Configure OpenID Connect with Universal.
OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. It is supported by many vendors and provides the ability to authenticate against systems like AzureAD.
This document will outline the steps necessary to configure AzureAD OpenID Connect and use it with Universal.
Within the Azure Portal, navigate to your Azure Active Directory blade. Next, click the App registrations node and then click New registration.
In the New registration page, enter the name of your application and the reply URL. The URL can be configured in the
appsettings.jsonfor Universal but the default value is shown below.
Next, you'll need to configure a client secret. You can click the Certificates & secrets menu and then click New client secret. This secret will need to go into the
Now, you will need to take note of your Application (client) ID GUID. This will be used in the
Finally, you will have to click the Endpoints button to open the Endpoints drawer. This contains a list of the endpoints. Make note of the OAuth 2.0 authorization endpoint URL. You will need this for the
appsettings.json. Note that you will not input the entire endpoint URL. You will need to include the portion of the URL through the GUID but without the path after oauth2 in the Authority setting below (e.g. https://login.microsoftonline.com/fffffff-4b76-4470-a736-8481d7a2ed87).
Now that we have completed the configuration of an AzureAD App Registration, we can update the
appsettings.jsonfile with the appropriate settings. For my application, it would look something like this.
Due to changes in the Chromium browser, you may need to disable the
Cookies without SameSite must be securesetting to test OpenID Connect when running on localhost without HTTPS.
chrome://flagsand search for the setting to set it to disabled.
You can use access tokens generated by an OIDC login for other services the user may have access to. Within your OIDC provider, like Azure AD, you can grant additional permissions to the token.
You will also have to enable access tokens within the authentication flow so that the token provides the necessary resource access.
Finally, within your PSU
appsettings.jsonfile, you will need to ensure that
SaveTokensis enabled, the resource type includes token and the resource you wish to access is included in the Resource setting. The URL that you specify in the resource should be listed in within the provider.
The below example adds a resource for Microsoft O365.
"ResponseType": "id_token token",
Within your dashboard, you will now have access to an
$IdTokenvariable that you can use with cmdlets that require authorization.
For example, the
Connect-AzureAdcmdlet accepts an access token.