📖 Capture Alpha Users's Justice identity in order to prepare for migration to new identity strategy #3605

Closed
3 of 7 tasks
julialawrence opened this issue Mar 6, 2024 · 4 comments · Fixed by ministryofjustice/analytics-platform-control-panel#1288

julialawrence commented Mar 6, 2024

User Story

As an AP engineer, I would like to start collecting AP users' justice identity so we can start preparing for the roll-out of our new identity strategy.

Value / Purpose

A single identity across our estate is the ultimate goal, not only for security reasons but also for easing onboarding onto the platform. All MOJ employees have or could get justice accounts but not everyone uses or needs GitHub accounts. Linking AP auth to justice identity will help expand our reach.

Useful Contacts

Michael Collins, Julia Lawrence

User Types

AP Users

Hypothesis

If we begin collecting this information now, we will be in a better position to migrate people when the time is right.

Proposal

  • Add a new page to display to users after logging in, where they can authenticate with their Justice identity
  • Amend the database structure to allow storage of users' justice identity information.
  • Amend Control Panel code to request post-auth AP users to authenticate with AzureAD (EntraID) to capture their justice identity.
  • Validate information is being stored.

Additional Information

Potential questions:

Should we allow new users to register with their justice identity going forward? Is it worth implementing that at the same time so we can lower the number of users we eventually need to migrate?

For QS:
Should we make providing the justice identity a prereq for new QS access? (New UI only allows justice authentication?)

Things to think about:
Deferral?
"I don't have a justice account?" (More likely with P&A folks)

Definition of Done

  • New "frontpage" added to the control panel to allow EntraID auth
  • EntraID auth process implemented
  • Database schema amended
  • Users notified
  • Documentation outlining what we're doing and why drafted and published
  • Control Panel modified
  • Capability switched on
@julialawrence julialawrence changed the title 📖 Cpture Alpha Users's Justice identity in order to prepare for migration to new identity strategy 📖 Capture Alpha Users's Justice identity in order to prepare for migration to new identity strategy Mar 6, 2024
@michaeljcollinsuk michaeljcollinsuk moved this from 👀 TODO to 🚀 In Progress in Analytical Platform Mar 25, 2024

michaeljcollinsuk commented Mar 28, 2024

27/3/24
Basic implementation in place - draft PR open with full details

TODO

  • Confirm the best messaging for the user on the new page (feedback on the draft PR welcome)
  • Need to add unit tests
  • Refactoring as necessary

@michaeljcollinsuk michaeljcollinsuk self-assigned this Mar 28, 2024
@michaeljcollinsuk michaeljcollinsuk moved this from 🚀 In Progress to 🚫 Blocked in Analytical Platform Apr 3, 2024
@michaeljcollinsuk

2/4/24
PR of the initial implementation merged, and deployed to dev.

It is only enabled for superusers, so normal users logging in to the dev site (there are some that are using it for Bedrock) will not see the message about authenticating with their justice identity.

Superusers will; however, attempting to authenticate will cause a 500 error, as there are missing EntraID secrets, which requires #3868 to be completed to add. Therefore, I have moved this ticket to blocked.

@michaeljcollinsuk michaeljcollinsuk moved this from 🚫 Blocked to 🛂 In Review in Analytical Platform Apr 8, 2024
@michaeljcollinsuk

4/4/24
Secret was added as part of #3868, to allow testing on dev.
Created a new release to always prompt users to log in to their Justice account as part of the flow. Also updated the auth client implementation to use the Azure Client Secret. Currently this is not working (as I wanted to test the error sent to Sentry) - the secret has been added to dev, but a further change to the helm chart is required to set the env variable.

michaeljcollinsuk commented Apr 10, 2024

Helm chart updated to set the AZURE_CLIENT_SECRET env.
Updated the messaging shown to the user about capturing their Justice email.
Django admin updated to allow easy querying of the number of users that have completed the auth process.
Deployed to dev for the AP team to test.
