Update selfhosted auth docs: Entra ID support and new auth block pattern #925

Closed
mhotan wants to merge 1 commit into peeter/selfhosted-docs from mike/selfhosted-auth-docs

Contributor

@mhotan commented Apr 20, 2026

Summary

  • Replace deprecated globals (OIDC_BASE_URL, OIDC_CLIENT_ID, CLI_CLIENT_ID) with the new adminServer.auth block pattern in authentication.md
  • Add provider-specific tabs (Okta / Entra ID / Generic OIDC) for both authorization server setup and control plane configuration
  • Document Entra ID specifics: scope separation, SP Object ID as sub claim, idtyp optional claim, common AADSTS errors
  • Update authorization.md: type: "Union" now preferred over "UserClouds"
  • Add provider note about sub claim differences for service account permissions

Based on peeter/selfhosted-docs. These changes align the docs with helm-charts PRs #348#354 and cloud PR #15134.

Context

While adding Entra ID support to the selfhosted stack, we consolidated auth config from scattered globals into the adminServer.auth block. The docs needed to reflect this new pattern and cover Entra ID as a first-class IdP alongside Okta.

Test Plan

  • make dev with variant = "selfmanaged" renders correctly
  • Tabs render properly for Okta/Entra ID/Generic sections
  • Internal links resolve
  • YAML examples match actual helm chart configuration

🤖 Generated with Claude Code

cloudflare-workers-and-pages Bot commented Apr 20, 2026

Deploying docs with Cloudflare Pages

Latest commit: ee13bc5
Status: ✅  Deploy successful!
Preview URL: https://bfe7504b.docs-dog.pages.dev
Branch Preview URL: https://mike-selfhosted-auth-docs.docs-dog.pages.dev

@mhotan force-pushed the mike/selfhosted-auth-docs branch 3 times, most recently from a1bd69e to 8ade61d on April 20, 2026 18:55

- Replace deprecated globals (OIDC_BASE_URL, OIDC_CLIENT_ID, CLI_CLIENT_ID)
  with adminServer.auth block configuration
- Add provider-specific tabs: Okta, Entra ID, Generic OIDC
- Document Entra ID specifics: scope separation (/.default vs /all),
  SP Object ID as sub claim, idtyp optional claim, AADSTS errors
- Add subjectClaimNames and identityTypeClaimsForApps configuration
- Update authorization.md: type "Union" is now preferred over "UserClouds"
- Add provider note about sub claim differences in authz service accounts
- Add Entra-specific troubleshooting sections
- Remove TODO comment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ppiegaze
Collaborator

Superseded by #933, which adapts this content to the new flyte/union variant structure (stacked on #932).

@ppiegaze closed this Apr 22, 2026