Authentication

Setting up authentication in MemberJunction (MJ) is crucial for controlling access to the GraphQL API and the MJExplorer app. Starting with v2.91.0, MemberJunction supports multiple authentication providers including MSAL (Microsoft Authentication Library), Auth0, and Okta, with the ability to configure multiple providers simultaneously.

Overview

In MJ, authentication providers manage access to both the GraphQL API and MJExplorer app. The system uses a flexible configuration that allows you to:

Configure one or multiple authentication providers
Automatically detect providers based on environment variables
Switch between providers without code changes
Support different providers for different user groups

Supported Authentication Providers

MemberJunction v2.91.0 supports three authentication providers:

MSAL (Microsoft Authentication Library) - For Azure AD/Entra ID authentication
Auth0 - For flexible, cloud-based authentication
Okta - For enterprise identity management

Configuration Overview

Authentication configuration in MemberJunction involves two main components:

Backend Configuration (mj.config.cjs) - Controls API authentication
Frontend Configuration (environment.ts) - Controls MJExplorer authentication

Backend Configuration (mj.config.cjs)

Starting with v2.91.0, authentication providers are configured using the authProviders array in your mj.config.cjs file:

const mjServerConfig = {
  // ... other configuration ...
  
  /**
   * Authentication Provider Configuration
   * Each provider encapsulates its issuer URL, audience, JWKS URI, and provider-specific config
   */
  authProviders: [
    // Microsoft Azure AD / Entra ID
    process.env.TENANT_ID && process.env.WEB_CLIENT_ID ? {
      name: 'azure',
      type: 'msal',
      issuer: `https://login.microsoftonline.com/${process.env.TENANT_ID}/v2.0`,
      audience: process.env.WEB_CLIENT_ID,
      jwksUri: `https://login.microsoftonline.com/${process.env.TENANT_ID}/discovery/v2.0/keys`,
      clientId: process.env.WEB_CLIENT_ID,
      tenantId: process.env.TENANT_ID
    } : null,
    
    // Auth0
    process.env.AUTH0_DOMAIN && process.env.AUTH0_CLIENT_ID ? {
      name: 'auth0',
      type: 'auth0',
      issuer: `https://${process.env.AUTH0_DOMAIN}/`,
      audience: process.env.AUTH0_CLIENT_ID,
      jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
      clientId: process.env.AUTH0_CLIENT_ID,
      clientSecret: process.env.AUTH0_CLIENT_SECRET,
      domain: process.env.AUTH0_DOMAIN
    } : null,
    
    // Okta
    process.env.OKTA_DOMAIN && process.env.OKTA_CLIENT_ID ? {
      name: 'okta',
      type: 'okta',
      issuer: `https://${process.env.OKTA_DOMAIN}/oauth2/default`,
      audience: process.env.OKTA_CLIENT_ID,
      jwksUri: `https://${process.env.OKTA_DOMAIN}/oauth2/default/v1/keys`,
      clientId: process.env.OKTA_CLIENT_ID,
      clientSecret: process.env.OKTA_CLIENT_SECRET,
      domain: process.env.OKTA_DOMAIN
    } : null,
  ].filter(Boolean), // Remove any null entries from providers that aren't configured
};

Environment Variables

For Microsoft Azure AD / Entra ID (MSAL)

TENANT_ID=your-tenant-id
WEB_CLIENT_ID=your-client-id

For Auth0

AUTH0_DOMAIN=your-domain.auth0.com
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret

For Okta

OKTA_DOMAIN=your-domain.okta.com
OKTA_CLIENT_ID=your-client-id
OKTA_CLIENT_SECRET=your-client-secret

Frontend Configuration (environment.ts)

Configure your Angular application's src/environments/environment.ts files to specify which authentication provider to use:

export const environment = {
  // ... other settings ...
  
  // Set to 'msal', 'auth0', or 'okta' based on your provider
  AUTH_TYPE: 'msal', // Choose your provider
  
  // For MSAL:
  CLIENT_ID: 'your-client-id',
  CLIENT_AUTHORITY: 'https://login.microsoftonline.com/your-tenant-id',
  TENANT_ID: 'your-tenant-id',
  
  // For Auth0:
  AUTH0_DOMAIN: 'your-domain.auth0.com',
  AUTH0_CLIENTID: 'your-client-id',
  
  // For Okta:
  OKTA_DOMAIN: 'your-domain.okta.com',
  OKTA_CLIENTID: 'your-client-id',
  OKTA_ISSUER: 'https://your-domain.okta.com/oauth2/default',
  OKTA_REDIRECT_URI: 'http://localhost:4200/callback',
  OKTA_SCOPES: ['openid', 'profile', 'email']
};

Provider-Specific Setup

Setting Up MSAL (Azure AD/Entra ID)

1. Register Your Application in Azure

Sign in to the Microsoft Entra admin center
Go to Identity > Applications > App registrations and select New registration
Provide a display name and choose Accounts in this organizational directory only
Register the application and note the Application (client) ID and Directory (tenant) ID

2) Configure Redirect URIs

In your app registration, go to Authentication
Add a platform configuration for Single-page application
Add redirect URIs:
- For development: http://localhost:4200
- For production: https://yourapp.com

