Replace back-office group requirement with platform Easy Auth and auto-bootstrap Entra app registration

tjementum · tjementum · commit 02c675300f76 · 2026-04-29T00:26:40.000+02:00
diff --git a/.github/workflows/_deploy-infrastructure.yml b/.github/workflows/_deploy-infrastructure.yml
@@ -34,6 +34,9 @@ on:
         required: false
         type: string
         default: "-"
+      back_office_entra_client_id:
+        required: true
+        type: string
       postgres_admin_object_id:
         required: true
         type: string
@@ -84,6 +87,7 @@ jobs:
         id: deploy_cluster
         env:
           POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
+          BACK_OFFICE_ENTRA_CLIENT_ID: ${{ inputs.back_office_entra_client_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -169,6 +173,7 @@ jobs:
         id: deploy_cluster
         env:
           POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
+          BACK_OFFICE_ENTRA_CLIENT_ID: ${{ inputs.back_office_entra_client_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
diff --git a/.github/workflows/cloud-infrastructure.yml b/.github/workflows/cloud-infrastructure.yml
@@ -38,6 +38,7 @@ jobs:
       cluster_location: ${{ vars.STAGING_CLUSTER_LOCATION }}
       domain_name: ${{ vars.STAGING_DOMAIN_NAME }}
       back_office_domain_name: ${{ vars.STAGING_BACK_OFFICE_DOMAIN_NAME || '-' }}
+      back_office_entra_client_id: ${{ vars.STAGING_BACK_OFFICE_ENTRA_CLIENT_ID }}
       postgres_admin_object_id: ${{ vars.STAGING_POSTGRES_ADMIN_OBJECT_ID }}
       production_service_principal_object_id: ${{ vars.PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID }}
 
@@ -57,5 +58,6 @@ jobs:
       cluster_location: ${{ vars.PRODUCTION_CLUSTER1_LOCATION }}
       domain_name: ${{ vars.PRODUCTION_DOMAIN_NAME }}
       back_office_domain_name: ${{ vars.PRODUCTION_BACK_OFFICE_DOMAIN_NAME || '-' }}
+      back_office_entra_client_id: ${{ vars.PRODUCTION_BACK_OFFICE_ENTRA_CLIENT_ID }}
       postgres_admin_object_id: ${{ vars.PRODUCTION_POSTGRES_ADMIN_OBJECT_ID }}
       tenant_id: ${{ vars.TENANT_ID }}
diff --git a/application/AppHost/Program.cs b/application/AppHost/Program.cs
@@ -81,8 +81,6 @@
     .WithReference(azureStorage)
     .WaitFor(accountDatabase);
 
-var backOfficeGroupId = builder.Configuration["BackOffice:GroupId"];
-
 var accountApi = builder
     .AddProject<Account_Api>("account-api")
     .WithEnvironment("KESTREL_PORT", ports.AccountApi.ToString())
@@ -93,7 +91,6 @@
     .WithEnvironment("OAUTH_PUBLIC_URL", "https://localhost:" + ports.AppGateway)
     .WithEnvironment("Hostnames__App", appHostname)
     .WithEnvironment("BackOffice__Host", backOfficeHostname)
-    .WithEnvironment("BackOffice__GroupId", backOfficeGroupId ?? string.Empty)
     .WithReference(accountDatabase)
     .WithReference(azureStorage)
     .WithEnvironment("OAuth__Google__ClientId", googleOAuthClientId)
diff --git a/application/account/Tests/BackOffice/BackOfficeEndpointBaseTest.cs b/application/account/Tests/BackOffice/BackOfficeEndpointBaseTest.cs
@@ -33,7 +33,7 @@ public abstract class BackOfficeEndpointBaseTest : IDisposable
     protected readonly Faker Faker = new();
     private readonly WebApplicationFactory<Program> _webApplicationFactory;
 
