applications).
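To make the security difference concrete, here is a small added example (not Supabase or GoTrue code) that builds the tenant-specific authority described above and shows the defence-in-depth check a single-tenant app needs on an ID token: both the `tid` and `iss` claims must name the expected tenant, so a token minted for another tenant (which /common will happily hand out) is rejected. The tenant IDs and token claims are constructed sample values, and the `iss` format assumes the Azure AD v2.0 endpoint.

```python
from typing import Optional

# Constructed sample values (not real tenants).
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

COMMON_AUTHORITY = "https://login.microsoftonline.com/common"


def azure_authority(tenant_id: Optional[str]) -> str:
    """Base URL the provider should send the user to.

    /common is the multi-tenant endpoint; a single-tenant app registration
    must use the tenant-specific path or Azure rejects the sign-in.
    """
    if tenant_id is None:
        return COMMON_AUTHORITY
    return f"https://login.microsoftonline.com/{tenant_id}"


def token_belongs_to_tenant(claims: dict, expected_tenant_id: str) -> bool:
    """Check an already signature-verified ID token against one tenant.

    Assumes the v2.0 endpoint, whose issuer is
    https://login.microsoftonline.com/<tid>/v2.0 (an assumption of this
    example). Both claims are checked so that a token from any other tenant,
    even one with a plausible `tid`, is rejected.
    """
    expected_iss = f"https://login.microsoftonline.com/{expected_tenant_id}/v2.0"
    return (
        claims.get("tid") == expected_tenant_id
        and claims.get("iss") == expected_iss
    )


# Constructed decoded-claim samples: one from the company tenant, one from
# a different tenant such as /common would accept.
CLAIMS_OWN_TENANT = {
    "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",
    "tid": EXPECTED_TENANT,
    "preferred_username": "alice@example.com",
}
CLAIMS_OTHER_TENANT = {
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "tid": OTHER_TENANT,
    "preferred_username": "mallory@example.org",
}
```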
To Reproduce Steps to reproduce the behavior:
- Set up local development for Supabase as per the docs
- Create an app registration in the Azure portal as per the docs, except pick the single-tenant option for supported account types.
- Add the config options to config.toml as per the docs:
[auth.external.azure]
enabled = true
client_id = "env(SUPABASE_AZURE_CLIENT_ID)"
secret = "env(SUPABASE_AZURE_CLIENT_SECRET)"
redirect_uri = "https://localhost:3000"
- Try to log in
Expected behavior You should be authenticated with Azure AD and the normal login flow continues. When you want to log in to an internal, company-only application, single tenant is necessary for security (i.e. only people with a company email address can authenticate), which is actually one of the main reasons people use Azure AD in the first place rather than other OAuth providers.
Supabase proper already implements the tenant URL.
I've verified that when using the "live" credentials it works as expected.
Desktop:
- OS: Windows 11
- Browser: Chrome (however this issue persists across browsers)
- Version of CLI: 1.77.9
- Version of supabase-js: 2.26.0
- Version of Node.js: 20.2.0
Additional context N/A