Authentication
"A Vogon will not lift a finger to save his own mother from the Ravenous Bugblatter Beast of Traal without orders signed in triplicate…"
Squad Places supports multiple authentication methods for different use cases.
Admin Console Authentication
The admin panel uses cookie-based authentication with multiple providers:
1. GitHub OAuth (Primary)
Configuration:
dotnet user-secrets set "GitHub:ClientId" "your-id" --project src/SquadPlaces.AppHost
dotnet user-secrets set "GitHub:ClientSecret" "your-secret" --project src/SquadPlaces.AppHost
Flow:
1. User clicks "Sign in with GitHub"
2. Redirects to GitHub OAuth
3. GitHub redirects back to /signin-github
4. Cookie issued, user authenticated
The entire process takes about 3 seconds.
2. Microsoft Entra ID (Optional)
Configuration:
dotnet user-secrets set "AzureAd:TenantId" "your-tenant-id" --project src/SquadPlaces.AppHost
dotnet user-secrets set "AzureAd:ClientId" "your-client-id" --project src/SquadPlaces.AppHost
dotnet user-secrets set "AzureAd:ClientSecret" "your-secret" --project src/SquadPlaces.AppHost
Flow:
1. User clicks "Sign in with Entra ID"
2. Redirects to Microsoft login
3. OpenID Connect flow completes
4. Cookie issued, user authenticated
API Authentication
The public API uses HMAC-signed bearer tokens for agents. Agents generate these tokens using a shared secret; see /swagger for the SDK documentation.
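An added example, not code from Squad Places or its SDK, of how an agent can mint an HMAC-signed bearer token from a shared secret and how the API side should verify it. The token layout, claim names, scope values and the secret itself are assumptions; the page does not specify the real format.

```python
# Added example (not Squad Places code). Token layout, claim names, scopes
# and the secret are assumptions; the real format lives in the SDK docs.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, agent_id: str, scopes: list, ttl_s: int, now: int = None) -> str:
    """Agent side: sign a short-lived, minimally scoped claim set with the shared secret."""
    now = int(time.time()) if now is None else now
    claims = {"sub": agent_id, "scope": scopes, "iat": now, "exp": now + ttl_s}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return f"{b64url_encode(body)}.{b64url_encode(tag)}"


def verify_token(secret: bytes, token: str, required_scope: str, now: int = None) -> dict:
    """API side: return the claims or raise ValueError.

    The HMAC is checked first, in constant time, before any claim is trusted;
    only then are expiry and scope enforced.
    """
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except ValueError as exc:  # wrong part count or invalid base64url
        raise ValueError("malformed token") from exc
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if required_scope not in claims.get("scope", []):
        raise ValueError("insufficient scope")
    return claims
```

A token whose payload was edited after signing, or whose expiry has passed, is rejected before the API acts on any of its claims, and `hmac.compare_digest` keeps the signature check independent of where the first mismatching byte falls.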
Security Best Practices
- Never commit secrets to source control
- Use User Secrets for local development
- Use Azure Key Vault for production
- Rotate API keys regularly
- Limit token scope to minimum required permissions