Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added documentation for general OAuth2 and specific FranceConnect configuration #130

Merged
merged 1 commit into from
Jun 17, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
121 changes: 117 additions & 4 deletions docs/authzn.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -149,13 +149,126 @@ georchestra:
----


== OAuth2
== OAuth2 & OpenID Connect

=== OAuth2 Configuration
OAuth2 authentication is enabled by setting `georchestra.gateway.security.oauth2.enabled` to `true`.

== OpenID Connect
=== Provider configuration

=== Configuration
Identity providers are declared as shown in https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html[Spring OAuth2 Log In documentation].
Some providers are natively supported by Spring, resulting in minimal configuration which often summarizes
as defining `client-name`, `client-id` and `client-secret`, and `scope` as in the following example :
[source,yaml]
----
spring:
security:
oauth2:
client:
registration:
google:
client-name: <display-name>
clientId: <client-id>
clientSecret: <client-secret>
scope: openid, email, profile
----

For providers compatible with OAuth2 or OpenID Connect but not natively supported, this section needs more
details which depends on the provider used, shown in this example but may vary :
[source,yaml]
----
spring:
security:
oauth2:
client:
registration:
<provider-name>:
client-name: <display-name>
client-id: <client-id>
client-secret: <client-secret>
authorization-grant-type: authorization_code
redirect-uri: https://<gateway-url>/login/oauth2/code/<provider-name>
scope: openid, email, profile
----

Then an additional section is needed to define entry point URLs. With OpenID Connect, configuration can be
automatically loaded using the discovery endpoint if the provider has one, by adding
`spring.security.oauth2.provider.<provider-name>.issuer-uri: <configuration-entry-point-url>`
(without specifying the `.well-known/openid-configuration` part).

If the provider does not have this endpoint, configuration must be manually defined. An example is provided
below, but it may vary according to provider configuration :
[source,yaml]
----
spring:
security:
oauth2:
client:
provider:
<provider-name>:
authorization-uri: <authorization-entry-point-url>
token-uri: <token-entry-point-url>
user-info-uri: <user-info-entry-point-url>
end-session-uri: <end-session-entry-point-url>
user-name-attribute: sub
----

The `authorization-uri`, `token-uri` and `user-info-uri` endpoints are always required, but other parameters
shown here may not, and other parameters not shown here may also be required. Please check
https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-sample-application-config[Spring documentation]
about available parameters, and note that `end-session-uri` is not a Spring parameter but an addition that
was made to the gateway to add support for logout endpoint.

Identity providers may ask about authorized callback URLs so that they can check which client domain has
access to their identification feature with given secrets. Here are the callback URLs used by the gateway : +
Login callback : `https://<gateway-url>/login/oauth2/code/<provider-name>` +
Logout callback : `https://<gateway-url>/login?logout`

=== FranceConnect provider

FranceConnect is a widely used french identity provider which allows individuals to login on a public
administration website using an account held by another public administration. It is available only to
public entities, has some strict technical and ergonomics guidelines, and requires an administrative
validation procedure where functionality of the website is fully tested against theses guidelines
before providing production secrets. Until this procedure is complete, they provide integration secrets,
endpoints, and dummy accounts for testing purpose.

FranceConnect technical documentation is available https://partenaires.franceconnect.gouv.fr/fcp/fournisseur-service[here in French]. It requires some specific parameters to be used with the gateway. Here is an example of a working
configuration using integration platform (URLs may change) :

[source,yaml]
----
spring:
security:
oauth2:
client:
registration:
<provider-name>:
client-name: <display-name>
clientId: <client-id>
clientSecret: <client-secret>
client-authentication-method: post
authorization-grant-type: authorization_code
redirect-uri: https://<gateway-url>/login/oauth2/code/<provider-name>
scope: openid, email, given_name, family_name
provider:
<provider-name>:
authorization-uri: https://fcp.integ01.dev-franceconnect.fr/api/v1/authorize
token-uri: https://fcp.integ01.dev-franceconnect.fr/api/v1/token
user-info-uri: https://fcp.integ01.dev-franceconnect.fr/api/v1/userinfo
end-session-uri: https://fcp.integ01.dev-franceconnect.fr/api/v1/logout
user-name-attribute: sub
----

`end-session-uri` is strictly mandatory because FranceConnect will keep track of active logins and won't
allow a new login if the previous one was not logged out properly by a call to this endpoint. If locked
when testing, login state can be reset by deleting FranceConnect cookies or by pasting this endpoint URL
in the locked browser.

FranceConnect does not support the general `profile` scope, so it is required to specify each necessary
OpenID fields one by one, as in the example, in a list of supported fields. It will also show to the user
when logging in which scope has been requested.

=== Claims configuration

Both standard and non-standard claims can be used to set the `GeorchestraUser`'s
`organization` short name and `roles` properties using JSONPath expressions with
Expand Down
Loading