# Implement third-party authentication

## Authentication using Auth0

This guide describes how to set up user authentication with the third-party authentication service provider Auth0. Be aware that it only shows how to connect Appfarm to Auth0; you need to set up an authentication provider in Auth0 yourself.

### Step 1

Go to <https://auth0.com/> and create an account. Sign into Auth0.

### Step 2

Go to *Applications -> Applications* and click the *Create Application* button. Give the application an appropriate name, select the option *Regular Web Applications* and click *Create*.

When the application is created, make sure to copy the values of *Domain*, *Client ID* and *Client Secret* to your notepad, as we will need these later. Scroll down to *Allowed Callback URLs* and type in `https://accounts.appfarm.io/v1/callback`.

Click *Save Changes*.

### Step 3

In Appfarm Create, go to *Secrets* and add a new secret. Give it a name, and paste the Client Secret you copied to your notepad into the Value input field. The Secret Type should be String.

### Step 4

Go to *Login Configs -> Custom Auth Providers* and click the plus button to add a new Auth provider. Set the following options:

* **Name:** Give the auth provider an appropriate name. E.g. "Auth0".
* **Provider:** Set this to *Auth0.*
* **Client ID:** Paste the Client ID you copied to your notepad.
* **Client Secret:** Select the secret you created for the Client Secret.
* **Tenant ID:** Paste the Domain you copied to your notepad.

### Step 5

Go to *Login Configs -> Login Config*, and under *Custom Auth* add a new Auth Provider. Give it an appropriate name, and set the *Provider* to the Auth provider you created on Step 4.

### Testing

Google login should be enabled by default in Auth0, so you can test the authentication using your Google account.

***

## Authentication using Idura (Criipto)

This guide describes how to set up user authentication with the third-party authentication service provider Idura (formerly Criipto). Authentication with BankID is used as an example, but a similar setup can be used for the other authentication services Idura offers. Please note that Idura is fully independent of Appfarm and has its own pricing for its services.

### Step 1

Go to [https://idura.eu](https://idura.eu/) and create an account. Log in.

### Step 2

Once inside, go to *Applications* and create a new application. Fill in/select the following options:

* **Name:** Give the application an appropriate name
* **Callback URLs:** Type `https://accounts.appfarm.io/v1/callback`
* **Select e-IDs:** Select the provider you want, e.g. "NO BankID"
* **OpenID Connect:** *Enable OAuth2 Code Flow*, and set *User info response strategy* to plainJson

Make sure to copy the value of *Client ID/Realm* and *Available on domain* to your notepad, as we will need these later.

Click the *Save* button. A dialog box will pop up with your *client secret*. Make sure to copy the secret to your clipboard, as this value will only be shown once (it can only be re-generated). You should also

### Step 3

In Appfarm Create, go to *Secrets* and add a new secret. Give it a name, and paste the Client Secret into the Value input field. The Secret Type should be String.

### Step 4

Go to *Login Configs -> Custom Auth Providers* and click the plus button to add a new Auth provider. Set the following options:

* **Name:** Give the auth provider an appropriate name. E.g. "Idura BankID".
* **Provider:** Set this to *Custom.*
* **Client ID:** Paste the Client ID/Realm you copied to your notepad.
* **Client Secret:** Select the secret you created for the Client Secret.
* **OpenID Discovery Endpoint:** Paste the .well-known link of the connection you want. The syntax looks like this: `https://yourdomain.idura.broker/BASE64(acr_values)/.well-known/openid-configuration`. The link has two variables:
  * Domain name (yourdomain.criipto.id), which points to your Idura/Criipto application. It should be the *Available on domain* value you copied to your notepad.
  * acr\_values (BASE64(acr\_values)), which defines which login you'd like to set up. It should be a BASE64-encoded string based on the acr\_values [required by Idura for each login](https://docs.idura.app/authentication/auth0#register). For BankID, the string is *dXJuOmdybjphdXRobjpubzpiYW5raWQ=*.
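As an added example (not code from Idura/Criipto or Appfarm), the Python below assembles the discovery URL from the two variables just described and, in the other direction, decodes a pasted URL back to its acr\_values so you can confirm which login it selects before saving the provider. The hostname `example.idura.broker` and the function names are assumptions for illustration; the BASE64 string is the one given above, and it decodes to `urn:grn:authn:no:bankid`.

```python
import base64
import re
from urllib.parse import urlparse

# Added example, not code from Idura/Criipto or Appfarm. Assembles and checks the
# OpenID discovery URL https://<domain>/<BASE64(acr_values)>/.well-known/openid-configuration.
# The hostname below is a constructed placeholder, not a real tenant.
SAMPLE_DOMAIN = "example.idura.broker"

# The guide's BASE64 string for NO BankID decodes to this acr_values value.
ACR_NO_BANKID = "urn:grn:authn:no:bankid"

WELL_KNOWN = (".well-known", "openid-configuration")


def encode_acr_values(acr_values: str) -> str:
    """Standard base64 (with '=' padding), matching the form used in the guide."""
    return base64.b64encode(acr_values.encode("utf-8")).decode("ascii")


def decode_acr_values(segment: str) -> str:
    """Reverse of encode_acr_values; validate=True rejects stray characters."""
    return base64.b64decode(segment, validate=True).decode("utf-8")


def build_discovery_url(domain: str, acr_values: str) -> str:
    """Build the discovery URL for one login (one acr_values) on one Idura domain."""
    domain = domain.strip().lower()
    # Only a bare hostname is accepted: pasting the full 'https://...' link or a
    # path here would otherwise produce a broken endpoint without any error.
    if not re.fullmatch(r"[a-z0-9.-]+", domain):
        raise ValueError(f"expected a bare hostname, got {domain!r}")
    return f"https://{domain}/{encode_acr_values(acr_values)}/{WELL_KNOWN[0]}/{WELL_KNOWN[1]}"


def check_discovery_url(url: str, expected_domain: str) -> str:
    """Confirm a pasted URL has the right scheme, host and path shape, and return the
    acr_values it selects so the login type can be verified by eye."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("discovery endpoint must use https")
    if parsed.hostname != expected_domain.strip().lower():
        raise ValueError(f"host {parsed.hostname!r} is not the expected domain")
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or tuple(parts[1:]) != WELL_KNOWN:
        raise ValueError("path must be /<BASE64(acr_values)>/.well-known/openid-configuration")
    return decode_acr_values(parts[0])


if __name__ == "__main__":
    url = build_discovery_url(SAMPLE_DOMAIN, ACR_NO_BANKID)
    print(url)
    print("selects login:", check_discovery_url(url, SAMPLE_DOMAIN))
```

Run it with your own *Available on domain* value in place of the sample hostname; `check_discovery_url` is the useful half when a colleague hands you a ready-made link and you want to be sure it points at the BankID login rather than another e-ID.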

### Step 5

Go to *Login Configs -> Login Config*, and under *Custom Auth* add a new Auth Provider. Give it an appropriate name, and set the *Provider* to the Auth provider you created on Step 4.

### Testing

To test the login, you can create a test user by following [this article from Idura](https://docs.idura.app/verify/guides/test-users/).

***

## Authentication using Microsoft Entra ID (Azure AD)

Follow these steps to configure user authentication with Microsoft Entra ID (Azure AD).

### Step 1

Sign in to the Microsoft Azure [portal](https://portal.azure.com/) using an account with administrator permissions.

### Step 2

Register an application.

* Go to **Microsoft Entra ID**.
* Click **Add** -> **App registration**.
* In the **Name** field, enter a display name, for example `appfarm-auth`.
* Under **Redirect URI**, select **Web** and enter the URI `https://accounts.appfarm.io/v1/callback`.
* Click **Register**.

### Step 3

Generate and record credentials.

* Go to **Certificates & secrets**.
* Click **New client secret**.
* Enter the required details and click **Add**.
* Note down the generated client secret **Value**. This secret is required later in this process.
* Go to **Overview**.
* Note down the **Application (client) ID** and **Directory (tenant) ID** values.

### Step 4

So that Appfarm has enough information to create the user’s account, you must configure Microsoft Entra ID to provide at least one optional claim – the user's email address. You may also wish to add more.

* Go to **Token configuration**.
* Click **Add optional claim**.
* Under **Token type,** select **ID**.
* In the list that appears, select **email**. This claim is required for the authentication to function.\
  We also recommend adding **family\_name** and **given\_name** to complete the [Appfarm User object](https://docs.appfarm.io/reference/security/users).
* Click **Add**.
* A dialog will appear. Select **Turn on the Microsoft Graph email, profile permission**, and click **Add**.

<figure><img src="https://29237295-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MiLU-xcHu0eLZiTxcmZ%2Fuploads%2FicEaYMXQv7gtWPswzqQh%2FAzure%20AD%20-%20Adding%20Optional%20Claims.png?alt=media&#x26;token=a6e395de-b6e2-447e-ae61-4dc6552ec857" alt=""><figcaption><p>Screenshot from the Microsoft Azure portal showing the recommended optional claims added.</p></figcaption></figure>

### Step 5

Now, you can start configuring the authentication in Appfarm Create. First, add the client secret as a [secret](https://docs.appfarm.io/reference/security/secrets).

* In [Appfarm Create](https://create.appfarm.io), go to **Secrets**.
* Click **Create Secret**.
* In the **Name** field, enter a name for the client secret, for example `Microsoft Entra ID Client Secret`.
* In the **Value** field, enter the client secret you noted down in Step 3.
* Click **Create**.

### Step 6

Add a new [custom auth provider](https://docs.appfarm.io/reference/configuration/login/custom-auth-providers).

* Go to **Login** -> **Custom Auth Providers**.
* Click the **+** button to add a new provider.
* In the **Name** field, enter a name for the auth provider, for example `Microsoft Entra ID`.
* In the **Provider** field, select **Microsoft Entra ID (Azure AD)**.
* In the **Client ID** field, enter the Application (client) ID you noted down in Step 3.
* In the **Client Secret** field, select the secret you created in Step 5.
* In the **Tenant ID** field, enter the Directory (tenant) ID you noted down in Step 3.

The above configuration will allow users with an existing Appfarm user to log in using Microsoft Entra ID. If you also want new users without an existing Appfarm user to be able to log in, you need to configure that under **Appfarm Account Options**.

* Select the **Auto Create Account** checkbox.
* In the **Initial Roles** list, select the [role(s)](https://docs.appfarm.io/reference/security/roles) the user should be assigned on creation.

### Step 7

Add the custom auth provider to your [login](https://docs.appfarm.io/reference/configuration/login) configuration.

* Go to **Login** -> **Login Config**.
* Select the login configuration you want to add the custom auth provider to.
* Under **Custom Auth**, click the **+** button to add a new provider.
* In the **Name** field, enter a name for the auth provider, for example `Microsoft Entra ID`.
* In the **Provider** field, select the provider you created in Step 6.

Users should now be able to log in to the [Appfarm client](https://docs.appfarm.io/reference/appfarm-client) using their Microsoft Entra ID credentials.


***

## Authentication using Azure Active Directory B2C

Follow these steps to configure user authentication with Azure Active Directory B2C.

### Step 1

Sign in to the Azure portal using an account with administrator permission.

### Step 2

Register an application.

* Go to Azure AD B2C.
* Under Manage, click App registrations.
* Click New registration.
* In the Name field, enter a display name, for example `appfarm-b2c-auth`.
* Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).
* Under Redirect URI (optional), select Web and enter the URI `https://accounts.appfarm.io/v1/callback`.
* Under Permissions, ensure Grant admin consent to openid and offline\_access permissions is checked.
* Click Register.

### Step 3

Generate and record credentials.

* Go to Certificates & secrets.
* Click New client secret.
* Enter a Description (e.g., `Appfarm Client Secret`) and select an Expires duration.
* Click Add.
* Note down the generated client secret Value immediately. This secret is displayed only once and is required later in this process.
* Go to Overview.
* Note down the Application (client) ID and Directory (tenant) ID values.

### Step 4

Configure API permissions.

* Go to API permissions.
* Click Add a permission.
* Under Microsoft APIs, select Microsoft Graph.
* Select Delegated permissions.
* Under User, select `User.Read` (if not already selected by default).
* Under OpenId permissions, ensure `openid` and `offline_access` are selected (these are usually selected by default during app registration for B2C).
* Now, you need to add the `api.read` permission. Since `api.read` is typically a custom scope defined within your B2C tenant, you'll need to locate it.
  * Click Add a permission again.
  * Click on My APIs (or APIs my organization uses), and then select your B2C Application (the one you just registered).
  * Under Permissions, select the `api.read` scope. (If `api.read` isn't listed, it means it hasn't been exposed by an API within your B2C tenant, which would need to be set up separately).
  * Click Add permissions.
* Click Grant admin consent for \[Your B2C Tenant Name] and then click Yes in the confirmation dialog.

### Step 5

So that Appfarm has enough information to create the user’s account, you must configure Azure AD B2C to provide at least one optional claim – the user's email address. You may also wish to add more.

* Go to Token configuration. (Note: For Azure B2C, optional claims are typically configured within User flows, not directly on the app registration. However, you can add some basic claims here that might be exposed. If you need more complex claims, you'll configure them in your User Flows.)
* Click Add optional claim.
* Under Token type, select ID.
* In the list that appears, select `email`. This claim is required for the authentication to function. We also recommend adding `family_name` and `given_name` to complete the Appfarm User object.
* Click Add.
* A dialog will appear. Select Turn on the Microsoft Graph email, profile permission, and click Add.
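The claim requirement is the same here as in Step 4 of the Microsoft Entra ID guide above. As an added example, not Appfarm or Microsoft code, the Python below decodes the payload of an ID token obtained from a test login and reports whether `email`, `given_name` and `family_name` are present and whether `aud` matches the Application (client) ID you registered. The client ID value and the sample payloads are constructed placeholders. It only inspects the token and does not verify its signature; it is a configuration check, not an authentication step.

```python
import base64
import json

# Added example, not Appfarm or Microsoft code. Decodes the payload of an ID token
# and reports which of the claims the guide asks for are missing. It inspects only:
# signature verification is the relying party's job during login, so never treat
# this output as proof of who issued the token.

REQUIRED_CLAIMS = ("email",)                        # needed to create the Appfarm user
RECOMMENDED_CLAIMS = ("given_name", "family_name")  # complete the Appfarm User object

# Constructed placeholder standing in for the Application (client) ID from Step 3.
EXPECTED_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(claims: dict, expected_client_id: str) -> dict:
    """List missing required/recommended claims and whether 'aud' matches our client ID.
    In OpenID Connect the ID token's 'aud' is the client_id the token was issued to,
    so a mismatch usually means a different app registration is wired in."""
    present = set(claims)
    return {
        "missing_required": [c for c in REQUIRED_CLAIMS if c not in present],
        "missing_recommended": [c for c in RECOMMENDED_CLAIMS if c not in present],
        "audience_ok": claims.get("aud") == expected_client_id,
    }


def make_sample_token(payload: dict) -> str:
    """Constructed sample for offline testing only: the signature segment is a placeholder,
    so this token would never pass verification. It exists to exercise the parser."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder-signature"


# Constructed sample payloads, trimmed to the fields relevant here.
SAMPLE_COMPLETE = {
    "aud": EXPECTED_CLIENT_ID,
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}
SAMPLE_NO_EMAIL = {"aud": EXPECTED_CLIENT_ID, "given_name": "Jane"}  # email claim not configured


if __name__ == "__main__":
    for name, payload in (("complete", SAMPLE_COMPLETE), ("no email", SAMPLE_NO_EMAIL)):
        report = check_id_token_claims(jwt_payload(make_sample_token(payload)), EXPECTED_CLIENT_ID)
        print(f"{name}: {report}")
```

Feed `jwt_payload` a real ID token from a test login and pass your own client ID to `check_id_token_claims`; an `email` entry under `missing_required` means the optional claim was not added (or the Graph `email` permission was not turned on), and `audience_ok: False` means the token came from a different app registration than the one you entered in Appfarm.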

### Step 6

In Appfarm Create: Go to *Login Configs -> Custom Auth Providers* and click the plus button to add a new Auth provider. Set the following options:

* **Name:** Give the auth provider an appropriate name. E.g. "Azure AD B2C".
* **Provider:** Set this to *Custom.*
* **Client ID:** Paste the Client ID you copied to your notepad.
* **Client Secret:** Select the secret you created for the Client Secret.
* **OpenID Discovery Endpoint:** Paste the OpenID Connect metadata endpoint for your B2C tenant. You can find it in your B2C tenant in the Azure portal; it looks like this: `https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration`
* **Scope:** Add `https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/api.read`

### Step 7

Go to *Login Configs -> Login Config*, and under *Custom Auth* add a new Auth Provider. Give it an appropriate name, and set the *Provider* to the Auth provider you created in the previous step.

{% hint style="info" %}
Note that this is sufficient for login. If you want to store the access\_token, the id\_token (the JWT of the "user" object) or optional claims of the id\_token (i.e. other claims added in Step 5), you can create Secrets in Appfarm of type OAuth2 value. You can use these secrets in subsequent web requests to Azure to retrieve data based on the user's access token, or properties of the user object. Read more [here](https://docs.appfarm.io/reference/security/secrets#properties).
{% endhint %}