3) Configure API Permissions

Go to API permissions
Add permissions for Microsoft Graph (User.Read is typically required)
Grant admin consent if required

4) Set Environment Variables

export TENANT_ID=your-tenant-id
export WEB_CLIENT_ID=your-client-id

Setting Up Auth0

1. Create an Auth0 Application

Sign in to your Auth0 Dashboard
Go to Applications and click Create Application
Choose Single Page Web Applications
Note your Domain, Client ID, and Client Secret

2) Configure Application Settings

Set Allowed Callback URLs: http://localhost:4200/callback
Set Allowed Logout URLs: http://localhost:4200
Set Allowed Web Origins: http://localhost:4200
Set Allowed Origins (CORS): http://localhost:4200

3) Set Environment Variables

export AUTH0_DOMAIN=your-domain.auth0.com
export AUTH0_CLIENT_ID=your-client-id
export AUTH0_CLIENT_SECRET=your-client-secret

Setting Up Okta

1. Create an Okta Application

Sign in to your Okta Admin Dashboard
Go to Applications > Applications and click Create App Integration
Choose OIDC - OpenID Connect and Single-Page Application
Configure your application:
- Sign-in redirect URIs: http://localhost:4200/callback
- Sign-out redirect URIs: http://localhost:4200
- Controlled access: Choose appropriate access level

2) Note Your Configuration

Copy your Client ID
Note your Okta Domain (e.g., dev-12345.okta.com)
The default authorization server is at /oauth2/default

3) Set Environment Variables

export OKTA_DOMAIN=your-domain.okta.com
export OKTA_CLIENT_ID=your-client-id
export OKTA_CLIENT_SECRET=your-client-secret  # If using confidential client

Multiple Provider Configuration

You can configure multiple authentication providers simultaneously. This is useful for:

Supporting different authentication methods for different user groups
Gradual migration between providers
Multi-tenant applications

Example configuration with multiple providers:

authProviders: [
  // Azure AD for internal employees
  {
    name: 'azure-internal',
    type: 'msal',
    issuer: `https://login.microsoftonline.com/${process.env.TENANT_ID}/v2.0`,
    audience: process.env.WEB_CLIENT_ID,
    jwksUri: `https://login.microsoftonline.com/${process.env.TENANT_ID}/discovery/v2.0/keys`,
    clientId: process.env.WEB_CLIENT_ID,
    tenantId: process.env.TENANT_ID
  },
  // Auth0 for external customers
  {
    name: 'auth0-customers',
    type: 'auth0',
    issuer: `https://${process.env.AUTH0_DOMAIN}/`,
    audience: process.env.AUTH0_CLIENT_ID,
    jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
    clientId: process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
    domain: process.env.AUTH0_DOMAIN
  }
]

Migrating from Legacy Configuration

If you're upgrading from a version prior to v2.91.0, you'll need to migrate from the legacy authentication configuration to the new authProviders array structure.

Legacy Configuration (Pre-v2.91.0)

Previously, authentication was configured with individual fields:

// Old configuration style
const mjServerConfig = {
  webClientID: 'your-client-id',
  tenantID: 'your-tenant-id',
  auth0Domain: 'your-domain.auth0.com',
  auth0ClientID: 'your-client-id',
  // ... etc
}

New Configuration (v2.91.0+)

Replace the legacy fields with the authProviders array as shown in the Backend Configuration section above. The environment variables remain the same, so no changes to your .env file are required.

Verification and Testing

After configuring authentication:

Update npm packages to v2.91.0 or later:

npm update @memberjunction/server @memberjunction/core @memberjunction/ng-auth-services

Restart your API server

Check the console output for confirmation:

Registered auth provider: msal with issuer: https://login.microsoftonline.com/your-tenant/v2.0
Registered auth provider: msal (type: msal)

Test authentication by:
- Accessing MJExplorer
- Logging in with your configured provider
- Verifying you can access protected resources

Troubleshooting

Common Issues and Solutions

"No authentication providers configured"

Ensure environment variables are set correctly
Check that the authProviders array is properly formatted
Verify .filter(Boolean) is present to remove null entries

"Unsupported authentication provider"

Check that the type field matches exactly: 'msal', 'auth0', or 'okta'
Ensure the issuer URL is correct for your provider

Frontend not authenticating

Verify AUTH_TYPE in Angular environment matches your provider
Check that frontend environment variables match backend configuration
Ensure redirect URIs are correctly configured in your identity provider

Token validation failures

Verify the JWT issuer matches the configured issuer
Check that the audience claim matches your client ID
Ensure the JWKS URI is accessible from your server

Security Best Practices

Never commit credentials to source control
Use environment variables for all sensitive configuration
Implement proper CORS settings in production
Use HTTPS in production environments
Regularly rotate client secrets when using confidential clients
Implement proper token expiration and refresh strategies
Restrict redirect URIs to only necessary domains

Additional Resources

Support

If you encounter issues:

Check the MemberJunction GitHub Issues
Review the authentication implementation in the source code
Contact the MemberJunction support team