
🛂 POC integration with Identity Center and EntraID in the AP UI #4271

Closed
3 of 4 tasks
Tracked by #1132
michaeljcollinsuk opened this issue May 7, 2024 · 5 comments


michaeljcollinsuk (Contributor) commented May 7, 2024

User Story

As a developer
I want to create a POC of the integration with Identity Centre and EntraID in the UI
So that I can confirm that it will suit our needs

Value / Purpose

Confirm that we can use Identity Centre and EntraID together to log users in to the AP

Useful Contacts

No response

User Types

No response

Hypothesis

No response

Proposal

Create a POC integration with Identity Centre and Entra ID in the AP UI.
The POC should allow us to:

  • Visit the homepage of the UI
  • Click a login button
  • User is able to authenticate with EntraID/Identity Centre
  • The user is logged in and redirected back to the AP UI

Additional Information

No response

Definition of Done

  • Code written to integrate with Identity Centre via EntraID
  • Unit tests to cover the login process, with external calls mocked
  • Click through test to confirm a user can log in to the UI successfully
  • Confirm users exist in Identity Centre and EntraID
@michaeljcollinsuk michaeljcollinsuk changed the title 📖 POC integration with Identity Centre and EntraID in the AP UI 🛂 POC integration with Identity Centre and EntraID in the AP UI May 7, 2024
Ed-Bajo commented May 14, 2024

Ticket blocked until identity centre work is complete.

@bagg3rs bagg3rs changed the title 🛂 POC integration with Identity Centre and EntraID in the AP UI 🛂 POC integration with Identity Center and EntraID in the AP UI Jun 11, 2024
julialawrence (Contributor) commented:
Identity work is complete. This ticket is now unblocked.

@michaeljcollinsuk michaeljcollinsuk moved this from 👀 TODO to 🚀 In Progress in Analytical Platform Jul 12, 2024
@michaeljcollinsuk michaeljcollinsuk self-assigned this Jul 12, 2024
michaeljcollinsuk (Contributor, Author) commented:
Excalidraw diagram with planned next steps to test OIDC flow https://mojdt.slack.com/archives/C06NFN4FMNG/p1720797293431939

michaeljcollinsuk (Contributor, Author) commented:
Initial work has been pushed to a draft PR here https://github.com/ministryofjustice/analytical-platform-ui/pull/212/files

We have been able to:

  • Exchange a user's Entra ID token for an AWS ID token
  • Use the AWS ID token to make an STS assume role call to retrieve AWS credentials

We have not been able to:

  • Use those returned credentials to make subsequent successful calls to aws services e.g. to Athena

Currently we are:

  • Looking into errors related to the user not having access to the athena workgroups: An error occurred (InvalidRequestException) when calling the StartQueryExecution operation: You do not have access to primary. After your AWS administrator has updated your permissions, please try again.

michaeljcollinsuk (Contributor, Author) commented Jul 22, 2024

When attempting to use the returned AWS token to make requests to AWS services e.g. grant lake formation permissions to another user:

