Skip to content

Authentication

Autotask Mirror supports OpenID Connect (OIDC) authentication, which works with any standards-compliant identity provider. When authentication is not configured, the application runs without sign-in requirements.

Warning

Without authentication enabled, anyone with network access to the application can view your mirrored Autotask data and modify settings. It is strongly recommended to enable authentication for any deployment accessible beyond your local network.

Supported Providers

Any OpenID Connect compliant provider works, including:

  • Microsoft Entra ID (Azure AD)
  • Okta
  • Google Workspace
  • Keycloak
  • ADFS
  • Auth0

Configuration

Authentication is configured in appsettings.json under the Authentication section:

{
  "Authentication": {
    "Authority": "",
    "ClientId": "",
    "CallbackPath": "/signin-oidc"
  }
}
Setting Required Description
Authority Yes The OIDC issuer URL for your identity provider. Leave empty to disable authentication.
ClientId Yes The OAuth 2.0 application/client ID.
ClientSecret No The client secret. Not needed if using certificate or PKCE-only authentication.
ClientCertificatePath No Path to a PKCS#12 (.pfx/.p12) certificate file for client authentication.
ClientCertificatePassword No Password for the certificate file.
ClientCertificateThumbprint No Thumbprint of a certificate in the Windows certificate store or Azure App Service certificate.
CallbackPath No OAuth redirect path. Defaults to /signin-oidc.
DangerousAcceptAnyTlsCertificate No Set to true for on-premises identity providers with self-signed TLS certificates.

Credential priority: If multiple credential types are provided, the application uses them in this order: Certificate (path or thumbprint) > Client Secret > PKCE-only.

Provider Setup Guides

Microsoft Entra ID

  1. In the Azure Portal, go to Microsoft Entra ID > App registrations > New registration
  2. Set the name (e.g., "Autotask Mirror")
  3. Under Redirect URI, select Web and enter: https://your-app-url/signin-oidc
  4. Click Register
  5. Copy the Application (client) ID — this is your ClientId
  6. Copy the Directory (tenant) ID — you'll need this for the Authority URL
  7. Under Certificates & secrets, create a new client secret and copy its value

Configure appsettings.json:

{
  "Authentication": {
    "Authority": "https://login.microsoftonline.com/{tenant-id}/v2.0",
    "ClientId": "your-application-id",
    "ClientSecret": "your-client-secret"
  }
}

Tip

Replace {tenant-id} with your actual Azure AD tenant ID. For multi-tenant apps, use common instead.

Okta

  1. In the Okta Admin Console, go to Applications > Create App Integration
  2. Select OIDC - OpenID Connect and Web Application
  3. Set the sign-in redirect URI to: https://your-app-url/signin-oidc
  4. Copy the Client ID and Client Secret
{
  "Authentication": {
    "Authority": "https://your-domain.okta.com",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret"
  }
}

Google Workspace

  1. In the Google Cloud Console, go to APIs & Services > Credentials > Create Credentials > OAuth client ID
  2. Select Web application
  3. Add https://your-app-url/signin-oidc to Authorized redirect URIs
  4. Copy the Client ID and Client Secret
{
  "Authentication": {
    "Authority": "https://accounts.google.com",
    "ClientId": "your-client-id.apps.googleusercontent.com",
    "ClientSecret": "your-client-secret"
  }
}

Keycloak

{
  "Authentication": {
    "Authority": "https://your-keycloak-server/realms/your-realm",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret"
  }
}

ADFS (On-Premises)

{
  "Authentication": {
    "Authority": "https://your-adfs-server/adfs",
    "ClientId": "your-client-id",
    "DangerousAcceptAnyTlsCertificate": "true"
  }
}

Warning

Only use DangerousAcceptAnyTlsCertificate for on-premises servers with self-signed TLS certificates. Never enable this in production with public-facing identity providers.

How It Works

When authentication is enabled:

  • All pages require sign-in — unauthenticated requests are redirected to your identity provider
  • The application requests openid, profile, and email scopes
  • Sessions are managed via cookies
  • The sign-in prompt always shows the account picker for easy account switching
  • Sign out is available from the user menu

When authentication is not configured (Authority is empty):

  • All pages are accessible without sign-in
  • A warning banner is displayed at the top of every page

Applying Changes

Authentication settings are read from appsettings.json at application startup. Changes to authentication configuration require an application restart to take effect.

For Azure App Service deployments, you can set these values as Application Settings in the Azure Portal (under Settings > Environment variables), which will override appsettings.json values. Use double-underscore notation for nested keys:

App Setting Name Value
Authentication__Authority https://login.microsoftonline.com/{tenant-id}/v2.0
Authentication__ClientId your-application-id
Authentication__ClientSecret your-client-secret