Skip to content

Azure AD sidecar


This feature is only available in dev-gcp and prod-gcp.


A reverse proxy that provides functionality to handle Azure AD login and logout.



Port Configuration

The sidecar will occupy and use the ports 7564 and 7565.

Ensure that you do not bind to these ports from your application as they will be overridden.

      enabled: true
      enabled: true

      # everything below is optional, defaults shown
      autoLogin: false

See the NAIS manifest for details.



See the Wonderwall appendix for usage details.

Token Validation

Secure your endpoints

Your application is responsible for securing its own endpoints.

  • If a request does not contain an Authorization header, the request should be considered unauthenticated and access should be denied.
  • If a request has an Authorization header that contains a JWT, the token must be validated before access is granted.

Your application should validate the claims and signature for the JWT Bearer access_token attached by the sidecar in the Authorization header.

The aud (audience) claim must be equal to your application's client ID in Azure AD.

Next Steps

The access token that Wonderwall provides should only be accepted and used by your application.

In order to access other applications, you should exchange the token in order to get a new token that is correctly scoped to access a given application.

For Azure AD, use the on-behalf-of grant to do this.

Last update: 2023-03-28
Created: 2021-08-25