ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
c5fbcaa692
TenantAtlas/specs/063-entra-signin/contracts/entra-auth-flow.md
ahmido c5fbcaa692 063-entra-signin (#76) 
Key changes

Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there).
Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens.
Blocks disabled / soft-deleted users with a generic error and safe logging.
Membership-based post-login routing:
0 memberships → /admin/no-access
1 membership → tenant dashboard (via Filament URL helpers)
>1 memberships → /admin/choose-tenant
Adds Filament pages:
/admin/choose-tenant (tenant selection + redirect)
/admin/no-access (tenantless-safe)
Both use simple layout to avoid tenant-required UI.
Guards / tests

Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for:
/admin/login, /admin/no-access, /admin/choose-tenant
with Http::preventStrayRequests()
Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa.
Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #76
2026-01-27 16:38:53 +00:00

1.6 KiB
Raw Blame History

Contract: Entra Auth Flow

This document describes the OIDC authentication flow for Entra sign-in.

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant TenantPilot
    participant MicrosoftEntra

    User->>Browser: Access /admin/login
    Browser->>TenantPilot: GET /admin/login
    TenantPilot-->>Browser: Show "Sign in with Microsoft" button
    User->>Browser: Click "Sign in with Microsoft"
    Browser->>TenantPilot: GET /auth/entra/redirect
    TenantPilot->>Browser: HTTP 302 Redirect to Microsoft Entra
    Browser->>MicrosoftEntra: GET /authorize... (with OIDC params)
    MicrosoftEntra-->>Browser: Show Microsoft login page
    User->>Browser: Enter credentials
    Browser->>MicrosoftEntra: POST credentials
    MicrosoftEntra-->>Browser: HTTP 302 Redirect to /auth/entra/callback (with auth code)
    Browser->>TenantPilot: GET /auth/entra/callback?code=...&state=...
    TenantPilot->>MicrosoftEntra: POST /token (exchange code for ID token)
    MicrosoftEntra-->>TenantPilot: Return ID Token (JWT)
    TenantPilot->>TenantPilot: Validate token, decode claims (tid, oid, etc.)
    TenantPilot->>TenantPilot: Upsert user in DB using (tid, oid)
    TenantPilot->>TenantPilot: Regenerate session, log user in
    TenantPilot->>TenantPilot: Check user's tenant memberships
    alt 0 memberships
        TenantPilot->>Browser: HTTP 302 Redirect to /admin/no-access
    else 1 membership
        TenantPilot->>Browser: HTTP 302 Redirect to tenant dashboard
    else >1 memberships
        TenantPilot->>Browser: HTTP 302 Redirect to /admin/choose-tenant
    end