Skip to content

Commit b0c6057

Browse files
Add guides for Windows Docker, Cookies, Entra and Defra ID (#136)
1 parent b356f18 commit b0c6057

4 files changed

Lines changed: 144 additions & 0 deletions

File tree

docs/guides/cookies-banner.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
# Cookie banner
2+
3+
An example repository has been created to correctly implement the GOV.UK Design System cookie banner with Google Tag Manager (GTM).
4+
5+
This demonstrates how to address the common pain points teams encounter when implementing a cookie banner, including:
6+
7+
- Immediately setting GA cookies on acceptance - GTM loads client-side the moment the user accepts, no page reload required for GA to start collecting
8+
- Removing all GA cookies when the user rejects - from both the banner and the cookie preferences page
9+
- Working without JavaScript - progressive enhancement via form submission
10+
- Working with Content Security Policy (CSP) - domain and script protection
11+
- CSRF protection - on all cookie consent forms
12+
13+
[https://github.com/DEFRA/cookie-banner-example](https://github.com/DEFRA/cookie-banner-example)

docs/guides/defra-id.md

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Defra Identity
2+
3+
Defra Identity is Defra's common customer authentication and identity-management platform that provides external user authentication and authorisation for Defra services. It is based on the OAuth 2.0 and OpenID Connect standards and is backed by Azure B2C.
4+
5+
Defra Identity supports authentication through a Government Gateway, GOV.UK One Login or Rural Payments account.
6+
7+
## Sign in flow
8+
9+
1. User accesses a service
10+
2. User is redirected to the Defra Identity login page
11+
3. User logs in
12+
4. User selects an organisation
13+
5. User is redirected back to the consuming service with an authorisation code
14+
6. Consuming service exchanges the authorisation code for an access token
15+
7. Consuming service stores JWT token in session
16+
17+
Services using the Rural Payments account need an additional step to retrieve the user's permissions for the selected organisation from Siti Agri as they are not included in the JWT token.
18+
19+
## Example
20+
21+
An example repository has been created to demonstrate how to integrate with Defra Identity using Node.js.
22+
23+
The example includes a detailed explanation of the pattern and required code to implement a secure implementation of the pattern.
24+
25+
Although written from the perspective of Farming, the example is applicable to any service that needs to integrate with Defra Identity.
26+
27+
[https://github.com/DEFRA/fcp-defra-id-example](https://github.com/DEFRA/fcp-defra-id-example)

