How To configure Okteto with Azure OpenID Connect?

Just like in the title: if you could provide me with instructions on how to configure the auth: section in the Okteto config file, and a service principal on the Azure side itself. So far, with the configuration below, I got a “Service unavailable” error although all pods are working.

auth:
  openid:
    enabled: true
    clientId: 246d00c0-2b7c-41f5-a943-986480981e9e
    clientSecret: ???
    endpoints:
      issuer: https://login.microsoftonline.com/100b3c99-f3e2-4da0-9c8a-b9d345742c36
      authorization: Sign in to your account

Hey there,

When I was setting this up and getting the auth online, the main issues were the endpoint and endpoint.mapping entries:

    endpoints:
      issuer: https://sts.windows.net/<YOUR_TENANT_ID>/
      authorization: https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/v2.0/authorize
    mapping:
      externalIDKey: email

For a complete config based on one of our sample domains, ‘picoserver.io’:

email: <YOUR_EMAIL_ADDRESS>
subdomain: dev.<YOUR_DNS_ZONE>
cluster:
  endpoint: "https://<YOUR_CLUSTER_ADDRESS>:443"
auth:
  openid:
    enabled: true
    clientId: <YOUR_CLIENT_ID>
    clientSecret: <YOUR_CLIENT_SECRET>
    endpoints:
      issuer: https://sts.windows.net/<YOUR_TENANT_ID>/
      authorization: https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/v2.0/authorize
    mapping:
      externalIDKey: email
cloud:
  provider:
    azure:
      enabled: true
      storage:
        container: "<YOUR_CONTAINER_NAME>"
        accountName: "<YOUR_STORAGE_ACCOUNT_NAME>"
buildkit:
  ingress:
    enabled: false
  service:
    type: LoadBalancer

The tenant Id is labeled “Directory (tenant) ID” and auth.clientId is labeled “Application (client) ID” from the “App registrations” page:

The auth.clientSecret is the “Value” from the “Certificates & secrets” tab of the “App registrations” page:
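As an added check (not part of this thread or of Okteto's own code), the script below compares an auth.openid block like the one above against the provider's OpenID discovery document and against the claims of a decoded ID token, flagging the mismatches that typically produce a generic login failure: an issuer that differs from the token's `iss` (even by a trailing slash), an `aud` that is not the configured clientId, a missing `externalIDKey` claim, or a clientSecret left as a placeholder. The discovery document, token claims, tenant and client values are constructed samples with placeholders, and the token signature is not verified here.

```python
# Added sanity checks (not Okteto's code): compare an Okteto auth.openid block against the
# provider's OpenID discovery document and an ID token's claims; sample data is constructed.
PLACEHOLDERS = ("???", "", None)

def check_openid_config(openid, discovery):
    """Return the problems found; an empty list means the block is consistent."""
    problems = []
    ep = openid.get("endpoints", {})
    # The issuer must match byte for byte, trailing slash included, because the
    # `iss` claim of every ID token is compared against this exact string.
    if ep.get("issuer") != discovery.get("issuer"):
        problems.append(f"issuer mismatch: config={ep.get('issuer')!r} discovery={discovery.get('issuer')!r}")
    if ep.get("authorization") != discovery.get("authorization_endpoint"):
        problems.append("authorization endpoint does not match discovery metadata")
    key = openid.get("mapping", {}).get("externalIDKey")
    if key not in discovery.get("claims_supported", []):
        problems.append(f"externalIDKey {key!r} is not a claim the provider advertises")
    if openid.get("clientSecret") in PLACEHOLDERS:
        problems.append("clientSecret is unset or still a placeholder")
    return problems

def check_id_token_claims(openid, claims):
    """Check the claims Okteto relies on in a decoded ID token payload (signature not verified here)."""
    problems = []
    if claims.get("iss") != openid["endpoints"]["issuer"]:
        problems.append("token iss does not equal the configured issuer")
    aud = claims.get("aud")
    if aud != openid["clientId"] and not (isinstance(aud, list) and openid["clientId"] in aud):
        problems.append("token aud does not contain the configured clientId")
    key = openid.get("mapping", {}).get("externalIDKey", "sub")
    if not claims.get(key):
        problems.append(f"token has no {key!r} claim to map the user identity from")
    return problems

TENANT = "<YOUR_TENANT_ID>"  # placeholder, not a real tenant id
GOOD_OPENID = {
    "enabled": True,
    "clientId": "<YOUR_CLIENT_ID>",          # placeholder
    "clientSecret": "constructed-secret",    # constructed sample value
    "endpoints": {
        "issuer": f"https://sts.windows.net/{TENANT}/",
        "authorization": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    },
    "mapping": {"externalIDKey": "email"},
}
DISCOVERY = {  # constructed, shaped like the provider's openid-configuration response
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "email", "name"],
}
```

Against a live tenant, fetch the discovery document from the issuer's `/.well-known/openid-configuration` path and pass it in place of the constructed DISCOVERY.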

Could you also share the Authentication blade for the App registration? Platform configuration (Web or SPA), redirect URIs, and which tokens to use (access tokens or ID tokens)?

Hey there,

On the Authentication configuration, this was configured with the platform ‘Web’, and there is a single entry under Redirect URIs, set to https://okteto.dev.<YOUR_DNS_ZONE>/auth/callback.
The Front-channel logout URL is empty.
Neither of the Implicit grant and hybrid flows options is checked.