-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
ab5293b
commit 8302b99
Showing
2 changed files
with
86 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
# Understanding Login Functionality | ||
|
||
## Introduction: | ||
|
||
The login functionality in our application is crucial for securing our platform and ensuring that only authorized individuals have access. | ||
It is facilitated through the integration of Devise, Omniauth, and Azure AD strategy. | ||
This document elaborates on the process of configuring and operating the login functionality, especially focusing on its interaction with Azure App Registration. | ||
|
||
1. **Key Components**: | ||
- **Devise**: A flexible authentication solution for Rails based on Warden. | ||
- **Omniauth**: A library that standardizes multi-provider authentication for web applications. | ||
- **Azure Strategy**: A strategy employed by Omniauth to authenticate with Azure AD. | ||
2. **Azure AD and App Registration**: | ||
- Our application connects to an Azure App Registration configured on Azure within the DfE tenant. | ||
- The specific app registration we use is named `get-a-teacher-relocation-payment`. With suffix of 'local', 'qa', 'staging', 'production' for each environment. | ||
3. **Configuration for GitHub PR Review Apps**: | ||
|
||
- The `local` app registration is configured to work with GitHub PR review apps when adding the `deploy` label. | ||
- To make it work for a new PR review app deployment, update the list of redirect URIs in the Azure app registration configuration. Include the new URI corresponding to the PR number of the deployed GitHub review app. | ||
|
||
4. **Login Process**: | ||
- Navigate to the login page. | ||
- You will be redirected to Azure for authentication. Log in using an `@education.gov.uk` email address. | ||
- Upon successful authentication with Azure, you get redirected back, and then the application checks against an internal list of authorized users. | ||
- If the email address is on the list, the user is logged in; otherwise, access is denied. | ||
5. **Rails App Internal User List**: | ||
|
||
- Our Rails application maintains an internal list of users authorized to log in. | ||
- This list is crucial for an additional layer of access control beyond Azure authentication. | ||
|
||
6. **Code Snippet** (For illustration): | ||
|
||
```ruby | ||
# config/initializers/devise.rb | ||
Devise.setup do |config| | ||
config.omniauth(:azure_activedirectory_v2, | ||
client_id: ENV.fetch("AZURE_CLIENT_ID", nil), | ||
client_secret: ENV.fetch("AZURE_CLIENT_SECRET", nil), | ||
tenant_id: ENV.fetch("AZURE_TENANT_ID", nil)) | ||
end | ||
|
||
# app/controllers/users/omniauth_callbacks_controller.rb | ||
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController | ||
skip_before_action :check_service_open! | ||
|
||
def azure_activedirectory_v2 | ||
response_params = request.env["omniauth.auth"]["info"] | ||
@user = User.find_by(email: response_params["email"]) | ||
|
||
if @user | ||
sign_in_and_redirect(@user, event: :authentication) | ||
else | ||
flash[:alert] = t("omniauth_callbacks.no_account") | ||
redirect_to(root_path) | ||
end | ||
end | ||
|
||
def after_omniauth_failure_path_for(_scope) | ||
root_path | ||
end | ||
end | ||
``` | ||
|
||
This snippet demonstrates the setup of Devise and Omniauth with the Azure strategy and a simplified user model that finds or creates a user based on the Azure authentication data. | ||
|
||
## Conclusion: | ||
|
||
Understanding and configuring the login functionality correctly is vital for the security and proper functioning of our application. Following the outlined steps ensures a seamless authentication process, leveraging Azure AD while maintaining an extra layer of access control through an internal user list. |