ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
d514550579
TenantAtlas/specs/063-entra-signin/research.md
Ahmed Darrazi d514550579 feat(063): Entra sign-in (tenant panel) v1
2026-01-27 17:22:33 +01:00

52 lines
2.6 KiB
Markdown
Raw Blame History

# Research: 063 — Entra Sign-in
## 1. Required OAuth Scopes for Entra ID Sign-in
**Decision**: Use the standard OpenID Connect scopes: `openid`, `email`, `profile`.
**Rationale**:
- `openid`: Required for OIDC compliance, returns the `sub` (subject) claim which can be used for the user identifier.
- `email`: Requests the `email` claim.
- `profile`: Requests claims like `name`, `family_name`, `given_name`.
The `tid` and `oid` claims are standard in Microsoft's implementation and do not require special scopes.
**Alternatives considered**:
- Requesting more specific scopes (e.g., `User.Read` from Microsoft Graph). This is not necessary for basic sign-in and would require the Graph API, which is out of scope for the login flow itself.
## 2. User Provisioning Strategy
**Decision**: Just-In-Time (JIT) provisioning using `updateOrCreate`.
**Rationale**:
- The `spec.md` requires upserting the user based on `(entra_tenant_id, entra_object_id)`.
- Laravel's `updateOrCreate` is the idiomatic way to handle this. It will find a user with the matching `entra_tenant_id` and `entra_object_id` or create a new one if none exists.
- The `User` model will be updated with information from the Entra ID claims (name, email).
**Alternatives considered**:
- Pre-provisioning users. This would require an admin to manually create users before they can sign in, which is not a good user experience.
## 3. Interaction with Tenant RBAC
**Decision**: The sign-in flow will only *read* tenant memberships after the user is authenticated.
**Rationale**:
- The `spec.md` is clear: "063 MUST NOT refactor tenant RBAC data model or enforcement. It may only **read** memberships to decide where to redirect after login."
- After the user is upserted and logged in, a service class will be used to check their tenant memberships (e.g., `Auth::user()->tenants()->count()`).
- The result of this check (0, 1, or N) will determine the redirect path as per the spec.
**Alternatives considered**:
- Modifying RBAC during login. This is explicitly out of scope.
## 4. User Experience for Unmapped/New Users
**Decision**: The user experience is defined by the post-login routing based on tenant memberships.
**Rationale**:
- If a new user signs in via Entra, they will be created in the `users` table.
- At this point, they will have 0 tenant memberships.
- According to the spec (`FR-003`), they will be redirected to `/admin/no-access`.
- This page will instruct them to "Ask an admin to add you." This is the desired flow.
**Alternatives considered**:
- Displaying an error on the login page. This is less user-friendly than guiding them to a page that explains the next steps.
Reference in New Issue View Git Blame Copy Permalink