Supported OIDC flows

Impero supports two distinct OpenID Connect (OIDC) authorization flows:

  • Authorization code flow with PKCE: more secure and recommended by default
  • Implicit flow (see below)

Due to an issue in the Azure implementation of the OIDC standard, you will need to use the implicit flow if you are using Azure AD with both:

  • multi-factor authentication (MFA) enforced
  • some IP ranges whitelisted (so that clients using these IPs do not need to authenticate via MFA)

The Authorization code flow should be preferred if you are not using this setup.


Setting up the OIDC flow in Azure AD

  1. Go to "Authentication" in the left-side menu
  2. Locate the field "Select the tokens you would like to be issued by the authorization endpoint" in the main panel
  3. The last step depends on your OIDC flow:

For Authorization code flow with PKCE, ensure that:

  • The "Access tokens (issued for implicit flows)" checkbox is unticked
  • The "ID tokens (used for implicit and hybrid flows)" checkbox is unticked

For Implicit flow, ensure that:

  • The "Access tokens (issued for implicit flows)" checkbox is ticked
  • The "ID tokens (used for implicit and hybrid flows)" checkbox is ticked
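To make the difference between the two flows concrete, the following is an added Python example (not Impero's code and not part of the original page): it builds the Azure AD v2.0 authorize request for each flow and shows the PKCE verifier/challenge check that makes the authorization code flow the safer default. The tenant id, client id and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders: substitute your own tenant and app registration values.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-id>"
REDIRECT_URI = "https://impero.example/callback"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier (RFC 7636 s4.1): 43-128 unreserved characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform (RFC 7636 s4.2): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier and
    compare in constant time. A code taken from the redirect is useless without the verifier."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def authorization_code_url(code_challenge: str, state: str) -> str:
    """Authorization code flow with PKCE: only a short-lived code is returned in the redirect."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "response_mode": "query", "scope": "openid profile", "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def implicit_url(state: str, nonce: str) -> str:
    """Implicit flow: tokens come back in the URL fragment itself, which is why the Azure
    app registration must have both 'Access tokens' and 'ID tokens' ticked for this flow."""
    params = {
        "client_id": CLIENT_ID, "response_type": "id_token token", "redirect_uri": REDIRECT_URI,
        "response_mode": "fragment", "scope": "openid profile", "state": state, "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"
```

The verifier is generated fresh per login and kept client-side; the challenge goes in the authorize request and the verifier is presented only when the code is exchanged at the token endpoint.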