This guide covers local authentication setup for My Learning Bank.
- Web environment template: src/learning-bank-web/.env.example
- Local web environment file (do not commit): src/learning-bank-web/.env.local
- API base config: src/LearningBank.Api/appsettings.json
Platform admin access is configured in API settings, not in web .env variables.
In src/LearningBank.Api/appsettings.json under Auth:PlatformAdmin:
- SubjectIds: array of OIDC subject IDs that should receive PlatformAdmin role.
- GroupIds: array of OIDC group or role identifiers that should receive PlatformAdmin role.
Example:
- Auth:PlatformAdmin:SubjectIds: [""]
- Auth:PlatformAdmin:GroupIds: [""]
At least one allow-list entry should be configured in non-local environments before relying on the /admin area.
- Copy src/learning-bank-web/.env.example to src/learning-bank-web/.env.local.
- Fill in all required values from this guide.
- Start the app with ./dev.ps1.
Purpose:
- Secret used by NextAuth to sign and encrypt auth/session tokens.
How to generate:
- PowerShell: [Convert]::ToBase64String((1..32 | ForEach-Object { Get-Random -Maximum 256 }))
- OpenSSL: openssl rand -base64 32
Notes:
- Use a unique value per environment.
- Rotate immediately if exposed.
Purpose:
- OAuth client identifier for Google sign-in.
How to get it:
- Open Google Cloud Console.
- Create or select a project.
- Go to APIs and Services, then Credentials.
- Create OAuth 2.0 Client ID as Web application.
- Add redirect URI: http://localhost:3000/api/auth/callback/google.
- Copy the Client ID.
Purpose:
- OAuth client secret paired with GOOGLE_CLIENT_ID.
How to get it:
- From the same Google OAuth client credential, copy Client Secret.
Purpose:
- Application client ID for Microsoft Entra sign-in.
How to get it:
- Open Azure Portal.
- Go to Microsoft Entra ID, then App registrations.
- Create or select an app registration.
- Add Web redirect URI: http://localhost:3000/api/auth/callback/microsoft-entra-id.
- Copy Application client ID.
Purpose:
- Client secret for the Microsoft Entra app registration.
How to get it:
- In the app registration, open Certificates and secrets.
- Create a new client secret.
- Copy Secret Value.
Purpose:
- Controls which Microsoft Entra tenant issuer NextAuth uses.
Common values:
- common: personal + work or school accounts.
- consumers: personal Microsoft accounts only.
- tenant GUID: single tenant sign-in.
If you see AADSTS9002346, set AZURE_AD_TENANT_ID=consumers and restart the dev server.
Purpose:
- Base URL used by the web app BFF/API client.
Default local value:
Purpose:
- Public URL where the Next.js app is reachable.
Default local value:
- OAuth consent screen configured.
- OAuth web client created.
- Redirect URI set to http://localhost:3000/api/auth/callback/google.
- App registration created.
- Redirect URI set to http://localhost:3000/api/auth/callback/microsoft-entra-id.
- Client secret value copied.
- Supported account types match AZURE_AD_TENANT_ID.
- Run ./dev.ps1.
- Open http://localhost:3000/sign-in.
- Test Continue with Google.
- Test Continue with Microsoft.
- Confirm API health endpoint responds at http://localhost:5001/health.
- Ensure callback URL in provider exactly matches local callback route.
- Regenerate secret and update .env.local.
- Ensure you copied secret Value, not secret identifier.
- Generate AUTH_SECRET and restart web server.
- Ensure AZURE_AD_TENANT_ID matches app registration account type configuration.
- Never commit .env.local.
- Rotate secrets if leaked.
- Use separate app registrations and secrets per environment.
- Prefer least privilege and secret expiry policies.
- Keep PlatformAdmin allow-lists narrow and reviewed; avoid broad tenant-wide grants.