Check out v4 of the Fauna CLI
v4 of the Fauna CLI is now in beta. The new version introduces enhancements to the developer experience, including an improved authentication workflow. To get started, check out the CLI v4 quick start. |
Microsoft Entra integration
This guide covers how to use Microsoft Entra to authenticate with a Fauna database.
When set up, Entra issues a JWT when end users log into your application. The JWT contains a Fauna token's authentication secret for the user in a private claim. Your application can use the secret to run queries on the user’s behalf.
Before you start
To complete this guide, you’ll need:
-
A Microsoft Azure account.
-
Familiarity with Microsoft Entra and Azure Functions.
Authentication flow
In this guide, you’ll set up an Azure function that creates a Fauna token when Entra issues a JWT. You’ll configure Entra to use a custom claim provider to add the token’s secret as a claim to the JWT.
The setup uses the following authentication flow:
-
The client sends a request to Microsoft Entra. Entra invokes an Azure Function in the token (JWT) issuance phase.
-
The Azure Function generates a Fauna token and includes the token’s secret in a private
fauna_token_secret
claim in the payload of the JWT issued by Entra. -
Entra returns the JWT to the client application. The client application uses the token secret to authenticate Fauna queries on the user’s behalf.
For more on the general flow and setup, see Create a REST API for a token issuance start event in Azure Functions in the Microsoft Entra docs.
Configure Fauna
-
Log in to the Fauna Dashboard and select your database.
-
In the Dashboard Shell, run the following FQL query to create a key with the
server
role:Key.create({ role: "server" })
{ id: "404130885316640841", coll: Key, ts: Time("2099-07-22T17:08:15.803Z"), role: "server", secret: "fn..." }
Copy the key’s
secret
. You’ll use it later. -
Create a collection to store identity documents for your application’s end users.
Edit the collection’s schema to include an
email
field or similar identifier used to uniquely identify users. For example:collection Customer { unique [.email] index byEmail { terms [.email] } }
-
Create one or more user-defined roles.
Edit the role’s schema to include the previous collection in the role’s
membership
property. For example:role customer { membership Customer privileges Product { read } ... }
Create a REST API in Azure
Use an Azure Function to create a REST API. The API creates a Fauna token for an end user.
Create a Azure functions app
-
Sign in to the Azure Portal.
-
From the Home page, select Create a resource.
-
Search for and select Function App. Then select Create > Function App.
-
Create a function app with the following settings:
Settings Value Description Plan
Consumption (Serverless)
Hosting plan that defines how resources are allocated to your function app.
Subscription
Your subscription
The subscription under which the new function app will be created.
Function App name
Enter a unique name
A unique name that identifies your new function app.
Runtime
Node.js
This guide uses Node.js. You can use any runtime with a supported Fauna driver.
Version
20 LTS
Region
Your preferred region
Operating System
Windows
-
Select Review + create and then select Create. It may take a few minutes for Azure to deploy the function app.
-
Once deployed, select Go to resource.
Set up environment variables
-
In the Azure Portal, navigate to your function app.
-
In the function app’s Overview page, click Settings > Environment variables in the left navigation.
-
Click Add.
-
In the Add/Edit application setting pane, enter the following:
-
Name:
FAUNA_SECRET
-
Value: The Fauna key’s
secret
you copied earlier.
-
-
Click Apply.
-
On the Environment variables page, click Apply. Then click Confirm.
Create an HTTP trigger function
Create an HTTP trigger function in the Azure function app. The HTTP trigger lets you invoke a function with an HTTP request and is referenced by your Microsoft Entra custom authentication extension.
-
Navigate to the function app’s Overview page.
-
. In the Functions tab, and select Create function under Create in Azure portal.
-
Select the HTTP trigger template and select Next.
-
Enter a Function name and leave the Authorization level as Function. Then click Create.
-
Add the following code to the function:
const { Client, fql, FaunaError } = require("fauna"); module.exports = async function (context, req) { // Read the request body const requestBody = req.body; // Parse the request body const data = requestBody ? JSON.parse(requestBody) : null; const email = data?.data?.authenticationContext?.user.mail; const client = new Client({ secret: process.env.FAUNA_SECRET, }); const fauna_response = await client.query(fql` // If a Customer document with the email exists, get it. // Otherwise, create a Customer document. let user = Customer.byEmail(${email}).first() ?? Customer.create({email: ${email}}) // Create a token for the Customer document. let token = Token.create({ document: user, ttl: Time.now().add(30, 'minutes') }) // Return the Customer document's ID and the // token's secret. let payload = { userId: user!.id, token: token.secret } payload `); // Prepare the response object const response = { data: { '@odata.type': 'microsoft.graph.onTokenIssuanceStartResponseData', actions: [ { '@odata.type': 'microsoft.graph.tokenIssuanceStart.provideClaimsForToken', claims: { FaunaTokenSecret: fauna_response.data.token, } } ] } }; // Return the response context.res = { status: 200, body: response }; };
-
Save the function.
