OpenID Connect with Azure Entra ID #1876

dauphinpasdroit · 2025-01-24T14:19:21Z

dauphinpasdroit
Jan 24, 2025

Hello,

I'm trying to deploy SFTPGo, behind Nginx Proxy Manager as a reverse proxy using docker compose file.

Here is the docker compose file:

services:
  sftpgo:
    image: "drakkan/sftpgo:v2.6"
    restart: unless-stopped
    expose:
      - "8080"
      - "5007"
    environment:
      SFTPGO_WEBDAVD__BINDINGS__0__PORT: 5007
      SFTPGO_DATA__PROVIDER__DRIVER: "mysql"
      SFTPGO_DATA__PROVIDER__NAME: "sftpgo"
      SFTPGO_DATA__PROVIDER__HOST: "mysql"
      SFTPGO_DATA__PROVIDER__PORT: 3306
      SFTPGO_DATA__PROVIDER__USERNAME: "${SQL_USERNAME}"
      SFTPGO_DATA__PROVIDER__PASSWORD: "${SQL_PASSWORD}"
      SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID: "${client_id}"
      SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET: "${client_secret}"
      SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL: "https://login.microsoftonline.com/{{ tenant_id }}/.well-known/openid-configuration"
      SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL: "https://sfptgo.mydomain.app"
      SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD: "preferred_username"
    volumes:
      - ./:/srv/sftpgo
  mysql:
    image: mysql:latest
    restart: always
    environment:
      MYSQL_DATABASE: "sftpgo"
      MYSQL_USER: "${SQL_USERNAME}"
      MYSQL_PASSWORD: "${SQL_PASSWORD}"
      MYSQL_ROOT_PASSWORD: "${SQL_ROOT_PASSWORD}"
    volumes:
      - ./database:/var/lib/mysql

  npm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

The fact is that I can't start the container as I always get the error:

{"level":"error","time":"2025-01-24T14:16:41.318","sender":"service","message":"could not start HTTP server: oidc: unable to initialize provider for URL \"https://login.microsoftonline.com/{{ tenant_id }}/.well-known/openid-configuration\": 404 Not Found: "}

I can't understand why, as, if I curl the address myself, I don't received a 404, I receive a 200.

Thank you for your help

Answered by stich86

Feb 1, 2025

I've configured today my SFTPGo instance to use Entra ID authentication, i've to use sts.windows.net instead of login.microsoft.com, because it gives me error.

{"level":"error","time":"2025-02-01T14:50:17.414","sender":"service","message":"could not start HTTP server: oidc: unable to initialize provider for URL \"https://login.microsoftonline.com/XXXXX.onmicrosoft.com/\": oidc: issuer did not match the issuer returned by provider, expected \"https://login.microsoftonline.com/XXXXX.onmicrosoft.com/\" got \"https://sts.windows.net/TENANT_UID/\""}

Here is my configuration, still working on how to make sftpgo_role passed into token request:

SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID="YOUR_AP…

View full answer

stich86 · 2025-02-01T15:11:51Z

stich86
Feb 1, 2025

I've configured today my SFTPGo instance to use Entra ID authentication, i've to use sts.windows.net instead of login.microsoft.com, because it gives me error.

{"level":"error","time":"2025-02-01T14:50:17.414","sender":"service","message":"could not start HTTP server: oidc: unable to initialize provider for URL \"https://login.microsoftonline.com/XXXXX.onmicrosoft.com/\": oidc: issuer did not match the issuer returned by provider, expected \"https://login.microsoftonline.com/XXXXX.onmicrosoft.com/\" got \"https://sts.windows.net/TENANT_UID/\""}

Here is my configuration, still working on how to make sftpgo_role passed into token request:

SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID="YOUR_APP_ID"
SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET="YOUR_APP_SECRET"
SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL="https://sts.windows.net/TENANT-UID/"
SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL="https://YOUR_APP:8080/"
SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD="email"
SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD="sftpgo_role"

2 replies

dauphinpasdroit Feb 3, 2025
Author

Hey @stich86,

Thank you for your help, it seems to be working for me now :)

Do you run your sftpgo stack using docker ?

stich86 Feb 3, 2025

Currently not, my SFTPGo isn’t public, just used internally to serve some files to my user, but I don’t want to manage credentials separately 😊

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenID Connect with Azure Entra ID #1876

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

OpenID Connect with Azure Entra ID #1876

dauphinpasdroit Jan 24, 2025

Replies: 1 comment · 2 replies

stich86 Feb 1, 2025

dauphinpasdroit Feb 3, 2025 Author

stich86 Feb 3, 2025

dauphinpasdroit
Jan 24, 2025

Replies: 1 comment 2 replies

stich86
Feb 1, 2025

dauphinpasdroit Feb 3, 2025
Author