FranceConnect for users
Created by: adipasquale
1. migration to add FranceConnect fields to users
I'm adding two fields to users:
- `franceconnect_openid_sub`: this is a unique identifier for accounts from FC. not used yet but could be useful in the future.
- `created_through`: describes how the user was created. possible values: `agent_creation`, `user_sign_up`, `franceconnect_sign_up`, `user_relative_creation`, `unknown`. I'm relying on a 'bug' in the migration: we were setting `invited_by` for all users created by agents, regardless of whether they were indeed invited or not. For the other ones we cannot always know if they were created by the user herself or by an agent so I'm using `unknown`.
2. eject from devise for SuperAdmin omniauth with GH
Devise unfortunately does not support using omniauth with multiple models so we need to eject from devise for SuperAdmins.
I've isolated the 'ejection' from Devise iso-feature with the current GH OAuth apps for SuperAdmins. This shouldn't change anything except that we'll need to change the oauth apps callback urls.
3. Implement FranceConnect omniauth sign in for users
I'm adding the gems + the buttons + the callback handler + the service to upsert users with FC data.
Tested paths
- signup with FC from rdv tunnel
- login with FC from rdv tunnel
- login with FC for existing account created with password
- reset password from account created with FC
- login to super admin
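The upsert service and the tested paths above (FC signup, repeat FC login, FC login onto an account created with a password) can be illustrated without Rails. The code below is an added example, not code from this PR or the project: `UserStore` is a constructed in-memory stand-in for the users table, `FranceConnectUpsertService` and the auth-hash shape (`uid` = the OpenID Connect `sub` claim, `info` = profile claims, as OmniAuth strategies return) are assumptions. It goes one step beyond the PR by looking up the stored `franceconnect_openid_sub` before falling back to the email address.

```ruby
# Minimal stand-in for the users table: one Hash per row. Column names
# follow the PR (franceconnect_openid_sub, created_through); the store
# itself is constructed for this example.
class UserStore
  attr_reader :rows

  def initialize
    @rows = []
  end

  def find_by_sub(sub)
    @rows.find { |u| u[:franceconnect_openid_sub] == sub }
  end

  def find_by_email(email)
    @rows.find { |u| u[:email].to_s.casecmp?(email) }
  end

  def create(attrs)
    row = { id: @rows.size + 1, franceconnect_openid_sub: nil }.merge(attrs)
    @rows << row
    row
  end
end

# Upsert a user from an OmniAuth-style auth hash returned by an OpenID
# Connect strategy. Lookup order (assumed here, not the PR's own logic):
# 1. stable "sub" claim already linked to a user
# 2. existing account with the same email (password signup or otherwise)
# 3. otherwise create a new user tagged created_through = franceconnect_sign_up
class FranceConnectUpsertService
  def initialize(store)
    @store = store
  end

  def call(auth)
    sub = auth[:uid].to_s
    info = auth[:info] || {}
    email = info[:email].to_s.strip.downcase
    raise ArgumentError, "FranceConnect response has no sub" if sub.empty?
    raise ArgumentError, "FranceConnect response has no email" if email.empty?

    # Already linked: the sub is the identifier that survives email changes.
    if (user = @store.find_by_sub(sub))
      return user
    end

    # Existing account (e.g. created with a password): link it by storing
    # the sub, keep its original created_through value untouched.
    if (user = @store.find_by_email(email))
      user[:franceconnect_openid_sub] = sub
      return user
    end

    @store.create(
      email: email,
      first_name: info[:first_name],
      last_name: info[:last_name],
      franceconnect_openid_sub: sub,
      created_through: "franceconnect_sign_up"
    )
  end
end
```

Matching on the stored sub first means a second FC login never creates a duplicate row, and the email fallback only fires for accounts that have not been linked yet, which is the "login with FC for existing account created with password" path.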
Prod migration simulation results
```
users.created_through
=> {"unknown"=>2346, "user_sign_up"=>6372, "agent_creation"=>52046}
```
Testing on the review app
there is a list of demo users for the FC demo fournisseur here: https://github.com/france-connect/identity-provider-example/blob/master/database.csv
Tech discussion:
I'm not happy at all to introduce these new gems dependencies, especially since they have very low usage. BUT I think I prefer this than to having to implement OpenID protocol ourselves.
Namely, I'm adding a dependency on `omniauth_openid_connect` (~62 stars) which itself depends on `openid_connect` (~300 GH stars).
Local setup
add this to your .env
```
HOST=http://localhost:5000
FRANCECONNECT_HOST=fcp.integ01.dev-franceconnect.fr
FRANCECONNECT_APP_ID=xxxx
FRANCECONNECT_APP_SECRET=xxxx
```
you can find these credentials in the FCP interface https://partenaires.franceconnect.gouv.fr/ using the password in nextcloud, or copy them from the scalingo review app env. make sure that the callback url on the recette environment is set to localhost
not done in this PR, notes for later:
- fetch more data (address, phone number) from a specific "FI" ?
- for FC-created users, improve message when trying to login/re-register with existing email address
- should we store extra identity data (birthplace, birthcountry..)?
and maaaaaybe someday extract france_connect strategy to separate gem