PoC Baseline
appsvc-easyauth-workforce
easyauth
Next.js 16 x Azure auth comparison
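First, we establish the starting point for comparing Easy Auth and app-managed auth in a single codebase.
As a first step, this lays down a skeleton in which the public / protected routes, the normalized session, the telemetry bootstrap, and the Graph Track A / Track B comparison surface can all be observed from the same UI.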
trace: traceparent not available
Runtime contract
Platform auth: easyauth
App auth: n/a
Identity profile: workforce
Easy Auth local mock: disabled
- `APP_AUTH_MODE` takes effect only on targets where `PLATFORM_AUTH_MODE=none`.
- proxy.ts is for optimistic routing only; strict authorization is re-verified server-side.
- The Easy Auth token store dependency is confined to `src/lib/auth/adapters/easyauth.ts`.
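A sketch of the server-side re-check and normalized session described in the notes above, added here as an illustration and not taken from the PoC's code. It decodes the `X-MS-CLIENT-PRINCIPAL` header that App Service Authentication passes to the app; the type names, function names and the sample principal are hypothetical, and it assumes the app is reachable only through the platform auth layer.

```typescript
// Added example (not the PoC's code); type and function names are hypothetical.
// Assumption: traffic reaches the app only through App Service Authentication,
// so X-MS-CLIENT-PRINCIPAL was written by the platform, not by the caller.
interface Claim { typ: string; val: string }
interface NormalizedSession { provider: string; subject: string; name: string | null; roles: string[] }
interface Decision { status: 200 | 401 | 403; session: NormalizedSession | null }

const OID = "http://schemas.microsoft.com/identity/claims/objectidentifier";
const B: any = (globalThis as any).Buffer; // Node global, reached without Node typings

function normalizeSession(header: string | null | undefined): NormalizedSession | null {
  if (!header) return null;
  let p: any;
  try {
    p = JSON.parse(B.from(header, "base64").toString("utf8"));
  } catch (e) {
    return null; // a malformed header is anonymous, never authenticated
  }
  if (!p || typeof p.auth_typ !== "string" || !p.auth_typ || !Array.isArray(p.claims)) return null;
  const claims: Claim[] = p.claims.filter(
    (c: any) => c && typeof c.typ === "string" && typeof c.val === "string");
  const first = (typ: string): string | null => {
    const hit = claims.filter(c => c.typ === typ)[0];
    return hit ? hit.val : null;
  };
  const subject = first(OID) || first("oid") || first("sub");
  if (!subject) return null; // no stable identifier, no session
  const roleTyp = typeof p.role_typ === "string" ? p.role_typ : "roles";
  return {
    provider: p.auth_typ,
    subject,
    name: typeof p.name_typ === "string" ? first(p.name_typ) : null,
    roles: claims.filter(c => c.typ === roleTyp || c.typ === "roles").map(c => c.val),
  };
}

// Server-side gate: decides regardless of what proxy.ts routed optimistically.
function authorize(header: string | null | undefined, requiredRole?: string): Decision {
  const session = normalizeSession(header);
  if (!session) return { status: 401, session: null };
  if (requiredRole && session.roles.indexOf(requiredRole) < 0) return { status: 403, session };
  return { status: 200, session };
}

// Constructed sample principal (not captured from a real tenant).
function sampleHeader(roles: string[]): string {
  const claims = [{ typ: OID, val: "00000000-0000-0000-0000-000000000001" },
                  { typ: "name", val: "Test User" }]
    .concat(roles.map(r => ({ typ: "roles", val: r })));
  return B.from(JSON.stringify({ auth_typ: "aad", name_typ: "name", role_typ: "roles", claims })).toString("base64");
}
```

Only the normalized session leaves this function; the raw header and any provider tokens stay on the server side of the adapter.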
Session status
deployment target: appsvc-easyauth-workforce
workforce
Anonymous runtime
track-a
Self profile via /me
User.Read
least-privilege baseline for delegated Graph access on the current signed-in user.
default target: appsvc-easyauth-workforce
- App Service auth V2 uses explicit loginParameters scope for Graph Track A.
- Hybrid track reuses the same permission surface and delegates refresh to /.auth/refresh.
- The browser never becomes the trust boundary for raw provider tokens.
track-b
Directory search via /users
User.ReadBasic.All or wider
admin-consented directory lookup isolated to a dedicated target and registration.
default target: appsvc-easyauth-workforce-admin
- Track B is separated from Track A and from the exhibition B2B target.
- Guest-oriented B2B baseline relies on app roles, groups, and claims before directory search.
- Advanced queries can require ConsistencyLevel: eventual and $count=true.