FranceConnect for users

[adipasquale]

1. migration to add FranceConnect fields to users

I'm adding two fields to users:

• franceconnect_openid_sub : this is a unique identifier for accounts from FC. not used yet but could be useful in the future.
• created_through : describes how the user was created. possible values: agent_creation user_sign_up franceconnect_sign_up user_relative_creation unknown. I'm relying on a 'bug' in the migration: we were setting invited_by for all users created by agents, regardless of whether they were indeed invited or not. For the other ones we cannot always know if they were created by the user herself or by an agent so I'm using unknown.

2. eject from devise for SuperAdmin omniauth with GH

Devise unfortunately does not support using omniauth with multiple models so we need to eject from devise for SuperAdmins.

I've isolated the 'ejection' from Devise iso-feature with the current GH OAuth apps for SuperAdmins. This shouldn't change anything except that we'll need to change the oauth apps callback urls.

3. Implement FranceConnect omniauth sign in for users

I'm adding the gems + the buttons + the callback handler + the service to upsert users with FC data.

Tested paths

• signup with FC from rdv tunnel
• login with FC from rdv tunnel
• login with FC for existing account created with password
• reset password from account created with FC
• login to super admin

Prod migration simulation results

users.created_through
 => {"unknown"=>2346, "user_sign_up"=>6372, "agent_creation"=>52046}

Testing on the review app

there is a list of demo users for the FC demo fournisseur here: https://github.com/france-connect/identity-provider-example/blob/master/database.csv

Tech discussion:

I'm not happy at all to introduce these new gems dependencies, especially since they have very low usage. BUT I think I prefer this than to having to implement OpenID protocol ourselves.

Namely, I'm adding a dependency on omniauth_openid_connect (~62 stars) which itself depends on openid_connect (~300 GH stars)

Local setup

add this to your .env

HOST=http://localhost:5000
FRANCECONNECT_HOST=fcp.integ01.dev-franceconnect.fr
FRANCECONNECT_APP_ID=xxxx
FRANCECONNECT_APP_SECRET=xxxx

you can find these credentials in the FCP interface https://partenaires.franceconnect.gouv.fr/ using the password in nextcloud, or copy them from the scalingo review app env. make sure that the callback url on the recette environment is set to localhost

not done in this PR, notes for later :

• fetch more data (address, phone number) from a specific "FI" ?
• for FC-created users, improve message when trying to login/re-register with existing email address
• should we store extra identity data (birthplace, birthcountry..)?

and maaaaaybe someday extract france_connect strategy to separate gem

[guillett]

As a first iteration, we can insist on relying on a single token.

I agree with you that extracting to a dedicated gem is optional so far.

[adipasquale]

closing because we're still waiting to get token keys from France Connect or something

[adipasquale]

back from the dead 🌈

[guillett]

J'ai fait un test exploratoire, peut-être incomplet.
En cas de création de compte, et hors d'un parcours de prise de RDV (ça doit être assez rare en fait) ça serait peut-être pas mal d'arriver sur la page « Vos informations » plutôt que la « home » usager connecté.

En l'écrivant je me dis que c'est une situation qui ne doit pas arriver souvent donc pourquoi s'embêter. Je pose ça quand même là mais c'est pas une très bonne idée. 😅

[yaf]

J'ai fait un ou deux tests de rapprochement, tout semble bien se passer. La déconnexion aussi.