oliverkroener / ok-azure-login

Login and register frontend and backend users using Azure Entra

Maintainers

Details

github.com/oliverkroener/ok_azure_login

Type:typo3-cms-extension

pkg:composer/oliverkroener/ok-azure-login

4.0.2 2026-02-13 18:19 UTC

Requires

php: ^8.1
microsoft/kiota-authentication-phpleague: ^1
microsoft/microsoft-graph: ^2
typo3/cms-core: ^12.4 || ^13.4 || ^14.0
typo3/cms-extbase: ^12.4 || ^13.4 || ^14.0

Requires (Dev)

None

Suggests

None

Provides

None

Conflicts

None

Replaces

None

GPL-2.0-or-later 1e6bf99621e27be8aaeec2c2ba44ae3f246cbc7a

Oliver Kroener <ok.woop@oliver-kroener.de>

Authentication oauth login SSO azure microsoft typo3 Office365 graph-api entra frontend-login backend-login

dev-main
4.0.2
4.0.1
4.0.0
3.0.1
3.0.0
2.1.0
1.0.0
dev-feature/typo3-9
dev-feature/typo3-10
dev-feature/typo3-11

This package is auto-updated.

Last update: 2026-02-15 00:14:55 UTC

README

TYPO3 extension for frontend and backend login via Microsoft Entra ID (Azure AD) using the OAuth 2.0 authorization code flow and Microsoft Graph API.


Extension key	`ok_azure_login`
Composer	`oliverkroener/ok-azure-login`
TYPO3	12.4, 13.4, 14.0
PHP	^8.1

Features

Frontend login via "Sign in with Microsoft" content element
Backend login via login provider on the TYPO3 backend login screen
Per-site configuration with encrypted client secret storage
Multi-tenant support with multiple backend login buttons
OAuth 2.0 authorization code flow with HMAC-signed state parameter
User lookup by email in fe_users / be_users
Backend redirect URI auto-derived from route configuration
Frontend logout with optional Microsoft sign-out redirect
Translations: English, German, French

Quick start

Register an app in Microsoft Entra ID (see Azure setup docs)

Install the extension via Composer:

composer require oliverkroener/ok-azure-login

Configure credentials in Web > Azure Login backend module
Add the Azure Login content element to a frontend page
Register the redirect URIs from the backend module in your Azure app

Configuration

Credentials are managed per TYPO3 site via the backend module. Each site stores:

Tenant ID and Client ID from Azure App Registration
Client Secret (encrypted at rest with PHP Sodium)
Redirect URI (Frontend) -- manually configured, points to the login page
Redirect URI (Backend) -- auto-generated from route config, shown as read-only with copy button

The backend redirect URI (/typo3/azure-login/callback) is derived from Configuration/Backend/Routes.php and cannot be misconfigured.

Global credentials via Extension Configuration serve as a fallback for single-site setups.

Documentation

Full documentation is in the Documentation/ directory:

Security

Client secrets encrypted at rest (PHP Sodium sodium_crypto_secretbox)
HMAC-signed OAuth state with 10-minute TTL
Per-site credential isolation
CSRF token handling for TYPO3 v13+

Requirements

microsoft/microsoft-graph ^2
microsoft/kiota-authentication-phpleague ^1
TYPO3 encryption key must be configured