This guide covers authentication options for UnitOne AgentGateway deployed on Azure Container Apps.
AgentGateway supports multiple authentication methods:
| Method | Use Case | Configuration |
|---|---|---|
| Azure Easy Auth | Web UI, OAuth providers | Terraform + Azure Portal |
| Anonymous | Development, E2E testing | allow_anonymous_access = true |
| API Keys | Service-to-service | Key Vault + Gateway config |
Easy Auth (the built-in authentication feature of Azure Container Apps) runs the OAuth 2.0 / OpenID Connect login flow at the platform ingress, so the gateway itself needs no authentication code. It supports the following providers:
- Microsoft (Azure AD) - Enterprise SSO, recommended for internal use
- Google - Consumer/workspace accounts
- GitHub - Developer authentication
- Go to Azure Portal → Azure Active Directory → App registrations
- Click New registration
- Configure:
  - Name: UnitOne AgentGateway
  - Supported account types: choose based on your needs (single tenant limits sign-in to your own directory; the multitenant and personal-account options widen who can log in)
  - Redirect URI: https://<your-app>.azurecontainerapps.io/.auth/login/aad/callback
- After creation, note the Application (client) ID
- Go to Certificates & secrets → New client secret
- Note the secret value (shown only once). Azure forces an expiry on client secrets, so record the date and rotate before it lapses
- Go to Google Cloud Console → APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Configure:
  - Application type: Web application
  - Authorized redirect URIs: https://<your-app>.azurecontainerapps.io/.auth/login/google/callback
- Note the Client ID and Client Secret
- Go to GitHub Settings → OAuth Apps → New OAuth App
- Configure:
  - Application name: UnitOne AgentGateway
  - Homepage URL: https://<your-app>.azurecontainerapps.io
  - Authorization callback URL: https://<your-app>.azurecontainerapps.io/.auth/login/github/callback
- Note the Client ID and generate a Client Secret
Add OAuth credentials to your terraform.tfvars. This file now holds live client secrets, so keep it out of version control (see the security notes at the end of this page):

```hcl
# Enable Easy Auth
configure_auth         = true
allow_anonymous_access = false

# Microsoft (Azure AD)
microsoft_client_id     = "your-azure-ad-client-id"
microsoft_client_secret = "your-azure-ad-client-secret"

# Google (optional)
google_client_id     = "your-google-client-id"
google_client_secret = "your-google-client-secret"

# GitHub (optional)
github_client_id     = "your-github-client-id"
github_client_secret = "your-github-client-secret"
```

After terraform apply, complete the setup in Azure Portal:
- Go to Container Apps → Your app → Authentication
- Click Add identity provider
- Select provider (Microsoft, Google, or GitHub)
- Enter the Client ID and Secret
- Configure Allowed token audiences if needed
- Set Restrict access to "Require authentication"
- Save
Verify that unauthenticated requests are challenged:

```bash
# Should redirect to login (302 into /.auth/login/<provider>) or return 401.
# A 200 means requests still reach the app without authentication.
curl -I https://<your-app>.azurecontainerapps.io/ui

# After login, check user info
curl https://<your-app>.azurecontainerapps.io/.auth/me \
  -H "Cookie: <your-auth-cookie>"
```

For development and E2E testing, enable anonymous access:
```hcl
# terraform.tfvars
configure_auth         = true
allow_anonymous_access = true
```

This allows unauthenticated requests while still enabling Easy Auth for optional login. Do not ship this setting to production: with it, every gateway route is reachable without credentials.
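Putting the two checks above into a script, as an added example that is not part of the UnitOne AgentGateway project: `easy_auth_status` classifies a raw response from the gateway as `enforced` (Easy Auth answered with a 401 or a redirect into `/.auth/login/...`), `open` (the app answered 200 without a login, which is what you get while `allow_anonymous_access = true`), or `unknown`. The function names and the sample responses are constructed for this example; `probe_easy_auth` is the only part that touches the network.

```shell
#!/usr/bin/env sh
# Added example, not part of the UnitOne AgentGateway project.
# Classify a gateway response: did Easy Auth challenge the caller, or did the
# request reach the app anonymously (allow_anonymous_access still true)?

easy_auth_status() {
    # $1: raw response headers, as printed by `curl -sI`
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" {print $2; exit}')
    case "$status" in
        401)
            echo enforced ;;
        302|303|307)
            # Only a redirect into the Easy Auth login endpoint counts; any
            # other redirect is the app's own behaviour and proves nothing.
            case "$location" in
                */.auth/login*) echo enforced ;;
                *) echo unknown ;;
            esac ;;
        200)
            echo open ;;
        *)
            echo unknown ;;
    esac
}

probe_easy_auth() {
    # $1: base URL, e.g. https://<your-app>.azurecontainerapps.io (needs network)
    easy_auth_status "$(curl -sI --max-time 10 "$1/ui")"
}

# Constructed sample responses (not captured from a real deployment).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://myapp.azurecontainerapps.io/.auth/login/aad?post_login_redirect_uri=%2Fui
Content-Length: 0'

SAMPLE_401='HTTP/2 401
www-authenticate: Bearer realm="myapp.azurecontainerapps.io"'

SAMPLE_OPEN='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8'

if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_REDIRECT" "$SAMPLE_401" "$SAMPLE_OPEN"; do
        easy_auth_status "$s"
    done
fi
```

Run it with `--demo` to see the three classifications, or call `probe_easy_auth https://<your-app>.azurecontainerapps.io` from a CI job and fail the pipeline on anything other than `enforced` once anonymous access is meant to be off.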
For service-to-service communication, use API keys stored in Key Vault. The gateway config shown after the storage step references the stored key as ${API_KEY} on the /api route.

```bash
# Get Key Vault name from Terraform
KV_NAME=$(cd terraform && terraform output -raw key_vault_name)

# Store API key. Use at least 32 bytes from a cryptographic random source,
# never a human-chosen string; the value below is a placeholder.
az keyvault secret set \
  --vault-name "$KV_NAME" \
  --name "api-key-service-a" \
  --value "your-secure-api-key"
```
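The placeholder value above should never be a string a person typed. As an added example that is not part of the UnitOne AgentGateway project, the script below mints a 256-bit key, derives a short fingerprint that is safe to put in logs and tickets, and stores the key in Key Vault with an expiry so that rotation has a deadline. It assumes `openssl` and, for `--store`, an `az` CLI that is already logged in; the secret name `api-key-service-a` follows the page, while the 90-day lifetime and the function names are assumptions of the example. The gateway configuration that consumes the key follows.

```shell
#!/usr/bin/env sh
# Added example, not part of the UnitOne AgentGateway project.
# Mint a high-entropy API key, fingerprint it for logging, and store it in
# Key Vault with an expiry (assumed 90 days) so rotation is enforceable.

generate_api_key() {
    # 32 random bytes, base64url without padding: 43 chars, ~256 bits of entropy
    openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n'
}

key_fingerprint() {
    # $1: api key. First 16 hex chars of SHA-256; safe to log, does not reveal the key.
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print substr($NF, 1, 16)}'
}

store_api_key() {
    # $1: key vault name, $2: secret name, $3: key value
    # GNU date first, BSD/macOS date as fallback.
    expires=$(date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -v+90d +%Y-%m-%dT%H:%M:%SZ)
    az keyvault secret set \
        --vault-name "$1" \
        --name "$2" \
        --value "$3" \
        --content-type "api-key" \
        --expires "$expires" \
        --output none
}

if [ "${1:-}" = "--store" ]; then
    KV_NAME=$(cd terraform && terraform output -raw key_vault_name)
    KEY=$(generate_api_key)
    store_api_key "$KV_NAME" "api-key-service-a" "$KEY"
    # Log the fingerprint, never the key itself.
    echo "stored api-key-service-a, fingerprint $(key_fingerprint "$KEY")"
fi
```

Hand the same fingerprint to the consuming service's operators: it lets both sides confirm they hold the same key without ever pasting the secret into a chat or ticket.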
```yaml
routes:
  - name: api-route
    matches:
      - path:
          pathPrefix: /api
    policies:
      # Add API key header requirement
      requestHeaders:
        add:
          - name: x-api-key
            value: "${API_KEY}"
```

Note what this policy does: it attaches the `x-api-key` header, with the key resolved from the `API_KEY` environment variable, to requests the gateway forwards on the `/api` route. It does not by itself reject callers that omit or mis-state the key; that check has to happen wherever the header is consumed, and the key still has to reach the gateway's environment from Key Vault (for example through a Container Apps secret reference). Keep the literal key out of the config file.

If requests are not being redirected to login:

- Verify allow_anonymous_access = false in terraform
- Check Easy Auth is enabled in Azure Portal

If the provider reports a redirect URI mismatch or login fails:

- Verify redirect URIs match exactly
- Verify redirect URI includes /.auth/login/<provider>/callback
- Check client ID and secret are correct
- Ensure HTTPS is used (not HTTP)

```bash
# Check current auth status
curl https://<your-app>.azurecontainerapps.io/.auth/me

# Force re-login
curl https://<your-app>.azurecontainerapps.io/.auth/login/<provider>
```

For service-to-service authentication, you can require client certificates (mutual TLS).
- Service-to-service auth - Backend services calling the gateway must prove identity
- Zero-trust architecture - Every caller must present a valid certificate
- Enterprise environments - Integrate with existing PKI infrastructure
```hcl
# terraform.tfvars
client_certificate_mode = "require"  # or "accept" or "ignore"
```

| Mode | Behavior |
|---|---|
| ignore | Don't request client certs (default) |
| accept | Accept certs if provided, but don't require |
| require | All requests must have valid client cert |

Treat "accept" as a migration aid only: callers without a certificate are still let through, so it enforces nothing on its own.
```text
Client Service                  AgentGateway
     │                               │
     │── TLS handshake ─────────────►│
     │◄── Server certificate ────────│
     │── Client certificate ────────►│ ← Gateway verifies
     │◄── Connection established ────│
     │── MCP request ───────────────►│
```
For testing, generate a self-signed CA and a client certificate signed by it:

```bash
# Generate CA (guard ca.key: anyone holding it can mint certs the gateway trusts)
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=MyCA"

# Generate client key and CSR, then sign the CSR with the CA
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj "/CN=my-service"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
```

For production, use your organization's PKI or Azure Key Vault certificates.

```bash
curl --cert client.crt --key client.key \
  https://your-app.azurecontainerapps.io/mcp
```

- Never commit secrets - Use terraform.tfvars (gitignored) or environment variables
- Rotate secrets regularly - Update in OAuth provider and Key Vault
- Use Azure AD for enterprise - Provides SSO, MFA, and audit logs
- Enable HTTPS only - Container Apps enforce this by default
- Monitor authentication logs - Check Application Insights for auth events
- Use mTLS for service-to-service - More secure than API keys for internal services
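Returning to the mTLS test setup above: as an added example that is not part of the UnitOne AgentGateway project, the script below builds the same throwaway PKI in a scratch directory plus a second, untrusted CA, then runs the decision a gateway in `client_certificate_mode = "require"` has to make: does the presented client certificate chain to the trusted CA, and is it usable for TLS client authentication? The names `ca`, `rogue-ca`, `client` and `rogue-client`, the 365-day validity and the 2048-bit keys (smaller than the page's 4096 bits, to keep the demo fast) are all assumptions of the example.

```shell
#!/usr/bin/env sh
# Added example, not part of the UnitOne AgentGateway project.
# Build a test PKI (trusted CA + untrusted "rogue" CA, one client cert each)
# and verify client certs against the trusted CA the way a gateway in
# client_certificate_mode = "require" must.

issue_client() {
    # $1: dir, $2: client name, $3: name of the issuing CA (key + cert in $1)
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$1/$2.csr" \
        -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

make_test_pki() {
    # $1: output dir. Leaves ca.crt, client.crt/.key, rogue-ca.crt, rogue-client.crt/.key
    mkdir -p "$1"
    for ca in ca rogue-ca; do
        openssl genrsa -out "$1/$ca.key" 2048 2>/dev/null
        openssl req -new -x509 -days 365 -sha256 -key "$1/$ca.key" \
            -out "$1/$ca.crt" -subj "/CN=$ca" 2>/dev/null
    done
    issue_client "$1" client ca              # trusted by the gateway
    issue_client "$1" rogue-client rogue-ca  # valid-looking cert, wrong issuer
}

verify_client_cert() {
    # $1: CA bundle the gateway trusts, $2: presented client cert
    # -purpose sslclient additionally rejects certs whose key usage or EKU
    # forbids TLS client authentication. Prints "accept" or "reject".
    if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_test_pki "$dir"
    echo "client.crt vs ca.crt:       $(verify_client_cert "$dir/ca.crt" "$dir/client.crt")"
    echo "rogue-client.crt vs ca.crt: $(verify_client_cert "$dir/ca.crt" "$dir/rogue-client.crt")"
    # Present the trusted cert to the gateway:
    #   curl --cert "$dir/client.crt" --key "$dir/client.key" https://<your-app>.azurecontainerapps.io/mcp
    rm -rf "$dir"
fi
```

The rogue client certificate has the same shape as the good one (same CN style, same validity, same key size); the only thing that separates them is the issuer, which is exactly why the gateway must be given the trusted CA bundle and nothing broader.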