Strapi Plugin Microsoft Auth

Description

This plugin provides Microsoft Entra ID (Azure AD) authentication for Strapi v5. It supports both End Users (Public API) and Admin Panel users. It handles the OAuth 2.0 Authorization Code Flow, manages tokens (including refresh tokens), and integrates cleanly with Strapi's ecosystem.

Features

  • Public API Auth: Login with Microsoft for your frontend users.
  • Admin Panel Auth: Login with Microsoft for your Strapi admins.
  • Refresh Token Support: Long-lived sessions via refresh tokens, which require the offline_access scope.
  • Secure: Tokens are encrypted at rest; refresh tokens are verified before use.

Setup

1. Microsoft Azure App Registration

  1. Go to Azure Portal > Microsoft Entra ID > App registrations.
  2. New Registration:
    • Name: Strapi Auth (or similar)
    • Account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) or Single tenant, as your deployment requires.
    • Redirect URI (Web): http://localhost:1337/api/auth/microsoft/callback (adjust the domain for production).
  3. Certificates & secrets:
    • Create a new client secret. Copy the Value (it is shown only once).
  4. API Permissions:
    • Add default permissions: User.Read, openid, profile, email, offline_access.

2. Configuration (config/plugins.ts)

Enable the plugin in your Strapi project:

```ts
export default ({ env }) => ({
  'strapi-plugin-microsoft-auth': {
    enabled: true,
    config: {
      clientId: env('MICROSOFT_CLIENT_ID'),
      clientSecret: env('MICROSOFT_CLIENT_SECRET'),
      tenantId: env('MICROSOFT_TENANT_ID', 'common'),
      redirectUri: env('MICROSOFT_REDIRECT_URI', 'http://localhost:1337/api/auth/microsoft/callback'),
      scopes: ['openid', 'profile', 'email', 'offline_access', 'User.Read'],
    },
  },
});
```

3. Environment Variables (.env)

```
MICROSOFT_CLIENT_ID=your_client_id
MICROSOFT_CLIENT_SECRET=your_client_secret
MICROSOFT_TENANT_ID=common
MICROSOFT_REDIRECT_URI=http://localhost:1337/api/auth/microsoft/callback
```

Usage

Public API (Frontend)

  • Login: Redirect the user to GET /api/auth/microsoft.
  • Callback: After signing in, the user is redirected to your configured redirectUri (note: the Microsoft App Registration must list this exact URI).
  • Refresh: POST /api/auth/microsoft/refresh with body { "refreshToken": "strapi_refresh_token" }.
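The following is an added example, not part of the plugin's own code: it sanity-checks the config object from config/plugins.ts (production redirect URI over https, the offline_access scope the refresh endpoint depends on, a tenantId of `common` that admits any Microsoft account) and builds the Entra ID v2.0 authorize request that the login redirect above corresponds to, with a random `state` value the callback must compare against. The `validateMicrosoftAuthConfig` and `buildAuthorizeUrl` names are assumptions for this example.

```typescript
// Added example, not the plugin's code. Checks the plugin config and builds the
// Microsoft Entra ID v2.0 authorize URL for the Authorization Code Flow.
import { randomBytes } from "crypto";

export interface MicrosoftAuthConfig {
  clientId: string;
  clientSecret: string;
  tenantId: string;
  redirectUri: string;
  scopes: string[];
}

// Returns a list of findings; an empty list means the config passed every check.
export function validateMicrosoftAuthConfig(cfg: MicrosoftAuthConfig, nodeEnv: string): string[] {
  const findings: string[] = [];
  if (!cfg.clientId) findings.push("clientId is empty (MICROSOFT_CLIENT_ID not set)");
  if (!cfg.clientSecret) findings.push("clientSecret is empty (MICROSOFT_CLIENT_SECRET not set)");
  let redirect: URL | null = null;
  try { redirect = new URL(cfg.redirectUri); } catch { findings.push("redirectUri is not a valid URL"); }
  if (redirect && nodeEnv === "production" && redirect.protocol !== "https:") {
    findings.push("redirectUri must use https in production (the localhost default is for development)");
  }
  if (redirect && redirect.hash) findings.push("redirectUri must not contain a fragment");
  if (!cfg.scopes.includes("openid")) findings.push("scopes must include openid to receive an ID token");
  if (!cfg.scopes.includes("offline_access")) {
    findings.push("scopes lack offline_access: no refresh token is issued, so /refresh cannot work");
  }
  if (nodeEnv === "production" && cfg.tenantId === "common") {
    findings.push("tenantId 'common' admits any Microsoft account; set your tenant unless multitenant is intended");
  }
  return findings;
}

// Builds the authorize URL with an unguessable state value. The caller must persist
// `state` (for example in a signed cookie) and reject callbacks whose state differs.
export function buildAuthorizeUrl(
  cfg: MicrosoftAuthConfig,
  state: string = randomBytes(16).toString("hex"),
): { url: string; state: string } {
  const base = `https://login.microsoftonline.com/${encodeURIComponent(cfg.tenantId)}/oauth2/v2.0/authorize`;
  const params = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: "code",
    redirect_uri: cfg.redirectUri, // must match the App Registration byte for byte
    response_mode: "query",
    scope: cfg.scopes.join(" "),
    state,
  });
  return { url: `${base}?${params.toString()}`, state };
}
```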

Admin Panel

To enable the "Login with Microsoft" button on the Admin login page, you must customize admin/app.tsx in your Strapi project (in the host application, not in the plugin folder).

Note: Strapi v5 Admin customization may differ slightly; consult the official docs if the bootstrap step behaves differently.

Currently, this plugin exposes a helper endpoint. Since Strapi Admin login page customization is limited to injection zones or replacing the page, most users use the separate SSO feature (Enterprise) or a custom login page.

Workaround for Integration:

  1. Modify your Strapi Admin login page to include a link to: http://localhost:1337/api/auth/microsoft?type=admin

On success, the plugin redirects to /admin/auth/login-success?jwt=ADMIN_JWT.

Security Notes

  • Microsoft refresh tokens are encrypted at rest in the database using AES-256.
  • The offline_access scope is required for long-lived sessions: without it, Microsoft issues no refresh token.