-
Click Get function URL.
-
Copy the default (Function key) URL.
Install the Fauna driver
-
Navigate to the function app’s Overview page.
-
In the left navigation, select Development Tools > Console.
-
Navigate to the http trigger function’s directory. For example:
cd HttpTrigger1
-
In the directory, run the following commands to install the Fauna driver:
npm init -y npm install fauna --save
Register a custom authentication extension
-
In the top navigation, click Home.
-
Search for and select Microsoft Entra ID.
-
From the Entra Overview page, select Enterprise applications > Custom authentication extensions > Create a custom extension.
-
In the Basics tab, select the TokenIssuanceStart event type and click Next.
-
In the Endpoint Configuration tab, enter the following:
-
Name: Enter a name for the custom extension.
-
Target URL: The Azure function URL you copied earlier.
-
-
Select Next.
-
In API Authentication tab, you will be presented with an option to select a app registration type. Select Create new app registration.
-
Enter an application Name and select Next.
-
In the Claims tab, enter the following claim:
-
FaunaTokenSecret
-
-
Select Next and then click Create.
It may take a few minutes for Azure to create the application and custom extension. Once created, you’ll navigate to the custom extension’s Overview page.
Configure an OpenID Connect app
To get a token and test the custom authentication extension, you can use the https://jwt.ms app from Microsoft.
Register a test web app
-
In the top navigation, click Home.
-
Search for and select Microsoft Entra ID.
-
In left navigation, select App registrations > New registration.
-
Enter a Name for the application. For example,
My test application
. -
Under Supported account types, select Accounts in this organizational directory only.
-
Under Redirect URI, select Web and enter https://jwt.ms as the URL.
-
Click Register.
-
In the app registration’s Overview page, copy the:
-
Application (client) ID
-
Directory (tenant) ID
-
Enable implicit flow
-
From the app registration’s Overview page, navigate to Manage > Authentication.
-
Under Implicit grant and hybrid flows, check ID tokens.
-
Click Save.
Enable claims mapping policy
-
In the left navigation, navigate to Manage > Manifest.
-
In the manifest, locate the
acceptMappedClaims
attribute, and set the value totrue
. -
Set the
accessTokenAcceptedVersion
to2
. -
Select Save to save the changes.
The following JSON snippet demonstrates how to configure these properties.
{
"acceptMappedClaims": true,
"accessTokenAcceptedVersion": 2
// .... rest of the manifest
}
Assign a custom claims provider to your app
-
In the top navigation, click Home.
-
Search for and select Microsoft Entra ID.
-
In the left navigation, select Manage > Enterprise applications.
-
Find and select the application you created from the list.
-
From the Overview page, select Manage >Single sign-on in the left navigation.
-
Next to Attributes & Claims, select Edit.
-
Expand Advanced settings.
-
Next to Custom claims provider, select Configure
-
In the Customer claims provider pane, select the custom claims provider you created earlier.
-
Click Save.
Next, assign the attributes from the custom claims provider, which should be issued into the token as claims:
-
On the Attributes & Claims page, select Add new claim.
-
Enter a Name of
FaunaTokenSecret
. -
Select a Source of Attribute.
-
Select a Source attribute of
"customClaimsProvider.FaunaTokenSecret"
. -
Select Save.
Protect your Azure Function
The custom authentication extension uses a server-to-server flow to obtain an
access token. The token is sent in the HTTP Authorization
header to your Azure
function.
Use the following steps to add Microsoft Entra as an identity provider to your Azure Function app:
-
In the top navigation, click Home. app you previously published.
-
From the Home page, find and select the function app you created earlier.
-
In the left navigation, select Settings > Authentication.
-
Select Add identity provider.
-
Select an Identity provider of Microsoft.
-
Select a tenant type of Workforce configuration.
-
Under App registration, select an App registration type of Pick an existing app registration. Then select the custom authentication extension app you created earlier.
-
Enter the following issuer URL, https://login.microsoftonline.com/<TENANT_ID>/v2.0, where
<TENANT_ID>
is the Entra application’s tenant ID you copied earlier. -
Select a Unauthenticated requests of HTTP 401 Unauthorized .
-
Uncheck Token store.
-
Select Add.
Test the application
-
Open a new private browser and navigate and sign-in through the following URL.
https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&response_type=id_token&redirect_uri=https://jwt.ms&response_mode=form_post&scope=openid&state=12345&nonce=678910
-
Replace:
-
<TENANT_ID>
with the Entra application tenant ID you copied earlier. -
<CLIENT_ID>
with the Entra application’s client ID you copied earlier.
-
-
After logging in, you’ll be presented with your decoded token at https://jwt.ms. The decoded token will contain the
FaunaTokenSecret
claim field.
Is this article helpful?
Tell Fauna how the article can be improved:
Visit Fauna's forums
or email docs@fauna.com
Thank you for your feedback!