
FranceConnect for users

Vincent Agnano requested to merge feature/franceconnect-poc-3 into master

Created by: adipasquale

1. migration to add FranceConnect fields to users

I'm adding two fields to users:

  • franceconnect_openid_sub : this is a unique identifier for accounts from FC. Not used yet but could be useful in the future.
  • created_through : describes how the user was created. Possible values: agent_creation, user_sign_up, franceconnect_sign_up, user_relative_creation, unknown. I'm relying on a 'bug' in the migration: we were setting invited_by for all users created by agents, regardless of whether they were indeed invited or not. For the other ones we cannot always know if they were created by the user herself or by an agent, so I'm using unknown.
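Added example (not code from this PR): the backfill logic the description sketches, written as plain Ruby rather than a Rails migration so it runs on its own. `User` is a stand-in for the ActiveRecord model and the sample rows are constructed. The rule "invited_by present means agent_creation" is the one the PR states; treating a self-set password with no invitation as user_sign_up is an assumption made here for illustration.

```ruby
# Stand-in for the users table row (the real model is ActiveRecord).
User = Struct.new(:id, :email, :invited_by, :encrypted_password, :created_through,
                  keyword_init: true)

# The enum the PR introduces; anything outside it is a bug in the backfill.
CREATED_THROUGH_VALUES = %w[agent_creation user_sign_up franceconnect_sign_up
                            user_relative_creation unknown].freeze

def created_through_for(user)
  # invited_by was set for every agent-created user, invited or not,
  # so its presence is the reliable signal for agent_creation.
  return "agent_creation" unless user.invited_by.nil?

  # Assumption for this example: a password the user set herself, with no
  # invitation on record, is taken as a self sign-up.
  pw = user.encrypted_password
  return "user_sign_up" if pw && !pw.empty?

  # Everything else cannot be decided from the data we have.
  "unknown"
end

# Sets created_through on every user and returns the tally, in the same
# shape as the production simulation output in the description.
def backfill_created_through!(users)
  users.each do |u|
    value = created_through_for(u)
    raise ArgumentError, "unexpected value #{value}" unless CREATED_THROUGH_VALUES.include?(value)
    u.created_through = value
  end
  users.map(&:created_through).tally
end

# Constructed sample rows.
SAMPLE_USERS = [
  User.new(id: 1, email: "a@example.test", invited_by: 7,   encrypted_password: "$2a$..."),
  User.new(id: 2, email: "b@example.test", invited_by: 7,   encrypted_password: nil),
  User.new(id: 3, email: "c@example.test", invited_by: nil, encrypted_password: "$2a$..."),
  User.new(id: 4, email: "d@example.test", invited_by: nil, encrypted_password: nil)
]

if __FILE__ == $PROGRAM_NAME
  p backfill_created_through!(SAMPLE_USERS)
end
```

In the real migration the same classification is a single UPDATE per branch, and franceconnect_openid_sub should get a unique index so two accounts can never end up linked to one FC identity.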

2. eject from devise for SuperAdmin omniauth with GH

Devise unfortunately does not support using omniauth with multiple models so we need to eject from devise for SuperAdmins.

I've isolated the 'ejection' from Devise iso-feature with the current GH OAuth apps for SuperAdmins. This shouldn't change anything except that we'll need to change the oauth apps callback urls.

3. Implement FranceConnect omniauth sign in for users

I'm adding the gems + the buttons + the callback handler + the service to upsert users with FC data.

Tested paths

  • signup with FC from rdv tunnel
  • login with FC from rdv tunnel
  • login with FC for existing account created with password
  • reset password from account created with FC
  • login to super admin
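Added example (not the PR's own service): the upsert step that turns FranceConnect OpenID Connect claims into a local user, covering the signup, login and "existing password account" paths listed above. `FcUser` and the in-memory array stand in for the Rails model and database; the claim names (`sub`, `email`, `given_name`, `family_name`) are standard OIDC userinfo fields and are assumed here.

```ruby
# Stand-in for the users row with the two fields this PR adds.
FcUser = Struct.new(:id, :email, :first_name, :last_name,
                    :franceconnect_openid_sub, :created_through, keyword_init: true)

class FranceConnectUpsert
  class SubAlreadyLinked < StandardError; end

  # users: an Array standing in for the users table.
  def initialize(users)
    @users = users
  end

  # Returns the user for these claims: matched by sub, linked by email, or created.
  def call(claims)
    sub   = claims.fetch("sub")
    email = claims.fetch("email").strip.downcase

    # 1. Returning FC user: the stable sub, not the email, is the link key.
    found = @users.find { |u| u.franceconnect_openid_sub == sub }
    return found if found

    # 2. Existing account (e.g. created with a password) with the same email:
    #    link it to this FC identity. Matching by email trusts the provider's
    #    email claim, so the link is recorded once and matched by sub afterwards.
    existing = @users.find { |u| u.email == email }
    if existing
      # Step 1 did not match, so any sub already on this row belongs to a
      # different FC identity; never rebind silently.
      if existing.franceconnect_openid_sub
        raise SubAlreadyLinked, "user #{existing.id} is linked to another FC identity"
      end
      existing.franceconnect_openid_sub = sub
      return existing
    end

    # 3. First visit: create the account and record how it came to exist.
    user = FcUser.new(id: next_id, email: email,
                      first_name: claims["given_name"], last_name: claims["family_name"],
                      franceconnect_openid_sub: sub, created_through: "franceconnect_sign_up")
    @users << user
    user
  end

  private

  def next_id
    (@users.map(&:id).max || 0) + 1
  end
end

# Constructed sample: one account that signed up with a password before FC existed.
def sample_users
  [FcUser.new(id: 1, email: "marie@example.test", first_name: "Marie",
              last_name: "Dupont", created_through: "user_sign_up")]
end

if __FILE__ == $PROGRAM_NAME
  service = FranceConnectUpsert.new(sample_users)
  p service.call("sub" => "fc-sub-1", "email" => "Marie@example.test")
end
```

Devise's omniauthable callback would call this after the strategy has validated the ID token; the service itself only decides which row the verified identity maps to.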

Prod migration simulation results

users.created_through
 => {"unknown"=>2346, "user_sign_up"=>6372, "agent_creation"=>52046}

Testing on the review app

there is a list of demo users for the FC demo fournisseur here: https://github.com/france-connect/identity-provider-example/blob/master/database.csv

Tech discussion:

I'm not happy at all to introduce these new gem dependencies, especially since they have very low usage. BUT I think I prefer this to having to implement the OpenID protocol ourselves.

Namely, I'm adding a dependency on omniauth_openid_connect (~62 stars) which itself depends on openid_connect (~300 GH stars)

Local setup

add this to your .env

HOST=http://localhost:5000
FRANCECONNECT_HOST=fcp.integ01.dev-franceconnect.fr
FRANCECONNECT_APP_ID=xxxx
FRANCECONNECT_APP_SECRET=xxxx

you can find these credentials in the FCP interface https://partenaires.franceconnect.gouv.fr/ using the password in nextcloud, or copy them from the scalingo review app env. make sure that the callback url on the recette environment is set to localhost

not done in this PR, notes for later:

  • fetch more data (address, phone number) from a specific "FI"?
  • for FC-created users, improve message when trying to login/re-register with existing email address
  • should we store extra identity data (birthplace, birthcountry..)?

and maaaaaybe someday extract france_connect strategy to separate gem
