Instructions to config access token in Azure (#906) (#971)

Cherry-picked from #906
neo4j · Aug 15, 2023 · dcfcc82 · dcfcc82
1 parent fd7c3ca
commit dcfcc82
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 3 deletions.
diff --git a/modules/ROOT/images/sso-configuration-tutorials/azure-id.svg b/modules/ROOT/images/sso-configuration-tutorials/azure-id.svg
diff --git a/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc b/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc
@@ -128,9 +128,60 @@ image::sso-configuration-tutorials/okta-sign-on-tab.svg[title="Okta's sign-on ta
 
 == Azure Active Directory (AAD)
 
+=== Access token
+
+This example shows how to configure AAD for authentication and authorization using an access token.
+
+. Set parameters to be `access_token`:
++
+[source, properties]
+----
+dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token
+----
+
+. Add the following parameter:
++
+[source, properties]
+----
+dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token
+----
++
+[NOTE]
+====
+The GUID is the directory (tenant) ID.
+You can find it on the app registration page:
+
+image::sso-configuration-tutorials/azure-id.svg[]
+====
+
+. Include the issuer:
++
+[source, properties]
+----
+dbms.security.oidc.azure.issuer=https://sts.windows.net/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/
+----
++
+[NOTE]
+====
+As previously mentioned, the GUID here is also the directory (tenant) ID.
+Make sure you add the trailing slash (`/`) at the end or this operation might fail.
+====
+
+. Go to the "Expose an API" tab and click "Add a Scope" to include the following statement:
++
+[source, properties]
+----
+dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token
+----
+
+. Add the value in the scope column to the scopes in the configuration.
+Note that the audience parameter for access tokens are typically set with` api://` at the front.
+
+=== ID token
+
 This example shows how to configure AAD for authentication and authorization using ID tokens.
 
-=== Register the application
+==== Register the application
 
 . Log in to the https://portal.azure.com/#home[Azure portal].
 . Navigate to *Azure Active Directory > Overview*.
@@ -141,7 +192,7 @@ The redirect URI `http://localhost:7474/browser/?idp_id=azure&auth_flow_step=red
 . Click *Register*.
 
 
-=== Configure Neo4j
+==== Configure Neo4j
 . After the successful app creation, on the app's *Overview* page, find the Application (client) ID value. Use it to configure the following properties in the _neo4j.conf_ file.
 +
 [source, properties]
@@ -183,7 +234,7 @@ For details, see https://learn.microsoft.com/en-us/azure/active-directory/develo
 dbms.security.oidc.azure.claims.username=sub
 ----
 
-=== Map Azure groups to Neo4j roles
+==== Map Azure groups to Neo4j roles
 
 Decide whether you want to use Azure AD Groups directly or Azure App Roles.