[PR #5039] [CLOSED] auth: add support for EntraID method #5110

New issue

Closed

opened 2026-05-05 14:54:55 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 14:54:55 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5039
Author: @Saancreed
Created: 10/31/2025
Status: ❌ Closed

Base: dev ← Head: pr/entraid-auth

📝 Commits (3)

b0374d5 auth: prepare configuration for EntraID method support
fbc0739 auth: add support for EntraID method
dfa6309 auth: enable EntraID method

📊 Changes

9 files changed (+236 additions, -17 deletions)

View changed files

📝 go.mod (+10 -1)
📝 go.sum (+29 -4)
📝 pkg/auth/auth.go (+7 -2)
➕ pkg/auth/entraid.go (+157 -0)
📝 pkg/config/v1/client.go (+10 -2)
📝 pkg/config/v1/common.go (+3 -2)
📝 pkg/config/v1/server.go (+13 -5)
📝 pkg/config/v1/validation/validation.go (+1 -0)
📝 server/service.go (+6 -1)

📄 Description

WHY

At LeanCode, we're using frp internally for exposing local development environments for external connections. There, we have a need to authenticate developers to cloud-hosted frps instance in a way that integrates with our existing authentication schemes while being as seamless for them as possible. To this end, we have implemented support for custom token-based authentication method that relies specifically on Microsoft Entra ID.

This method is similar in nature to existing OIDC method but has some additional benefits, namely:

On the server side, we can easily restrict access by limiting it to users that can sign in to a specific Entra Application (representing frps) and optionally, only from specific Azure tenant.
On the client side, we can retrieve the token credential using Azure Identity / MSAL, which allows us to authenticate using one of its many supported methods without having to pass any client credentials to frpc, most importantly Azure CLI.

Would there be any interest in accepting this, well, very vendor-specific piece of code? We think there's a chance others may also find some use for it.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fatedier/frp/pull/5039 **Author:** [@Saancreed](https://github.com/Saancreed) **Created:** 10/31/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `pr/entraid-auth` --- ### 📝 Commits (3) - [`b0374d5`](https://github.com/fatedier/frp/commit/b0374d59e87608635ea74b04728820a7a3673b9d) auth: prepare configuration for EntraID method support - [`fbc0739`](https://github.com/fatedier/frp/commit/fbc0739b5937b90182e2647c707e642c1b4343d4) auth: add support for EntraID method - [`dfa6309`](https://github.com/fatedier/frp/commit/dfa6309adbee9069966f2fcb802603081965d9a5) auth: enable EntraID method ### 📊 Changes **9 files changed** (+236 additions, -17 deletions) <details> <summary>View changed files</summary> 📝 `go.mod` (+10 -1) 📝 `go.sum` (+29 -4) 📝 `pkg/auth/auth.go` (+7 -2) ➕ `pkg/auth/entraid.go` (+157 -0) 📝 `pkg/config/v1/client.go` (+10 -2) 📝 `pkg/config/v1/common.go` (+3 -2) 📝 `pkg/config/v1/server.go` (+13 -5) 📝 `pkg/config/v1/validation/validation.go` (+1 -0) 📝 `server/service.go` (+6 -1) </details> ### 📄 Description ### WHY At LeanCode, we're using frp internally for exposing local development environments for external connections. There, we have a need to authenticate developers to cloud-hosted frps instance in a way that integrates with our existing authentication schemes while being as seamless for them as possible. To this end, we have implemented support for custom token-based authentication method that relies specifically on Microsoft Entra ID. This method is similar in nature to existing OIDC method but has some additional benefits, namely: * On the server side, we can easily restrict access by limiting it to users that can sign in to a specific Entra Application (representing frps) and optionally, only from specific Azure tenant. * On the client side, we can retrieve the token credential using Azure Identity / MSAL, which allows us to authenticate using one of its many supported methods without having to pass any client credentials to frpc, most importantly Azure CLI. Would there be any interest in accepting this, well, very vendor-specific piece of code? We think there's a chance others may also find some use for it. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>