Skip to main content

How to set up Entra ID OAuth 2.0 for Spotipo captive portal

Written by Matija Farkaš

Create Entra ID API credentials for OAuth

First, before you even do anything in Spotipo, you need to create OAuth client ID credentials, which you will then use later to set this up in Spotipo.

In your Azure portal, enter the Entra ID section

Once there, add the App registration

Create an app as the "Single tenant only - <your organization>" as you only want to limit this access to internet to people from your organization. If you want everyone to have access to wifi, select "Any Entra ID Tenant + Personal Microsoft Accounts" option.

Next step is to set the Redirect URI type to Web and the address to: https://app.spotipo.com/genericoauth/login/check/

All that's left to do is to register the application. Simply click on the Register button on the bottom of the page.

Now that your app is registered, you will be provided with Client ID, etc. But you still need secret and some more data. Next thing to do is to is add a secret. To do that, under "Client credentials" click on the "Add a certificate or secret"

There, create a new secret

Set the duration of the secret to however long you'd like, just make sure to renew it once time for that comes.

You will now be provided with Secret (under Value). This will be used in Spotipo.

All that we need now is to copy values for Authorize URl and for Access token URL. These can both be found under Endpoints section.

There, find the following values.

Now that we have all the necessary values, we can move on to Spotipo.

Set Oauth 2 in Spotipo

Set up SSO login in Spotipo

To enable SSO in spotipo, on your splash page editor, make sure to turn SSO (OAuth2) Login method on.

Once you have that turned on, proceed to Settings->SSO (OAuth 2) Login.

There, you'll be presented with a few fields. Make sure that the login type is set to Azure AD. And fill in the rest like following. Set the value from Application (client) ID under Client ID field, set Secret, as value from the Secret field in Azure, Authorization URL is "Oauth 2.0 authorization endpoint (v2) and finally, copy Access Token URL value from OAuth 2.0 token endpoint (v2) in Entra ID.

Make sure to save the settings. If you've done everything correctly, OAuth2 should now be enabled for your organization.

Only thing left to do is to whitelist domains in your router of choice.

Whitelisting domains

Before testing the portal out, make sure to enable the following domains in your router's settings for a captive portal.

microsoftonline.com
live.com
msftauth.net
microsoft.com
msauth.net
msauthimages.net

Add this alongside all the previous domains you have whitelisted for the portal. But do not delete previously set up ones.

Test the portal

Since some google domains are now whitelisted, android devices won't be able to have portal open up automatically. Instead, they should visit non https sites, like http://neverssl.com to have the portal trigger. After that, authentication can be done successfully.

To test the new login method with the portal, simply connect to your wifi that should have Oauth 2 set up, or test it using the Demo page in Spotipo.

Once you have done that, simply click on the "Login with a Service" (or just Sign in if this the only login method for you).

Then, try to log in with google Oauth and see if it works.

Did this answer your question?