Skip to content

docs: document Azure AD federated identity flow #393

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nijel merged 9 commits into from
Feb 9, 2026
Merged

docs: document Azure AD federated identity flow #393

Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a983104
docs: document Azure AD federated identity flow
mehighlow Feb 3, 2026
ab81d91
Update docs/backends/azuread.rst
mehighlow Feb 4, 2026
31a678a
Update docs/backends/azuread.rst
mehighlow Feb 4, 2026
785de4d
docs: updates "Federated identity credentials"
mehighlow Feb 5, 2026
45e9509
Merge branch 'master' into feature/azuread-fic
mehighlow Feb 5, 2026
8f78ec5
Update docs/backends/azuread.rst
mehighlow Feb 6, 2026
396aa99
docs: clarify azuread FIC precedence
mehighlow Feb 6, 2026
a74ef44
docs: clarify Azure AD federated credential flow and precedence
mehighlow Feb 6, 2026
5cd31ed
Apply suggestion from @nijel
nijel Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions docs/backends/azuread.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,67 @@ To enable OAuth2 support:

SOCIAL_AUTH_AZUREAD_OAUTH2_AUTHORITY_HOST = ''

- Federated identity credentials (client assertions) are supported when you do not want to use a client secret. After
adding a federated credential to your Entra ID app, point the backend at the OIDC token that your workload issues
(for example, Kubernetes service account tokens issued via Azure Workload Identity, or other OIDC tokens where you manage
writing the token to a file). Precedence: if ``SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET`` is set, the backend uses the client
secret and does not send a client assertion; otherwise it prefers an explicit ``SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION``;
if no assertion is provided, it reads a token file from ``AZURE_FEDERATED_TOKEN_FILE`` (or ``OAUTH2_FIC_TOKEN_FILE``) or
``SOCIAL_AUTH_AZUREAD_OAUTH2_FEDERATED_TOKEN_FILE``. The backend will automatically use a client assertion instead of
``CLIENT_SECRET`` when the secret is omitted.

Default path used by Azure Workload Identity on Kubernetes::

AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token

Or configure explicitly via the backend setting::

SOCIAL_AUTH_AZUREAD_OAUTH2_FEDERATED_TOKEN_FILE = '/path/to/oidc/token'

You can also provide a pre-built client assertion JWT (preferred when you already create the assertion yourself)::

SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...'
# Optional: defaults to the standard JWT bearer URN shown here
SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

Minimal configs by approach:

- Token file (workload-issued OIDC token): leave ``SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET`` unset; set either
``AZURE_FEDERATED_TOKEN_FILE`` (or ``OAUTH2_FIC_TOKEN_FILE``) or ``SOCIAL_AUTH_AZUREAD_OAUTH2_FEDERATED_TOKEN_FILE``
to the token path. ``CLIENT_ASSERTION_TYPE`` is not needed for this mode.

- Pre-built client assertion: leave ``SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET`` unset; set
``SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION`` (and optionally ``SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION_TYPE``
if you use a non-standard type). ``FEDERATED_TOKEN_FILE`` is not read in this mode because the explicit assertion wins.

Kubernetes projected service account token volume example::

apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
serviceAccountName: myserviceaccount
containers:
- name: mycontainer
image: myimage
env:
- name: AZURE_FEDERATED_TOKEN_FILE
value: /var/run/secrets/azure/tokens/azure-identity-token
volumeMounts:
- name: azure-identity-token
mountPath: /var/run/secrets/azure/tokens
readOnly: true
volumes:
- name: azure-identity-token
projected:
sources:
- serviceAccountToken:
path: azure-identity-token
audience: api://AzureADTokenExchange
expirationSeconds: 3600

These settings apply to Azure AD/Entra ID scenarios. For more information on workload identity, see `Workload Identity Federation`_ and `Federated identity credentials (Workload Identity)`_.

Tenant Support
--------------
Expand Down Expand Up @@ -132,3 +193,5 @@ The policy should start with `b2c_`. For more information see `Azure AD B2C User
.. _Azure AD Application Registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
.. _Azure AD B2C User flows and custom policies overview: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview
.. _Azure Authority Hosts: https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.azureauthorityhosts?view=azure-python
.. _Workload Identity Federation: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
.. _Federated identity credentials (Workload Identity): https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html