OpenID Connect setup for App Service through Bicep


I have successfully set up OpenID Connect Authentication for an App Service through the Azure Portal, but I have trouble doing so through a Bicep script.

Has anyone had success doing so? I've tried following authsettingsv2, but I cannot figure out how the customOpenIdConnectProviders should be configured.

It is for authentication against Identity Server, if that helps.

2

There are 2 answers

0
wenbo On

It seems that we did not find detailed information about customOpenIdConnectProviders from the Bicep template document, but we can achieve it by following the steps below:

  1. Manually add an OpenID Connect in app Authentication.

  2. Use the Web App - Get Auth Settings V2 REST API to get the setting details.

  3. Get the value and fill it back into your Bicep file.
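
Step 3 of the answer above (filling the returned settings back into Bicep), as an added example that is not part of either answer: a small Python helper that renders a saved Get Auth Settings V2 response as a Bicep `properties` block. The response body, the provider name `identityserver`, the client ID, the setting name and the URL are constructed placeholders, and `to_bicep` / `auth_properties_as_bicep` are hypothetical helper names.

```python
import json
import re

# Constructed sample shaped like a Get Auth Settings V2 response. The provider
# name, client ID, setting name and URL are placeholders, not real values.
SAMPLE_RESPONSE = """{
  "properties": {
    "globalValidation": {"requireAuthentication": true, "unauthenticatedClientAction": "Return401"},
    "identityProviders": {"customOpenIdConnectProviders": {"identityserver": {
      "enabled": true,
      "login": {"scopes": ["openid", "profile"]},
      "registration": {
        "clientId": "example-client-id",
        "clientCredential": {"clientSecretSettingName": "IDSRV_CLIENT_SECRET"},
        "openIdConnectConfiguration": {
          "wellKnownOpenIdConfiguration": "https://idp.example.com/.well-known/openid-configuration"}}}}}
  }
}"""

def to_bicep(value, indent=0):
    """Render a parsed JSON value as a Bicep literal (hypothetical helper)."""
    pad, inner = "  " * indent, "  " * (indent + 1)
    if isinstance(value, bool):  # test bool before int: True is an int in Python
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):  # escape backslash, quote and interpolation start
        text = value.replace("\\", "\\\\").replace("'", "\\'").replace("${", "\\${")
        return f"'{text}'"
    if isinstance(value, list):
        items = "".join(f"{inner}{to_bicep(v, indent + 1)}\n" for v in value)
        return f"[\n{items}{pad}]" if value else "[]"
    if isinstance(value, dict):
        lines = ""
        for key, v in value.items():  # quote keys that are not plain identifiers
            name = key if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key) else to_bicep(key)
            lines += f"{inner}{name}: {to_bicep(v, indent + 1)}\n"
        return f"{{\n{lines}{pad}}}" if value else "{}"
    raise TypeError(f"no Bicep literal for {type(value).__name__}")

def auth_properties_as_bicep(response_text):
    """Return the 'properties:' block to paste into the authsettingsV2 resource."""
    return "properties: " + to_bicep(json.loads(response_text)["properties"])

if __name__ == "__main__":
    print(auth_properties_as_bicep(SAMPLE_RESPONSE))
```

Before committing the generated block, confirm that `clientCredential` carries only `clientSecretSettingName` (the name of an app setting) and that no secret value was copied from the response into the Bicep file.
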
1
Moelbeck On

After a whole lot of digging throughout the night, I found this description of how the customopenidconnectprovider should be constructed.

So I ended up with a module containing these Bicep resources:

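// Parameter declarations added so the module compiles on its own; the string
// types and the empty default for the secret setting name are assumptions.
param web_app_name string
param client_id string
param client_secret_setting_name string = ''
param well_known_openid_configuration string

resource existingWebApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: web_app_name
}

resource config 'Microsoft.Web/sites/config@2023-01-01' = {
  name: 'authsettingsV2'
  parent: existingWebApp
  properties: {
    globalValidation: {
      // Reject unauthenticated requests with HTTP 401
      requireAuthentication: true
      unauthenticatedClientAction: 'Return401'
    }

    identityProviders: {
      customOpenIdConnectProviders: {
        // The key at this level is the provider's name; here it is 'registration'
        registration: {
          enabled: true
          registration: {
            clientId: client_id
            // Refers to the app setting that holds the client secret, by name
            clientCredential: empty(client_secret_setting_name)
              ? {}
              : {
                  clientSecretSettingName: client_secret_setting_name
                }
            openIdConnectConfiguration: {
              wellKnownOpenIdConfiguration: well_known_openid_configuration
            }
          }
        }
      }
    }
  }
}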

I am not sure if this is the best way to do it, but it works for our usage at least.