AshAuthentication.Strategy.Microsoft (ash_authentication v5.0.0-rc.1)


Strategy for authenticating using Microsoft

This strategy builds on top of AshAuthentication.Strategy.Oidc and assent.

It uses Microsoft's OpenID Connect discovery endpoint to automatically retrieve token, authorization, and user info URLs. User identity claims (email, name, etc.) are extracted from the ID token returned during the authorization code flow.

In order to use Microsoft you need to provide the following minimum configuration:

  • client_id
  • redirect_uri
  • client_secret

By default the strategy uses the common tenant endpoint, which allows any Microsoft account (personal, work, or school). Multi-tenant issuer validation is handled automatically — the {tenantid} template in Microsoft's discovery document is resolved from the ID token's tid claim before validation.

To restrict sign-in to a specific Azure tenant, override base_url:

base_url "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0"
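The following is an added example, not code from ash_authentication or assent. It shows why resolving the {tenantid} template from the token's own tid claim only proves that iss and tid agree, so restricting tenants needs either the base_url override above or an explicit allow-list. The module name, function names and tenant GUIDs are hypothetical, and the claims are assumed to come from an ID token whose signature has already been verified.

```elixir
# Added illustration; not ash_authentication or assent code.
defmodule TenantIssuerCheck do
  # Issuer value published in the discovery document of the common endpoint.
  @issuer_template "https://login.microsoftonline.com/{tenantid}/v2.0"

  # Validate already-verified ID token claims. `allowed` is :any or a list of
  # lowercase tenant GUIDs permitted to sign in.
  def validate(claims, allowed \\ :any)

  def validate(%{"iss" => iss, "tid" => tid}, allowed)
      when is_binary(iss) and is_binary(tid) do
    # Resolve the template from the token's tid claim before comparing.
    expected = String.replace(@issuer_template, "{tenantid}", tid)

    cond do
      not guid?(tid) -> {:error, :malformed_tid}
      expected != iss -> {:error, :issuer_mismatch}
      allowed != :any and String.downcase(tid) not in allowed -> {:error, :tenant_not_allowed}
      true -> {:ok, tid}
    end
  end

  def validate(_claims, _allowed), do: {:error, :missing_claims}

  # tid must be a GUID, so it cannot carry extra path or host characters
  # into the resolved issuer.
  defp guid?(tid) do
    Regex.match?(~r/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i, tid)
  end
end

# Constructed sample claims (tenant GUIDs are made up).
ours = "11111111-2222-3333-4444-555555555555"
other = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
issuer = fn tid -> "https://login.microsoftonline.com/#{tid}/v2.0" end
claims = fn tid -> %{"iss" => issuer.(tid), "tid" => tid} end

# Self-consistent token from another tenant, checked with no allow-list.
IO.inspect(TenantIssuerCheck.validate(claims.(other)))
# Same token, checked against an allow-list containing only our tenant.
IO.inspect(TenantIssuerCheck.validate(claims.(other), [ours]))
# Token from our tenant against the same allow-list.
IO.inspect(TenantIssuerCheck.validate(claims.(ours), [ours]))
# iss and tid disagree.
IO.inspect(TenantIssuerCheck.validate(%{"iss" => issuer.(ours), "tid" => other}))
```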

More documentation:

Summary

Functions

transform(entity, dsl_state)

Callback implementation for AshAuthentication.Strategy.Custom.transform/2.

verify(strategy, dsl_state)

Callback implementation for AshAuthentication.Strategy.Custom.verify/2.