    import boto3

    # where credentials are those returned from assuming the IAM bearer role after a successful token exchange
    # (a dict of aws_access_key_id, aws_secret_access_key and aws_session_token)
    lf = boto3.client("lakeformation", **credentials, region_name="eu-west-2")
    grant = lf.grant_permissions(
        CatalogId='123456789',  # the AWS account id e.g. ap-dev
        Principal={
            # Identity Store ID of a user. The ID is included in the ID token from AWS as the 'sub';
            # the full ARN is returned from the "describe_user" QuickSight API call
            "DataLakePrincipalIdentifier": "arn:aws:identitystore:::user/123-abc-456-def",
        },
        Resource={
            'Database': {
                'CatalogId': '123456789',  # the AWS account id e.g. ap-dev
                'Name': 'example-database'  # database that the user had grantable permissions on
            }
        },
        Permissions=['ALL']
    )
</gl_replace>
<gr_insert after="139" cat="add_content" lang="python" orig="botocore.errorfactory">
The two comments above describe the same flow from both ends: an Entra ID token is exchanged for an AWS ID token, that ID token is used in an STS AssumeRole call, and the resulting credentials are then rejected by Lake Formation with "Identity Center Session can't be used for this operation". The block below is an added example, not code from this issue or from the analytical-platform-ui repository. It shows the pieces of that flow that can be exercised offline: reading the `sts:identity_context` and `sub` claims out of the AWS ID token, building the AssumeRole request that carries the identity context (which is what makes the returned credentials an Identity Center session), and deriving the `arn:aws:identitystore:::user/<sub>` principal used in the Lake Formation call. The live `exchange_and_assume` function needs boto3 and network access and is not run here. The provider ARN `arn:aws:iam::aws:contextProvider/IdentityCenter`, the `create_token_with_iam` jwt-bearer grant, the `sts:identity_context` claim name, the role ARN, client id and session name are assumptions taken from the AWS trusted identity propagation documentation, and the sample token is constructed (unsigned) for the demo.

```python
import base64
import json
from typing import Any, Dict

# Assumption (AWS STS docs, not from the issue): provider ARN used in
# AssumeRole ProvidedContexts for IAM Identity Center identity propagation.
IDENTITY_CENTER_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/IdentityCenter"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(id_token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT without verifying its signature.

    In this flow the idToken is read straight out of the CreateTokenWithIAM
    response over TLS, so the claims are only being inspected, not trusted as
    proof of identity. Do not use this on tokens received from a caller.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def build_assume_role_request(id_token: str, role_arn: str, session_name: str) -> Dict[str, Any]:
    """Build the kwargs for sts.assume_role that carry the Identity Center context.

    The 'sts:identity_context' claim is what turns the resulting credentials into
    an identity-enhanced session, the kind Lake Formation GrantPermissions rejects.
    """
    claims = decode_jwt_claims(id_token)
    if "sts:identity_context" not in claims:
        raise ValueError("idToken has no sts:identity_context claim; was it issued by Identity Center?")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "ProvidedContexts": [
            {"ProviderArn": IDENTITY_CENTER_PROVIDER_ARN,
             "ContextAssertion": claims["sts:identity_context"]}
        ],
    }


def identity_store_principal(id_token: str) -> str:
    """Derive the DataLakePrincipalIdentifier for the token's user from its 'sub' claim."""
    sub = decode_jwt_claims(id_token)["sub"]
    return f"arn:aws:identitystore:::user/{sub}"


def credentials_from_assume_role(response: Dict[str, Any]) -> Dict[str, str]:
    """Map an AssumeRole response onto the keyword arguments boto3.client() expects."""
    c = response["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


def exchange_and_assume(entra_id_token: str, client_id: str, role_arn: str,
                        region: str = "eu-west-2") -> Dict[str, str]:
    """Live flow (needs boto3 and network): Entra ID token -> AWS idToken -> credentials."""
    import boto3  # imported lazily so the offline helpers above work without boto3

    oidc = boto3.client("sso-oidc", region_name=region)
    token = oidc.create_token_with_iam(
        clientId=client_id,  # assumed: the Identity Center application's client id
        grantType="urn:ietf:params:oauth:grant-type:jwt-bearer",
        assertion=entra_id_token,
    )
    sts = boto3.client("sts", region_name=region)
    response = sts.assume_role(**build_assume_role_request(token["idToken"], role_arn, "ap-ui-poc"))
    return credentials_from_assume_role(response)


def _make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed sample token for the offline demo: header and payload, empty signature."""
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: the 'sub' mirrors the placeholder id used in the issue's snippet.
SAMPLE_ID_TOKEN = _make_unsigned_jwt({
    "sub": "123-abc-456-def",
    "sts:identity_context": "constructed-opaque-context-assertion",
})

if __name__ == "__main__":
    print(build_assume_role_request(SAMPLE_ID_TOKEN, "arn:aws:iam::123456789012:role/ap-ui-bearer", "ap-ui-poc"))
    print(identity_store_principal(SAMPLE_ID_TOKEN))
```

The practical takeaway for the error in the last comment: once `ProvidedContexts` is supplied, every call made with the returned credentials carries the Identity Center session, and data-plane calls such as Athena queries are the intended use; administrative operations like `GrantPermissions` need credentials from a plain role session instead.
<test>
req = build_assume_role_request(SAMPLE_ID_TOKEN, "arn:aws:iam::123456789012:role/ap-ui-bearer", "ap-ui-poc")
assert req["RoleArn"] == "arn:aws:iam::123456789012:role/ap-ui-bearer"
assert req["RoleSessionName"] == "ap-ui-poc"
assert req["ProvidedContexts"][0]["ProviderArn"] == "arn:aws:iam::aws:contextProvider/IdentityCenter"
assert req["ProvidedContexts"][0]["ContextAssertion"] == "constructed-opaque-context-assertion"
assert identity_store_principal(SAMPLE_ID_TOKEN) == "arn:aws:identitystore:::user/123-abc-456-def"
assert decode_jwt_claims(SAMPLE_ID_TOKEN)["sub"] == "123-abc-456-def"
no_ctx = _make_unsigned_jwt({"sub": "x"})
try:
    build_assume_role_request(no_ctx, "arn:aws:iam::123456789012:role/r", "s")
    assert False, "expected ValueError"
except ValueError:
    pass
try:
    decode_jwt_claims("not.a-jwt")
    assert False, "expected ValueError"
except ValueError:
    pass
creds = credentials_from_assume_role({"Credentials": {"AccessKeyId": "AKIA", "SecretAccessKey": "S", "SessionToken": "T", "Expiration": "later"}})
assert creds == {"aws_access_key_id": "AKIA", "aws_secret_access_key": "S", "aws_session_token": "T"}
</test>
</gr_insert>
<gr_replace lines="142-149" cat="remove_boilerplate" orig="Sign up for free">

This failed with the following error:

botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Identity Center Session can't be used for this operation.

@YvanMOJdigital YvanMOJdigital closed this as completed by moving to 🎉 Done in Analytical Platform Sep 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Archived in project
Development

No branches or pull requests

4 participants