59 changes: 59 additions & 0 deletions site/content/en/latest/tasks/security/oidc.md
Expand Up @@ -541,6 +541,65 @@ Additional connection settings for the OIDC provider can be configured in the [b

For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing][backend-routing] and [Backend TLS: Gateway to Backend][backend-tls] tasks.


## Providers

Guides to integrate with specific OIDC providers.

### Azure Entra

This guide demonstrates how to configure Envoy Gateway to use [Azure Entra](https://entra.microsoft.com/) as the OIDC provider with additional JWT authorization. To get OAuth 2.0 compatible tokens you must register a Scope for your application as described in the [Microsoft Documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent). In this example the resulting scope is `api://custom/EnvoyGateway.OIDC`.

```yaml
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
name: entra-example
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: eg
oidc:
clientID: "${CLIENT_ID}"
clientSecret:
name: "my-app-client-secret"
redirectURL: "https://www.example.com:8443/myapp/oauth2/callback"
logoutPath: "/myapp/logout"

cookieDomain: "example.com"
cookieNames:
accessToken: "azure-access-token"

Member
Nit: can we remove the empty lines in the yaml?

provider:
issuer: "https://login.microsoftonline.com/<AZURE_TENANT_ID>/v2.0"
scopes:
- api://custom/EnvoyGateway.OIDC
authorization:
defaultAction: Deny
rules:
- name: "allow-jwt-claim"
action: Allow
principal:
jwt:
provider: entra
claims:
- name: roles
valueType: "StringArray"
values:
- "administrators"
jwt:
providers:
- name: entra
issuer: "https://login.microsoftonline.com/<AZURE_TENANT_ID>/v2.0"
remoteJWKS:

A bit of a random question as I am trying to set up a similar thing using Zitadel. I assume the IdP should have attached the JWT after the OIDC step, so do we still need to have issuer or remoteJWKS configured, or can we rely only on extractFrom? Thanks.

Contributor Author

You can't just rely on extractFrom, because the OIDC flow and the JWT flow are two separate things. The JWT essentially does not trust the token extracted from the cookie, so you need to reevaluate. However, you don't need to set the issuer property. But I would strongly suggest you do.

uri: https://login.microsoftonline.com/<AZURE_TENANT_ID>/discovery/v2.0/keys
extractFrom:
cookies:
- "azure-access-token"
```

## Clean-Up

Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
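Review bot: the `entra` entry under `jwt.providers` at the end of the hunk pins `issuer` and `remoteJWKS` but sets no `audiences`, so any token signed by this tenant that carries `roles: administrators` passes the `allow-jwt-claim` rule regardless of which application it was issued for; since the guide already has the reader register a scope (`api://custom/EnvoyGateway.OIDC`), add the provider's `audiences` list with that application's identifier so tokens minted for other apps in the same tenant are rejected. The guide text should also state that `extractFrom.cookies` must match `cookieNames.accessToken` ("azure-access-token" in both places), because the JWT provider re-validates the token from that cookie independently of the OIDC flow, as the author's reply in this thread explains.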