FranceConnect for users #752
As a first iteration, we can insist on relying on a single token. I agree with you that extracting to a dedicated gem is optional so far.
Closing because we're still waiting to get token keys from France Connect or something.

Back from the dead 🌈
I did an exploratory test, possibly incomplete. While writing it I told myself this is a situation that shouldn't happen often, so why bother. I'm leaving it here anyway, but it's not a very good idea. 😅
I ran one or two account-matching tests; everything seems to work fine. Logging out as well.
1. Migration to add FranceConnect fields to users

I'm adding two fields to users:

- `franceconnect_openid_sub`: this is a unique identifier for accounts from FC. Not used yet but could be useful in the future.
- `created_through`: describes how the user was created. Possible values: `agent_creation`, `user_sign_up`, `franceconnect_sign_up`, `user_relative_creation`, `unknown`. I'm relying on a 'bug' in the migration: we were setting `invited_by` for all users created by agents, regardless of whether they were indeed invited or not. For the other ones we cannot always know if they were created by the user herself or by an agent, so I'm using `unknown`.

2. Eject from Devise for SuperAdmin omniauth with GH

Devise unfortunately does not support using omniauth with multiple models, so we need to eject from Devise for SuperAdmins.
I've isolated the 'ejection' from Devise iso-feature with the current GH OAuth apps for SuperAdmins. This shouldn't change anything except that we'll need to change the OAuth apps' callback URLs.

3. Implement FranceConnect omniauth sign in for users

I'm adding the gems + the buttons + the callback handler + the service to upsert users with FC data.

Tested paths

Prod migration simulation results

Testing on the review app

There is a list of demo users for the FC demo identity provider here: https://github.com/france-connect/identity-provider-example/blob/master/database.csv

Tech discussion:

I'm not happy at all to introduce these new gem dependencies, especially since they have very low usage. BUT I think I prefer this to having to implement the OpenID protocol ourselves.
Namely, I'm adding a dependency on `omniauth_openid_connect` (~62 stars), which itself depends on `openid_connect` (~300 GH stars).

Local setup

Add this to your `.env`:

You can find these credentials in the FCP interface https://partenaires.franceconnect.gouv.fr/ using the password in Nextcloud, or copy them from the Scalingo review app env. Make sure that the callback URL on the recette environment is set to localhost.

Not done in this PR, notes for later:

- and maaaaaybe someday extract the france_connect strategy to a separate gem
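As an added example (not code from this PR or the project), here is one way the "service to upsert users with FC data" described above could key on the OpenID Connect `sub` claim and populate `franceconnect_openid_sub` and `created_through`; the `User` class, the in-memory `UserStore` and the claim values are constructed stand-ins.

```ruby
# Constructed stand-in for the users model (not the project's model).
class User
  attr_accessor :id, :email, :first_name, :last_name,
                :franceconnect_openid_sub, :created_through

  def initialize(**attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Constructed in-memory stand-in for the users table.
class UserStore
  def initialize
    @users = []
  end

  def find_by(**conds)
    @users.find { |u| conds.all? { |k, v| u.public_send(k) == v } }
  end

  def create(**attrs)
    user = User.new(id: @users.size + 1, **attrs)
    @users << user
    user
  end

  def size
    @users.size
  end
end

# Upsert rule: the OIDC `sub` is the stable identifier of an FC account, so match
# on `franceconnect_openid_sub` first. Fall back to the e-mail to link an account
# that already exists (keeping its original `created_through`), but refuse to
# rebind an account that is already linked to a different FC `sub`.
def upsert_from_franceconnect(store, claims)
  sub   = claims.fetch("sub")
  email = claims.fetch("email").strip.downcase

  if (user = store.find_by(franceconnect_openid_sub: sub))
    return user
  end

  if (user = store.find_by(email: email))
    if user.franceconnect_openid_sub && user.franceconnect_openid_sub != sub
      raise ArgumentError, "email already linked to another FranceConnect account"
    end
    user.franceconnect_openid_sub = sub
    return user
  end

  store.create(email: email, first_name: claims["given_name"],
               last_name: claims["family_name"], franceconnect_openid_sub: sub,
               created_through: "franceconnect_sign_up")
end
```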