docs/guides/docker_guidance.md

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -321,3 +321,32 @@ volumes:
321321
```
322322

323323
Then volume and port bindings are only used during local development and any local tests runs will not impact development data.
324+
325+
### Windows Git Bash
326+
327+
There is an issue where Git Bash may not correctly interpret volume paths when running Docker Compose on Windows.
328+
329+
To avoid this issue, the following snippet should be added to the `.bashrc` file in the home directory of the user running Git Bash.
330+
331+
```bash
332+
# --- Make Docker work nicely in Git Bash ---
333+
334+
# Prevent MSYS from mangling paths
335+
__docker_env() {
336+
MSYS_NO_PATHCONV=1 MSYS2_ARG_CONV_EXCL='*' "$@"
337+
}
338+
339+
# Wrapper for docker.exe
340+
docker() {
341+
local needs_winpty=
342+
for a in "$@"; do
343+
[[ "$a" == "-it" || "$a" == "-i" || "$a" == "-t" ]] && needs_winpty=1
344+
done
345+
346+
if [[ -n "$needs_winpty" ]] && command -v winpty >/dev/null 2>&1; then
347+
__docker_env winpty docker.exe "$@"
348+
else
349+
__docker_env docker.exe "$@"
350+
fi
351+
}
352+
```

docs/guides/entra.md

Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
# Entra
2+
3+
Entra is a Microsoft identity and access management platform that provides secure access to applications and resources. It allows organizations to manage user identities, enforce access policies, and protect sensitive data.
4+
5+
It is used to securely authenticate and authorise internal users, enabling them to access applications and resources based on their roles and permissions.
6+
7+
## App Registration
8+
9+
To use Entra, an Azure App Registration needs to be created in the Azure Portal by CCoE.
10+
11+
An App Registration is a representation of an application within the Azure Active Directory (Azure AD) tenant.
12+
13+
Within the App Registration, the following can be configured to enable secure authentication and authorisation:
14+
15+
- **Redirect URIs**: The URLs where users are redirected after authentication and sign out. These URIs must be registered in the App Registration to ensure that the authentication response is sent to the correct location.
16+
17+
- **Client ID**: A unique identifier for the application. It is used to identify the application during the authentication process.
18+
19+
- **Client Secret**: A secret key used to authenticate the application. It should be kept confidential and not exposed in client-side code.
20+
21+
- **Federated Credentials**: An alternative to using a client secret, federated credentials allow the application to authenticate using a certificate or other secure method. This is the preferred method when using the Core Delivery Platform (CDP) as it avoids the need to store a client secret in the application code.
22+
23+
- **Token Configuration**: The App Registration can be configured to specify the types of tokens (ID tokens, access tokens, refresh tokens) and claims that the application can request and receive during the authentication process.
24+
25+
- **Roles and Permissions**: The App Registration can define roles and permissions that control access to the application. This allows for fine-grained access control based on user roles and responsibilities.
26+
27+
### Enterprise application
28+
29+
When creating a new App Registration, an Enterprise Application is automatically created in the Azure AD tenant. The Enterprise Application represents the application instance and is used to manage access and permissions for users and groups. eg adding users to roles.
30+
31+
### Tenants
32+
33+
There are two Azure tenants where App Registrations can be created:
34+
35+
#### `O365_DefraDev`
36+
37+
This tenant is used for experimentation, local development and lower environments.
38+
39+
Teams can request/amend an App Registration in this tenant by raising a request with CCoE with this [ServiceNow ticket](https://defragroup.service-now.com/esc?id=sc_cat_item&table=sc_cat_item&sys_id=496b9d931b2cce90848b8594e34bcbe5&recordUrl=com.glideapp.servicecatalog_cat_item_view.do%3Fv%3D1&sysparm_id=496b9d931b2cce90848b8594e34bcbe5).
40+
41+
#### `Defra`
42+
43+
This tenant is used for higher environments including production.
44+
45+
It has a tighter level of control and requires an approved Change Request in ServiceNow to enable CCoE to make a requested change.
46+
47+
A Series of Standard Changes have been created for common App Registration configuration requests. This allows teams to request changes without needing to raise a Normal Change with the eight day lead time.
48+
49+
> If the configuration required is not covered by a Standard Change, then a Normal Change will need to be raised.
50+
51+
| Standard Change | Description |
52+
|-----------------|-------------|
53+
| [Create App Registration](https://defragroup.service-now.com/change_request.do?sys_id=-1&sysparm_query=chg_model%3de55d0bfec343101035ae3f52c1d3ae49^std_change_producer_version%3decb13db83bf17ed81560dca985e45a54&sysparm_link_parent=d401364f1b7861101fd8337f034bcbf9&sysparm_catalog=e0d08b13c3330100c8b837659bba8fb4&sysparm_catalog_view=catalog_Service_Catalog&sysparm_view=catalog_Service_Catalog) | Add a new redirect URI to an existing App Registration |
54+
| [Configure redirect URI](https://defragroup.service-now.com/change_request.do?sys_id=-1&sysparm_query=chg_model%3de55d0bfec343101035ae3f52c1d3ae49^std_change_producer_version%3d8b61e8a5fbdd3650ff02f46daeefdc5a&sysparm_link_parent=d401364f1b7861101fd8337f034bcbf9&sysparm_catalog=e0d08b13c3330100c8b837659bba8fb4&sysparm_catalog_view=catalog_Service_Catalog&sysparm_view=catalog_Service_Catalog) | Configure redirect URI for sign in and sign out |
55+
|[Configure roles](https://defragroup.service-now.com/change_request.do?sys_id=-1&sysparm_query=chg_model%3de55d0bfec343101035ae3f52c1d3ae49^std_change_producer_version%3d247ace93c38f2e5082ee354c050131fd&sysparm_link_parent=d401364f1b7861101fd8337f034bcbf9&sysparm_catalog=e0d08b13c3330100c8b837659bba8fb4&sysparm_catalog_view=catalog_Service_Catalog&sysparm_view=catalog_Service_Catalog)| Configure roles for the App Registration |
56+
| [Add/remove user/Security Group to role](https://defragroup.service-now.com/change_request.do?sys_id=-1&sysparm_query=chg_model%3de55d0bfec343101035ae3f52c1d3ae49^std_change_producer_version%3deff16ce9fbdd3650ff02f46daeefdcce&sysparm_link_parent=d401364f1b7861101fd8337f034bcbf9&sysparm_catalog=e0d08b13c3330100c8b837659bba8fb4&sysparm_catalog_view=catalog_Service_Catalog&sysparm_view=catalog_Service_Catalog) | Add or remove a user or Security Group to a role |
57+
| [Configure Graph API Permissions](https://defragroup.service-now.com/change_request.do?sys_id=-1&sysparm_query=chg_model%3de55d0bfec343101035ae3f52c1d3ae49^std_change_producer_version%3d9ba264a5fb117650ff02f46daeefdc19&sysparm_link_parent=d401364f1b7861101fd8337f034bcbf9&sysparm_catalog=e0d08b13c3330100c8b837659bba8fb4&sysparm_catalog_view=catalog_Service_Catalog&sysparm_view=catalog_Service_Catalog) | Configure Graph API permissions for the App Registration **Important:** Admin consent on `User.Read` permission is required and must be requested, otherwise users will not be able to complete authentication. |
58+
59+
## Sign in flow
60+
61+
1. User accesses a service
62+
2. User is redirected to the Entra login page
63+
3. User logs in
64+
4. User is redirected back to the consuming service with an authorisation code
65+
5. Consuming service exchanges the authorisation code for an access token
66+
6. Consuming service stores JWT token in session
67+
68+
## Example
69+
70+
An example repository has been created to demonstrate how to integrate with Entra using Node.js.
71+
72+
The example includes a detailed explanation of the pattern and required code to implement a secure implementation of the pattern.
73+
74+
[https://github.com/DEFRA/fcp-entra-example](https://github.com/DEFRA/fcp-entra-example)
75+

0 commit comments

Comments
 (0)