Register Azure applications for DataHub

[tom-webber]

User Story

As an Azure AD (AAD) evangelist
I need to register DataHub as an app in AAD
So that users can Auth via AAD to log into DataHub

Proposal

Configuring Azure Authentication for React App (OIDC)

Register an app in the AAD portal.

There is already an app named as 'data-platform-datahub-development', so maybe name the new one 'data-platform-datahub-dev'?

May be worth checking with @julialawrence precisely which permissions are required for Datahub. It is not clear whether we need User.Read, or if we need User.Read.All or some combination of the permissions on the existing data-platform-datahub-development app.

This app will likely use client credential flow for login, whereby the DataHub instance stores the client secret.

Determine whether the frontend app we're creating will reuse this same auth flow (very likely), and if so, if there are any other scopes required to handle this.

Once this is registered with the desired scopes, you'll need to post in the #staff-identity-authentication-services channel to ask for admin approval of the app (all apps required admin approval now, regardless of which permissions they need).

Definition of Done

Example

• App registered in AAD
• Required permissions are attached to the app
• Admin approval requested
• Admin approval granted
• DataHub auth flow tested and working
• (maybe) Custom front end flow tested and working

[mitchdawson1982]

Not sure on the normal timeline for approvals on this type of request but I have given a nudge to the Azure admin that has picked this up via the slack channel.

[mitchdawson1982]

Jacob Khoo confirmed he is raiding a change for Tuesday CAB to perform the admin approval implementation this week.

[mitchdawson1982]

I had raised this with Matt W for approval to avoid the need for a CAB change however Matt hasn't as yet responded. I have therefore agreed with Jacob Khoo the following:

• Jacob to recreate the app in their dev environment based on the current app settings.
• Jacob to provide necessary credentials and example dev user accounts to test with.
• Once testing has been completed successfully, Jacob will raise the necessary change for implementation in live.
• Jacob will implement the change in live and provide us with the necessary credentials to validate it is working as expected.

[mitchdawson1982]

• Tested successfully on 31/1/24, change has been raised for implementation.
• 6/2/24 CAB approval obtained, raised for implementation on 8/2/24
• Implemented 8/2/24 and tested on 9/2/24

[github-actions]

This issue is being marked as stale because it has been open for 60 days with no activity. Remove stale label or comment to keep the issue open.