This guide explains how to configure Microsoft OAuth authentication for the DataSpace application.
Prerequisites:
- A Microsoft Azure Active Directory (Azure AD) tenant
- Admin access to create app registrations in Azure AD

Create the app registration:
1. Go to the Azure Portal.
2. Navigate to Azure Active Directory > App registrations.
3. Click New registration.
4. Fill in the following details:
   - Name: DataSpace Application (or your preferred name)
   - Supported account types: choose based on your needs:
     - "Accounts in this organizational directory only" (single tenant)
     - "Accounts in any organizational directory" (multi-tenant)
     - "Accounts in any organizational directory and personal Microsoft accounts" (multi-tenant + personal)
   - Redirect URI:
     - Platform: Web
     - URI: https://your-domain.com/api/auth/microsoft-callback
5. Click Register.

Configure authentication:
1. In your app registration, go to Authentication.
2. Add additional redirect URIs if needed for different environments.
3. Under Implicit grant and hybrid flows, enable:
   - Access tokens
   - ID tokens
4. Click Save.

Configure API permissions:
1. Go to API permissions.
2. Click Add a permission.
3. Select Microsoft Graph.
4. Choose Delegated permissions.
5. Add the following permissions:
   - openid (Sign users in)
   - profile (View users' basic profile)
   - email (View users' email address)
6. Click Add permissions.
7. Click Grant admin consent (if you have admin rights).

Create a client secret:
1. Go to Certificates & secrets.
2. Click New client secret.
3. Add a description (e.g., "DataSpace App Secret").
4. Choose an expiration period (24 months is recommended).
5. Click Add.

Important: Copy the secret value immediately after creating it. It won't be shown again.

Configure the application:
Add the following environment variables to your application:

MICROSOFT_CLIENT_ID=your-client-id-here
MICROSOFT_CLIENT_SECRET=your-client-secret-here
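The server-side half of the sign-in that the registration above enables, as an added example that is not DataSpace's own code: it builds the authorization request, checks the callback that arrives at the registered redirect URI, and prepares the code-for-token exchange against the Microsoft identity platform v2.0 endpoints. It reads the two environment variables the guide defines and assumes a hypothetical MICROSOFT_TENANT setting (single-tenant apps use their directory ID; "any organizational directory" uses "organizations"; the option that also allows personal accounts uses "common"). The login URL, redirect URI and callback query shown are constructed sample values. Only the final token POST needs network access; everything before it runs offline.

```python
"""Authorization-code flow with PKCE for the app registered in this guide.

Example added to the guide, not DataSpace's own code. Assumes the guide's
MICROSOFT_CLIENT_ID / MICROSOFT_CLIENT_SECRET variables plus a hypothetical
MICROSOFT_TENANT setting.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import urllib.parse
import urllib.request

# Tenant segment of the login URL; match it to the "Supported account types"
# choice made at registration. MICROSOFT_TENANT is a hypothetical setting.
TENANT = os.environ.get("MICROSOFT_TENANT", "common")
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
REDIRECT_URI = "https://your-domain.com/api/auth/microsoft-callback"  # as registered
SCOPES = "openid profile email"  # the three delegated Graph permissions granted above


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, state, code_challenge):
    """Build the URL the browser is redirected to for sign-in."""
    params = {
        "client_id": client_id,
        "response_type": "code",        # authorization code, not implicit tokens
        "redirect_uri": REDIRECT_URI,   # must match a registered URI exactly
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,                 # random per login, stored in the session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY + "/authorize?" + urllib.parse.urlencode(params)


def validate_callback(query_string, expected_state):
    """Check the callback query string and return the authorization code.

    Raises ValueError if Microsoft reported an error, if the state does not
    match the value saved in the session (CSRF check), or if no code is present.
    """
    q = urllib.parse.parse_qs(query_string)
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        raise ValueError(f"sign-in failed: {q['error'][0]} {desc}".strip())
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback was not started by this session")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(client_id, client_secret, code, code_verifier):
    """Return (url, form_body) for the server-side code exchange.

    The client secret travels only from the server to the token endpoint; it
    never appears in the browser redirect.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "code_verifier": code_verifier,
    }).encode("ascii")
    return AUTHORITY + "/token", body


def exchange_code(code, code_verifier):
    """POST the code to the token endpoint (network call) and return the JSON reply."""
    url, body = build_token_request(
        os.environ["MICROSOFT_CLIENT_ID"],
        os.environ["MICROSOFT_CLIENT_SECRET"],
        code,
        code_verifier,
    )
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline walk-through: persist verifier and state in the user's session.
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    print(build_authorize_url("your-client-id-here", state, challenge))
    # Constructed callback query, as the browser would deliver it after sign-in.
    code = validate_callback(f"code=constructed-sample-code&state={state}", state)
    url, _ = build_token_request("your-client-id-here", "your-client-secret-here", code, verifier)
    print("would POST the code exchange to", url)
```

The example requests response_type=code and exchanges the code on the server with the client secret and a PKCE verifier, so no access or ID token is ever returned to the browser in a URL fragment; the state check rejects callbacks that the current session did not initiate. The redirect_uri sent in both requests is the exact string registered under Authentication, which is what Azure AD compares against.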
- Azure AD configuration: check Microsoft's Azure AD documentation.
- Security concerns: review Microsoft's OAuth security best practices.