ahmido
c5fbcaa692
Key changes Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there). Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens. Blocks disabled / soft-deleted users with a generic error and safe logging. Membership-based post-login routing: 0 memberships → /admin/no-access 1 membership → tenant dashboard (via Filament URL helpers) >1 memberships → /admin/choose-tenant Adds Filament pages: /admin/choose-tenant (tenant selection + redirect) /admin/no-access (tenantless-safe) Both use simple layout to avoid tenant-required UI. Guards / tests Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for: /admin/login, /admin/no-access, /admin/choose-tenant with Http::preventStrayRequests() Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa. Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #76
40 lines
1.6 KiB
Markdown
40 lines
1.6 KiB
Markdown
# Contract: Entra Auth Flow
|
|
|
|
This document describes the OIDC authentication flow for Entra sign-in.
|
|
|
|
## Sequence Diagram
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant User
|
|
participant Browser
|
|
participant TenantPilot
|
|
participant MicrosoftEntra
|
|
|
|
User->>Browser: Access /admin/login
|
|
Browser->>TenantPilot: GET /admin/login
|
|
TenantPilot-->>Browser: Show "Sign in with Microsoft" button
|
|
User->>Browser: Click "Sign in with Microsoft"
|
|
Browser->>TenantPilot: GET /auth/entra/redirect
|
|
TenantPilot->>Browser: HTTP 302 Redirect to Microsoft Entra
|
|
Browser->>MicrosoftEntra: GET /authorize... (with OIDC params)
|
|
MicrosoftEntra-->>Browser: Show Microsoft login page
|
|
User->>Browser: Enter credentials
|
|
Browser->>MicrosoftEntra: POST credentials
|
|
MicrosoftEntra-->>Browser: HTTP 302 Redirect to /auth/entra/callback (with auth code)
|
|
Browser->>TenantPilot: GET /auth/entra/callback?code=...&state=...
|
|
TenantPilot->>MicrosoftEntra: POST /token (exchange code for ID token)
|
|
MicrosoftEntra-->>TenantPilot: Return ID Token (JWT)
|
|
TenantPilot->>TenantPilot: Validate token, decode claims (tid, oid, etc.)
|
|
TenantPilot->>TenantPilot: Upsert user in DB using (tid, oid)
|
|
TenantPilot->>TenantPilot: Regenerate session, log user in
|
|
TenantPilot->>TenantPilot: Check user's tenant memberships
|
|
alt 0 memberships
|
|
TenantPilot->>Browser: HTTP 302 Redirect to /admin/no-access
|
|
else 1 membership
|
|
TenantPilot->>Browser: HTTP 302 Redirect to tenant dashboard
|
|
else >1 memberships
|
|
TenantPilot->>Browser: HTTP 302 Redirect to /admin/choose-tenant
|
|
end
|
|
```
|