Allow access to app for Turing folk from offsite

[jack89roberts]

Currently the Azure app is restricted to Turing IP addresses, but open to anyone trying to access it whilst at the Turing.

As a first pass to making the app accessible to Turing folk offsite, we'll incorporate Azure Active directory login.

Note that this is still fairly "hacky" as the app is accessing Github and Harvest with credentials many users with Turing AAD credentials will not have. See issue #50 as placeholder for improvements to authentication.

[martintoreilly]

Let's use Azure AD - see https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-configure-with-advanced-settings

• Ask IT for an app registration via this form
• Store the app credentials in a KeyVault on Azure

Progress

Azure AD Enterprise app setup

• Requested an app registration (see TopDesk ticket C1910-085)
• Received app registration info
• Created following app info as secrets in wimbledon-planner KeyVault
  • app-id
  • app-secret
  • turing-tenant-id
• App setting needed
  • Check the "Access tokens" and "ID tokens" boxes under "Authentication -> Implicit grant" (or equivalently set "oauth2AllowIdTokenImplicitFlow": true and "oauth2AllowImplicitFlow": true in the app manifest)
  • Set the redirect URL to https://wimbledon-planner.azurewebsites.net/.auth/login/aad/callback

Azure app service AAD login configuration

• Turned on "HTTPS only" option in portal "Settings -> TLS/SSL settings"
• Followed Microsoft's advanced settings instructions for adding AAD authentication to a web app
  • In the Azure portal, go to your App Service app
  • Select Settings > Authentication / Authorization in the left pane, and make sure that App Service Authentication is On
  • To enforce user authentication, set Action to take when request is not authenticated to Log in with Azure Active Directory (selected "Log in with Azure Active Directory")
  • Under Authentication Providers, select Azure Active Directory.
  • In Management mode, select Advanced and configure App Service authentication according to the following table:
  • Client ID: Use the Application (client) ID of the app registration (app-id secret in wimbledon-planner KeyVault)
  • Issuer ID: Use https://login.microsoftonline.com/, and replace  with the Directory (tenant) ID of the app registration (https://login.microsoftonline.com/<turing-tenant-id>, using turing-tenant-id secret in wimbledon-planner KeyVault)
  • Client Secret: Use the client secret you generated in the app registration (app-secret secret in wimbledon-planner KeyVault)
  • Allowed Token Audiences: If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here (left blank)
  • Clicked 'Ok' on advanced AAD configuration screen
  • Clicked "Save" on the main Authentication / Authorization screen

Open up network access rules

• Made SCM access rules separate from app access rules and restricted to Turing networks
• Removed all app access rules

[martintoreilly]

Testing

• Was able to access site from my Turing laptop on the Turing EduRoam wifi network and (i) could access the site when logged into my Turing Azure account and (ii) was required to log in when accessing via an incognito window.
• Was able to access site from my mobile on my mobile network and (i) could access the site when logged into my Turing Azure account and (ii) was required to log in when accessing via an incognito window.

[martintoreilly]

@jack89roberts Please could you review the above and let me know if (i) any of the instructions are not clear and (ii) do some ad-hoc testing of your own to confirm access control works as you expect.

[jack89roberts]

Nice! It works on my phone (using mobile data) as well - asks me to login and then the app works as normal afterwards.

The only thing I'm unsure about in the instructions is this part:

Azure AD Enterprise app setup

• Check the "Access tokens" and "ID tokens" boxes under "Authentication -> Implicit grant" (or equivalently set "oauth2AllowIdTokenImplicitFlow": true and "oauth2AllowImplicitFlow": true in the app manifest)
• Set the redirect URL to https://wimbledon-planner.azurewebsites.net/.auth/login/aad/callback

Where are these settings and are we supposed to have access to them or is it part of what IT sets up (e.g. if it's in "App registrations" then I get a "you do not have access" error back)?

[martintoreilly]

It's part of the set up IT do for the AD enterprise app. I've updates the notes to reflect this.

[jack89roberts]

The app registration expired and had to be renewed. These are the steps for renewing it:

• Create a ticket with IT asking them to renew the active directory app registration for Wimbledon Planner (I also included the redirect URL https://wimbledon-planner.azurewebsites.net/.auth/login/aad/callback and the previous ticket numbers C1910-085 and I2010-637).

• IT will send a new secret value.

• Update the app-secret secret in the wimbledon-planner key vault in the wimbledon-planner-production resource group.

  • Go to secrets (menu on the left)
  • Select app-secret from the list
  • Select "New Version"
  • Copy the secret into the "value" field and make sure to set the activation and expiration dates (these will cause an automated email to be triggered the next time it's about to expire - automated emailing doesn't seem to be working).

• Update the secret value in the wimbledon-planner app service in the wimbledon-planner-production resource group.

  • Go to Authentication/Authorization (menu on the left)
  • Click on Azure Active Directory Configured (Advanced)
  • Click "Show Secret"
  • Paste the new secret value into the secret field.
  • Click "OK"

• (edit: 2022 - unsure whether this is required in addition to/instead of step above) Update the secret value in the wimbledon-planner app service in the wimbledon-planned-production resource group:

  • Configuration -> MICROSOFT_PROVIDER_AUTHENTICATION_SECRET

I then restarted the app service, but I'm not sure whether this is necessary.

[yongrenjie]

16/1/2024: Client secret was renewed. The steps are similar to above, but the Azure interface is slightly different:

1. Bug IT to send a new client secret. (This was surprisingly difficult: they initially told me to go to Tomas, but the Active Directory secrets are managed by IT, not by Research Computing, so you may have to insist that they do it. In my case, Tomas got them to sort it out, thanks Tomas 😄)
2. (Same as above) Go to the wimbledon-planner key vault in the wimbledon-planner-production resource group. From the left menu, select Objects > Secrets. Click on app-secret and create a new version
3. In the wimbledon-planner App Service, select Settings > Configuration, and select Application Settings from the tabs in that page. Click on MICROSOFT_PROVIDER_AUTHENTICATION_SECRET and paste the new secret as the value there.
   • You can also do this from Settings > Authentication, and editing the Wimbledon-Planner identity provider in the list shown there. It brings you to the same screen.

Wait a couple of minutes and the app should work. I didn't need to restart it.

[jack89roberts]

Thanks Jon!