Microsoft SSO
Microsoft (Entra ID) OIDC sign-in flow + Cognito Hosted UI callback.
Begin Microsoft (Entra ID) OIDC sign-in
Generates a signed `state` and 302-redirects the browser to the Microsoft authorize endpoint.
Microsoft OIDC redirect URI
Microsoft redirects here with `code` + `state`. The handler exchanges the code, verifies the ID token, finds the user's tenant, runs Cognito CUSTOM_AUTH to mint Cognito tokens, sets session cookies, and 302-redirects to the SPA.
Cognito Hosted UI redirect URI
Receives the Hosted UI authorization `code` + signed `state`, then 302-redirects to the SPA with the code and a tenant `state` blob attached.
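One way the signed `state` issued at sign-in could be built and then checked in the two callback handlers before the `code` is used. This is an added example, not this project's code: the HMAC-SHA256 construction, the nonce cookie binding, the 600-second lifetime and all names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed lifetime; the page does not specify one


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


def make_state(key, data, now=None):
    """Begin step: return (state, nonce); the nonce also goes in a short-lived cookie."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = {"n": nonce, "exp": int(now) + STATE_TTL_SECONDS, "d": data}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + _b64(_sign(key, body)), nonce


def verify_state(key, state, cookie_nonce, now=None):
    """Callback step: return the payload, or None if forged, expired or unbound."""
    now = time.time() if now is None else now
    try:
        body, sig = state.split(".")
        # Check the MAC before parsing anything the client controls.
        if not hmac.compare_digest(_unb64(sig), _sign(key, body)):
            return None
        payload = json.loads(_unb64(body))
        nonce_ok = hmac.compare_digest(payload["n"].encode(), cookie_nonce.encode())
        if not nonce_ok or now > payload["exp"]:
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return payload
```

A callback that gets `None` back should stop before exchanging the `code`, since the request did not originate from a sign-in this browser started.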