Search

Configure OpenID Connect for Microsoft Entra

Securely share links to ClickUp public views via OpenID Connect (OIDC).

What you'll need

  • A Workspace owner or admin will need to configure OpenID Connect for your Workspace.
  • A Microsoft Entra admin account.
  • Public views authentication is only available on Enterprise Plans.

Copy your callback URL

During the configuration in the Microsoft Entra admin center, you'll need to paste your callback URL. To copy your callback URL from CickUp:

  1. Activate public views authentication in ClickUp.
  2. To the right of the Callback URL field, click Copy.
    Screenshot of the Copy button on the Callback URL field.png
  3. Your callback URL should follow this format based on your ClickUp configuration: https://app.clickup.com/data/v3/workspaces/{workspaceId}/oidc/callback

Register a new application in Microsoft Entra

To register a new application in Microsoft Entra:

  1. Log in to your organization's Microsoft Entra admin center.
  2. In the left sidebar, click Identity.
  3. In the Entra ID tab, click App registrations.
  4. Click New registration, and select one of these Supported account types:
    • Accounts in this organizational directory only: This is most common for Enterprise accounts.
    • Accounts in any organizational directory: This is a multi-tenant configuration.
    • Accounts in any organizational directory and personal Microsoft accounts: This is a multi-tenant configuration that also allows personal accounts.
  5. In the Platform configurations section, select Add a platform, then select Web.
  6. In the Redirect URI field, paste the value from the Callback URL field in ClickUp. This is where Microsoft Entra sends OAuth responses.
  7. Click Register.

Configure authentication

To configure authentication settings in Microsoft Entra:

  1. In the left sidebar, click Authentication.
  2. In the Platform Configuration section, verify that your redirect URI is correctly configured.
    • Add additional redirect URIs, if needed.
  3. In the Advanced Settings, configure these options:
    • Allow public client flows: Select No. This is recommended for web applications.
    • Supported account types: Verify that the selection matches your requirements. 

Create client secret

To create your client secret in Microsoft Entra:

  1. In the left sidebar, click Certificates & secrets.

  2. Click New client secret and configure the following:

    • Description: Enter a description. For example, OIDC Client Secret.
    • Expires: Select an expiration period. We recommend 24 months maximum.
    • Click Add.

    Ensure that you store the Client Secret securely. It won't be shown in plain text again. 

Retrieve configuration details

To retrieve your configuration details in Microsoft Entra:

  1. From the Overview page, copy these IDs:
    • Application (client) ID: For example, 12345678-1234-1234-1234-123456789abc
    • Directory (tenant) ID: For example, 12345678-1234-1234-1234-123456789abc
  • OpenID Discovery URL discoveryUrl: The discovery URL for Microsoft EntraID follows this format:
    • https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration.
    • Replace {tenant-id} with your Directory (tenant) ID.
    • For example: https://login.microsoftonline.com/12345678-1234-1234-1234-123456789abc/v2.0/.well-known/openid-configuration.
    • The OIDC discovery URL automatically provides these endpoints:
      • Issuer: issuer
      • Authorization Endpoint: authorization_endpoint
      • Token Endpoint: token_endpoint
      • UserInfo Endpoint: userinfo_endpoint
      • JWKS URI: jwks_uri

Configure API permissions

These settings are optional. 

To configure API permissions:

  1. In the left sidebar, click API permissions.
  2. By default, the User.Read permission is added. This allows the reading of basic user profile info.
    • If necessary, click Add a permission, then choose Microsoft Graph. Optionally, you can add these permissions:
      • openid: OpenID Connect sign in.
      • profile: Basic profile info.
      • email: Email address.
    • If the permissions need admin consent, click Grant admin consent.

Test your configuration

These configurations will be processed by your ClikUp OIDC service automatically to derive all other necessary endpoints and settings. 

To test your configuration:

  1. Use the discovery URL in a browser to verify that it returns a valid JSON configuration.

    • For example: 

      {
    
"clientId": "12345678-1234-1234-1234-123456789abc",
    
"clientSecret": "very-long-secret-string-here",
    
"discoveryUrl": "https://login.microsoftonline.com/87654321-4321-4321-4321-210987654321/v2.0/.well-known/openid-configuration"

}
  2. Test the OIDC flow using your application.
  3. Verify that the callback URL is accessible and properly configured.