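#!/bin/bash
# Create Azure AD App Registration for Entra VerifiedID
#
# Automates creation of the app registration, its service principal and a
# client secret, then records the identifiers in .entra-app-info.txt for the
# next step (./scripts/deploy/store-entra-secrets.sh).
#
# Requires: Azure CLI (az), logged in with rights to create app registrations.
#
# Security notes:
#   - The client secret is written to .entra-app-info.txt with owner-only
#     permissions and is NOT echoed to the terminal: scrollback and CI logs are
#     a common leak path. Keep that file out of version control and delete it
#     once the secret has been stored in its final location.
#   - The secret is issued with a 1-year lifetime; plan rotation before expiry.
#   - API permissions still have to be added and admin-consented manually; the
#     permission IDs for the Verifiable Credentials Service are not pinned here.
set -euo pipefail

# Colors
readonly GREEN='\033[0;32m'
readonly BLUE='\033[0;34m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'

# Where the summary (including the secret) is written; consumed by the next step.
readonly INFO_FILE=".entra-app-info.txt"
# Application (client) ID of the Verifiable Credentials Service API used in the
# manual permission instructions below. Not used programmatically because the
# exact permission (role) IDs are not pinned in this script.
readonly VC_SERVICE_APP_ID="3db474b9-7a6d-4f50-afdc-70940ce1df8f"

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
# Warnings go to stderr so they are not swallowed when stdout is redirected.
log_warning() { echo -e "${YELLOW}[WARNING]${NC} $1" >&2; }
die() { log_warning "$1"; exit 1; }

# --- Prerequisites ----------------------------------------------------------
if ! command -v az >/dev/null 2>&1; then
  die "Azure CLI not found. Install from: https://docs.microsoft.com/cli/azure/install-azure-cli"
fi

if ! az account show >/dev/null 2>&1; then
  die "Not logged in to Azure. Run: az login"
fi

log_info "Creating Azure AD App Registration for Entra VerifiedID..."

# --- Inputs -----------------------------------------------------------------
read -r -p "App Registration name (default: the-order-entra): " APP_NAME
APP_NAME=${APP_NAME:-the-order-entra}
# Recorded in the summary only; nothing in this script tags Azure resources.
read -r -p "Resource Group (optional, for tagging): " RESOURCE_GROUP

# Refuse to create a second registration with the same display name: Entra
# allows duplicates, and a later `credential reset` run against the wrong one
# would silently invalidate secrets something else depends on.
EXISTING_COUNT=$(az ad app list --display-name "${APP_NAME}" --query 'length(@)' -o tsv)
if [[ "${EXISTING_COUNT}" != "0" ]]; then
  die "An app registration named '${APP_NAME}' already exists (${EXISTING_COUNT} found). Pick another name rather than creating a duplicate."
fi

# --- App registration -------------------------------------------------------
log_info "Creating app registration: ${APP_NAME}"
# Single-tenant is the CLI default; stated explicitly so a future default change
# cannot silently turn this confidential client into a multi-tenant app.
APP_ID=$(az ad app create \
  --display-name "${APP_NAME}" \
  --sign-in-audience AzureADMyOrg \
  --query appId -o tsv)
[[ -n "${APP_ID}" ]] || die "az ad app create returned no appId"

log_success "App Registration created!"
log_info "Application (Client) ID: ${APP_ID}"

TENANT_ID=$(az account show --query tenantId -o tsv)
log_info "Directory (Tenant) ID: ${TENANT_ID}"

# --- Service principal ------------------------------------------------------
log_info "Creating service principal..."
az ad sp create --id "${APP_ID}" --output none
log_success "Service principal created"

# --- Client secret ----------------------------------------------------------
log_info "Creating client secret (valid for 1 year)..."
# `credential reset` replaces the app's existing password credentials. That is
# acceptable here only because the registration was created moments ago and has
# none; never reuse this command on an app whose secrets are already in use.
# --query/-o tsv avoids a jq dependency and keeps the JSON out of the process list.
CLIENT_SECRET=$(az ad app credential reset \
  --id "${APP_ID}" \
  --years 1 \
  --query password -o tsv)
[[ -n "${CLIENT_SECRET}" ]] || die "az ad app credential reset returned an empty password"
log_success "Client secret created"
# Deliberately not printed: the value lives only in ${INFO_FILE}.
log_warning "IMPORTANT: the client secret is written to ${INFO_FILE} only and cannot be retrieved again from Azure!"

# --- API permissions (manual) -----------------------------------------------
log_info "Adding Verifiable Credentials Service permissions..."
# Note: exact permission IDs may vary - this is a template
log_warning "You need to add permissions manually in Azure Portal:"
log_info "1. Go to Azure Portal → App registrations → ${APP_NAME} → API permissions"
log_info "2. Add permission → APIs my organization uses"
log_info "3. Search for 'Verifiable Credentials Service' (app ID ${VC_SERVICE_APP_ID})"
log_info "4. Add Application permissions: VerifiableCredential.Create.All, VerifiableCredential.Verify.All"
log_info "5. Grant admin consent"

# --- Summary file -----------------------------------------------------------
# Remove any previous copy so a pre-existing world-readable file is not reused,
# then create the new one under umask 077 (subshell keeps the mask local).
rm -f -- "${INFO_FILE}"
(
  umask 077
  cat > "${INFO_FILE}" <<EOF
Azure AD App Registration Created
==================================

Application Name: ${APP_NAME}
Application (Client) ID: ${APP_ID}
Directory (Tenant) ID: ${TENANT_ID}
Client Secret: ${CLIENT_SECRET}
Resource Group: ${RESOURCE_GROUP}

NEXT STEPS:
1. Add API permissions in Azure Portal (see above)
2. Grant admin consent
3. Store these values securely
4. Run: ./scripts/deploy/store-entra-secrets.sh
5. Delete this file once the secret has been stored
EOF
)
chmod 600 "${INFO_FILE}"

# Best-effort guard against committing the secret.
if [[ -d .git ]] && ! grep -qxF -- "${INFO_FILE}" .gitignore 2>/dev/null; then
  log_warning "${INFO_FILE} is not listed in .gitignore - add it so the secret is never committed."
fi

log_success "App registration complete!"
log_info "Details saved to: ${INFO_FILE} (mode 0600)"
log_warning "Remember to add API permissions and grant admin consent!"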