-    protected BackOfficeEndpointBaseTest(string? configuredGroupId = null)
+    protected BackOfficeEndpointBaseTest()
     {
         Environment.SetEnvironmentVariable(SinglePageAppConfiguration.PublicUrlKey, TestPublicUrl);
         Environment.SetEnvironmentVariable(SinglePageAppConfiguration.CdnUrlKey, $"{TestPublicUrl}/account");
@@ -62,10 +62,6 @@ protected BackOfficeEndpointBaseTest(string? configuredGroupId = null)
                             // user-facing host use app.test.localhost.
                             ["Hostnames:App"] = "app.test.localhost"
                         };
-                        if (configuredGroupId is not null)
-                        {
-                            backOfficeSettings["BackOffice:GroupId"] = configuredGroupId;
-                        }
 
                         configuration.AddInMemoryCollection(backOfficeSettings);
                     }
diff --git a/application/account/Tests/BackOffice/GroupRequirementTests.cs b/application/account/Tests/BackOffice/GroupRequirementTests.cs
diff --git a/application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeGroupRequirement.cs b/application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeGroupRequirement.cs
diff --git a/application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeHostOptions.cs b/application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeHostOptions.cs
@@ -8,6 +8,4 @@ public sealed class BackOfficeHostOptions
 
     [Required(AllowEmptyStrings = false)]
     public string Host { get; init; } = string.Empty;
-
-    public string? GroupId { get; init; }
 }
diff --git a/application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeIdentityDefaults.cs b/application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeIdentityDefaults.cs
@@ -24,6 +24,4 @@ public static class BackOfficeIdentityDefaults
     public const string LogoutPath = "/.auth/logout";
 
     public const string AccessDeniedPath = "/access-denied";
-
-    public const string BackOfficeGroupIdEnvironmentVariable = "BACK_OFFICE_GROUP_ID";
 }
diff --git a/application/shared-kernel/SharedKernel/Configuration/ApiDependencyConfiguration.cs b/application/shared-kernel/SharedKernel/Configuration/ApiDependencyConfiguration.cs
@@ -1,5 +1,4 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.HttpOverrides;
@@ -247,15 +246,12 @@ private IServiceCollection AddAuthConfiguration()
                 )
                 .AddScheme<BackOfficeIdentityOptions, BackOfficeIdentityHandler>(BackOfficeIdentityDefaults.AuthenticationScheme, _ => { });
 
-            services.AddSingleton<IAuthorizationHandler, BackOfficeGroupAuthorizationHandler>();
-
             return services.AddAuthorization(authOptions =>
                 {
                     authOptions.AddPolicy(BackOfficeIdentityDefaults.PolicyName, policy =>
                         {
                             policy.AuthenticationSchemes = [BackOfficeIdentityDefaults.AuthenticationScheme];
                             policy.RequireAuthenticatedUser();
-                            policy.AddRequirements(new BackOfficeGroupRequirement());
                         }
                     );
                 }
diff --git a/cloud-infrastructure/cluster/deploy-cluster.sh b/cloud-infrastructure/cluster/deploy-cluster.sh
@@ -31,11 +31,17 @@ if [[ "$BACK_OFFICE_DOMAIN_NAME" == "-" ]]; then
   BACK_OFFICE_DOMAIN_NAME=""
 fi
 
+if [[ -z "$BACK_OFFICE_ENTRA_CLIENT_ID" ]]; then
+  echo "ERROR: BACK_OFFICE_ENTRA_CLIENT_ID is required. Run 'dotnet run --project developer-cli -- deploy' to bootstrap." >&2
+  exit 1
+fi
+
 export UNIQUE_PREFIX
 export ENVIRONMENT
 export LOCATION=$CLUSTER_LOCATION
 export DOMAIN_NAME
 export BACK_OFFICE_DOMAIN_NAME
+export BACK_OFFICE_ENTRA_CLIENT_ID
 export POSTGRES_ADMIN_OBJECT_ID
 export GOOGLE_OAUTH_CLIENT_ID
 export GOOGLE_OAUTH_CLIENT_SECRET
diff --git a/cloud-infrastructure/cluster/main-cluster.bicep b/cloud-infrastructure/cluster/main-cluster.bicep
@@ -7,8 +7,7 @@ param environment string
 param containerRegistryName string
 param domainName string
 param backOfficeDomainName string = ''
-param backOfficeGroupId string = ''
-param backOfficeEntraClientId string = ''
+param backOfficeEntraClientId string
 param appGatewayVersion string
 param accountVersion string
 param mainVersion string
@@ -277,10 +276,6 @@ var accountApiEnvironmentVariables = concat(accountEnvironmentVariables, [
     name: 'BackOffice__Host'
     value: backOfficeHost
   }
-  {
-    name: 'BackOffice__GroupId'
-    value: backOfficeGroupId
-  }
 ])
 
 module accountWorkers '../modules/container-app.bicep' = {
@@ -365,7 +360,7 @@ module backOffice '../modules/container-app.bicep' = {
   dependsOn: [accountApi]
 }
 
