# Custom auth providers Appfarm supports third-party authentication by integrating with authentication providers using OAuth 2.0. Using a custom auth provider allows you to manage users in an external directory such as Microsoft Entra ID (Azure AD). To enable custom auth you must first complete any necessary setup with the provider, and then configure the provider in Appfarm Create. For detailed walkthroughs on how to configure a number of different providers, see [How to configure third-party authentication](https://docs.appfarm.io/how-to/authentication-and-access-control/third-party-authentication). ## **Checklist** Follow these steps to correctly setup and configure a custom auth provider. In your auth provider: * Create a new application. Please refer to your provider's documentation for details. * When creating an OAuth application, it will require at least one callback URL. Use `https://accounts.appfarm.io/v1/callback`. * Make note of the *Client ID* and *Client Secret* provided when you create the OAuth application. In Appfarm Create: * Add a new custom auth provider. * Enter the provided *Client ID* into **Client ID**. * Create a [secret](https://docs.appfarm.io/reference/security/secrets) to store the *Client Secret* and select it from the **Client Secret** list. * Depending on what kind of provider you are using, fill in the **Tenant ID** or **OpenID Discovery Endpoint**. * Add the custom auth provider in a login configuration under [Custom auth](https://docs.appfarm.io/reference/configuration/login/..#custom-auth). ## General settings

Setting	Description
Name	A descriptive reference used only in Appfarm Create.
Provider	The auth provider. The following options are available: Google Microsoft Entra ID (Azure AD) Auth0 Custom
Client ID	The identifier of the application created in your auth provider. Usually this is a unique application used only to authenticate users for this Appfarm solution.
Client Secret	The secret for the application as provided by your auth provider. This value must be stored in Appfarm as a secret.
Tenant ID	Only for Microsoft Entra ID (Azure AD) and Auth0. The unique identifier for your tenant. Appfarm needs this value to fetch the configuration for this auth provider. The format of this value differs depending on your provider. Microsoft Entra ID (Azure AD) The identifier can be found inside the Microsoft Azure portal. The format is typically `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. Auth0 The identifier used in Auth0 is the entire hostname ending with `auth0.com`. For example: `appfarm.eu.auth0.com`.
OpenID Discovery Endpoint	Only for Custom. The URL holding the configuration of your OpenID Connect Server. For example: `https://HOST_NAME/.well-known/openid-configuration` Important: The hostname is used together with Client ID to uniquely identify this provider. If you change the host, users that have already logged in with this provider must log in again to be able to use credentials returned by this provider.
Custom Scope	By default, the following scope will be requested: openid profile email Add any additional scopes as needed. Note that if you need to save additional scopes to the User object (more than the name, email and phone - e.g. a Social Security Number), you may save these by adding user-specific secrets. Add a new Secret, and select Secret Type `OAuth2 value`. You may then use a Service to update e.g. an Employee or Person object with these secret values after login.
Remove Default Scope	Remove `openid`, `profile` and `email` from scope. When selected, only scopes entered in Custom Scope will be used.

## Appfarm account options

Setting	Description
Auto Create Account	Automatically create a user in the solution when a new user authenticates.
Initial Roles	Assign one or more roles when a new user is created.

## Advanced options

Setting	Description
Disable Same Browser Validation	Warning: This option should be used with caution and an understanding of the security implications. For added security Appfarm checks that a callback from a third-party authentication provider is made by the same browser that initiated the login. By selecting this option, that check will be disabled. This might be desirable to improve the authentication user experience. If, for example, the login flow involves a magic link sent to the user's email address, the user may not open the link in the same browser that the login was initiated from. This will normally result in the login attempt failing. By disabling same browser validation, the login attempt in this case would succeed.
Auth Timeout	The amount of time a user can spend authenticating with the provider before returning to Appfarm. Normally the default (15 minutes) will be more than sufficient. In some cases, for example when the authentication involves sending a link to email, this timeout may be too short. The default is 900 seconds (15 minutes), and the maximum is 86400 seconds (24 hours).

Setting

Description

Disable Same Browser Validation

Warning: This option should be used with caution and an understanding of the security implications.

For added security Appfarm checks that a callback from a third-party authentication provider is made by the same browser that initiated the login. By selecting this option, that check will be disabled.

This might be desirable to improve the authentication user experience. If, for example, the login flow involves a magic link sent to the user's email address, the user may not open the link in the same browser that the login was initiated from. This will normally result in the login attempt failing. By disabling same browser validation, the login attempt in this case would succeed.

Auth Timeout

The amount of time a user can spend authenticating with the provider before returning to Appfarm.

Normally the default (15 minutes) will be more than sufficient. In some cases, for example when the authentication involves sending a link to email, this timeout may be too short.

The default is 900 seconds (15 minutes), and the maximum is 86400 seconds (24 hours).