Microsoft Entra ID

Setup guide for using Microsoft Entra ID as the OIDC provider for the FDK server.

App Registration

  1. Navigate to Azure Portal > Microsoft Entra ID > App registrations > New registration.
  2. Name: Choose a name (e.g., fdk-server).
  3. Supported account types: Choose based on your requirements (single tenant or multitenant).
  4. Redirect URI: Set platform to Single-page application (SPA) and URI to https://<your-server-domain>/api/auth/callback.
  5. Note the Application (client) ID and Directory (tenant) ID.

Authentication Settings

  1. Go to Authentication.
  2. Under Implicit grant and hybrid flows, enable ID tokens.
  3. Under Advanced settings, set Allow public client flows to Yes.

API Permissions

Add the following under Microsoft Graph > Delegated permissions:

  • openid – Sign users in
  • profile – View users’ basic profile
  • email – View users’ email address
  • offline_access – Maintain access to data you have given it access to

Token Configuration

  1. Go to Token configuration > Add optional claim.
  2. Token type: ID.
  3. Add: email, preferred_username.

Group Claims

  1. Select Add groups claim.
  2. Choose Security groups.
  3. Emit as: Group ID.

Server Configuration

AUTH__ISSUER=https://login.microsoftonline.com/<tenant-id>/v2.0
AUTH__CLIENT_ID=<application-client-id>

The issuer URL must include /v2.0 to use the v2.0 OIDC endpoint. The server discovers all endpoints from .well-known/openid-configuration automatically.
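As an added example (not code from the FDK project or this guide), the following Python check ties the settings above together: it rejects an AUTH__ISSUER that lacks /v2.0, derives the discovery URL, and verifies that an ID token's iss, aud and exp match the server configuration, that the optional email and preferred_username claims are present, and that groups were emitted as Group IDs. The tenant ID, client ID and token are constructed sample values, and the group-overage markers (hasgroups, _claim_names) are Entra behaviour the guide does not cover.

```python
import base64
import json
import re
# Shape of AUTH__ISSUER from the guide: the v2.0 issuer of one tenant (the tenant ID is a GUID).
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0$", re.IGNORECASE)
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
OPTIONAL_ID_CLAIMS = ("email", "preferred_username")  # the optional ID-token claims added above

def discovery_url(issuer):
    """Reject a v1.0-style issuer at startup, before the server discovers the wrong endpoints."""
    if not ISSUER_RE.match(issuer):
        raise ValueError("AUTH__ISSUER must be https://login.microsoftonline.com/<tenant-id>/v2.0")
    return issuer + "/.well-known/openid-configuration"

def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_id_token_claims(id_token, issuer, client_id, now):
    """Return problems in the ID token's claims (empty list = OK); `now` is the current Unix time.
    Assumes the JWT signature was already verified against the JWKS from the discovery document."""
    claims = _b64url_json(id_token.split(".")[1])
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match AUTH__ISSUER")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud does not contain AUTH__CLIENT_ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    for name in OPTIONAL_ID_CLAIMS:
        if name not in claims:
            problems.append(f"missing claim {name}; add it under Token configuration")
    groups = claims.get("groups")
    if "hasgroups" in claims or "_claim_names" in claims:
        # Entra replaces the group list with these markers when a user is in too many groups.
        problems.append("groups overage: list not in token, resolve groups via Microsoft Graph")
    elif groups is not None and not (isinstance(groups, list) and all(isinstance(g, str) and GUID_RE.match(g) for g in groups)):
        problems.append("groups must be a list of Group IDs (GUIDs); check 'Emit as: Group ID'")
    return problems

# Constructed sample values (not a real tenant or app) so the check can be exercised offline.
SAMPLE_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0"
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"

def sample_id_token(**overrides):
    """Build a constructed, unsigned ID token; the signature segment is a placeholder."""
    claims = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "exp": 1_700_000_600,
              "email": "user@example.com", "preferred_username": "user@example.com",
              "groups": ["22222222-2222-2222-2222-222222222222"], **overrides}
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```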