-module backOfficeAuthConfig '../modules/container-app-auth-config.bicep' = if (backOfficeEntraClientId != '') {
+module backOfficeAuthConfig '../modules/container-app-auth-config.bicep' = {
   name: '${clusterResourceGroupName}-back-office-auth-config'
   scope: clusterResourceGroup
   params: {
diff --git a/cloud-infrastructure/cluster/main-cluster.bicepparam b/cloud-infrastructure/cluster/main-cluster.bicepparam
@@ -8,8 +8,7 @@ param environment = readEnvironmentVariable('ENVIRONMENT')
 param containerRegistryName = readEnvironmentVariable('CONTAINER_REGISTRY_NAME')
 param domainName = readEnvironmentVariable('DOMAIN_NAME', '')
 param backOfficeDomainName = readEnvironmentVariable('BACK_OFFICE_DOMAIN_NAME', '')
-param backOfficeGroupId = readEnvironmentVariable('BACK_OFFICE_GROUP_ID', '')
-param backOfficeEntraClientId = readEnvironmentVariable('BACK_OFFICE_ENTRA_CLIENT_ID', '')
+param backOfficeEntraClientId = readEnvironmentVariable('BACK_OFFICE_ENTRA_CLIENT_ID')
 param appGatewayVersion = readEnvironmentVariable('APP_GATEWAY_VERSION')
 param accountVersion = readEnvironmentVariable('ACCOUNT_VERSION')
 param mainVersion = readEnvironmentVariable('MAIN_VERSION')
diff --git a/developer-cli/Commands/DeployCommand.cs b/developer-cli/Commands/DeployCommand.cs

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,4 @@ public sealed class BackOfficeHostOptions`
`8`	`8`
`9`	`9`	`[Required(AllowEmptyStrings = false)]`
`10`	`10`	`public string Host { get; init; } = string.Empty;`
`11`		`-`
`12`		`- public string? GroupId { get; init; }`
`13`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,4 @@ public static class BackOfficeIdentityDefaults`
`24`	`24`	`public const string LogoutPath = "/.auth/logout";`
`25`	`25`
`26`	`26`	`public const string AccessDeniedPath = "/access-denied";`
`27`		`-`
`28`		`- public const string BackOfficeGroupIdEnvironmentVariable = "BACK_OFFICE_GROUP_ID";`
`29`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`using Microsoft.AspNetCore.Authentication.JwtBearer;`
`2`		`-using Microsoft.AspNetCore.Authorization;`
`3`	`2`	`using Microsoft.AspNetCore.Builder;`
`4`	`3`	`using Microsoft.AspNetCore.Hosting;`
`5`	`4`	`using Microsoft.AspNetCore.HttpOverrides;`
`@@ -247,15 +246,12 @@ private IServiceCollection AddAuthConfiguration()`
`247`	`246`	`)`
`248`	`247`	`.AddScheme<BackOfficeIdentityOptions, BackOfficeIdentityHandler>(BackOfficeIdentityDefaults.AuthenticationScheme, _ => { });`
`249`	`248`
`250`		`- services.AddSingleton<IAuthorizationHandler, BackOfficeGroupAuthorizationHandler>();`
`251`		`-`
`252`	`249`	`return services.AddAuthorization(authOptions =>`
`253`	`250`	`{`
`254`	`251`	`authOptions.AddPolicy(BackOfficeIdentityDefaults.PolicyName, policy =>`
`255`	`252`	`{`
`256`	`253`	`policy.AuthenticationSchemes = [BackOfficeIdentityDefaults.AuthenticationScheme];`
`257`	`254`	`policy.RequireAuthenticatedUser();`
`258`		`- policy.AddRequirements(new BackOfficeGroupRequirement());`
`259`	`255`	`}`
`260`	`256`	`);`
`261`	`257`	`}`