The project supports local auth and optional Microsoft Entra ID sign-in.
- Username/password stored in
Users. - Role mapping via
RolesandUserRoles. - Passwords hashed with bcrypt.
- Admin directory management in
admin/users.php.
Flow entrypoints:
auth/azure/start.phpauth/azure/callback.php
Required inputs:
- Tenant ID
- Client ID
- Client secret
- Redirect URI (
https://<host>/auth/azure/callback.php)
Methods:
- TOTP (authenticator apps)
- WebAuthn passkeys
Local policy:
- Admin can enforce MFA for all local accounts.
- When enabled, local users without enrolled TOTP/passkey cannot complete local password sign-in.
Enrollment and management:
account/security.php- Challenge route:
mfa/challenge.php
- Registration payloads are normalized server-side for multiple credential-manager shapes (including providers that emit base64url variants or byte-array fields).
- If registration fails, inspect
register-verifyJSON errordetailfor actionable reason (malformed_credential,credential_decode_failed, etc.).
- Uses Microsoft Graph
sendMailapp permissions (Mail.Send). - Sender mailbox configured with
RSYSLOG_GRAPH_MAIL_SENDER. - Delivery outcomes are written to
EmailLogs.
SignInLogs: local and Entra attempts (allowed/failed) with source reason and IP.AccessLogs: allow/deny decisions such as HTTPS whitelist policy blocks.- User-facing sign-in history is visible in Account -> Security.
flowchart TD
user[User] --> login[LoginPage]
login -->|local| localValidate[LocalCredentialCheck]
login -->|microsoft| entraStart[EntraOIDCStart]
entraStart --> callback[OIDCCallback]
localValidate --> mfaGate[MFAChallenge]
callback --> mfaGate
mfaGate --> session[EstablishedSession]
- Require strong secrets (
RSYSLOG_SESSION_SECRET,RSYSLOG_APP_SECRET). - Keep
RSYSLOG_AUTH_ENABLED=1unless protected by a trusted upstream auth layer. - Rotate Entra secrets if exposed.