ProConnect - use, adapt or config gateway #160

Open
Gaetanbrl opened this issue Dec 18, 2024 · 1 comment

Gaetanbrl commented Dec 18, 2024

Context

As part of ProConnect developments, we will use the gateway to allow users to be authenticated via ProConnect.

Description

This issue will be useful to identify tasks and actions to use the gateway with this new provider.

The georchestra gateway documentation about OpenID and providers (thanks @f-necas) is available here:

https://github.com/georchestra/georchestra-gateway/blob/main/docs/authzn.adoc#oauth2--openid-connect


Gaetanbrl commented Jan 13, 2025

This explains how we apply auto configuration with the issuer-uri config param.

About configuration

ProConnect allows getting full information from the openid-configuration URI:
https://fca.integ01.dev-agentconnect.fr/api/v2/.well-known/openid-configuration

The georchestra-gateway documentation gives some details about this config:

With OpenID Connect, configuration can be automatically loaded using the discovery endpoint if the provider has one, by adding spring.security.oauth2.provider.<provider-name>.issuer-uri: <configuration-entry-point-url> (without specifying the .well-known/openid-configuration part).

Next, I adapt the security.yaml config file:

spring:
  security:
    oauth2:
      client:
        registration:
          proconnect:
            client-id: ****
            client-secret: *****
            authorization-grant-type: authorization_code
            redirect-uri: "https://dev.jdev.fr/login/oauth2/code/proconnect"
            scope: openid, email, given_name, family_name, siret
        provider:
          proconnect:
            issuer-uri: "https://fca.integ01.dev-agentconnect.fr/api/v2"

Focus on the ProConnect process

The process is fully documented (FR) here:
https://github.com/numerique-gouv/proconnect-documentation/blob/main/doc_fs/implementation_technique.md

  1. Publish a new request to create a new ProConnect Service Provider here:
    https://www.demarches-simplifiees.fr/dossiers

This request needs the following input:

  • redirect-uri: https://<gateway-url>/login/oauth2/code/<provider-name>
  • logout uri: https://<gateway-url>/login?logout

See the georchestra-gateway documentation to get more details.

  2. The ProConnect teams accept the request and return CLIENT and SECRET values
  3. Adapt the gateway configuration (see YAML example above)

We can now inspect the many requests / callbacks between the gateway and ProConnect:

[image]

At this point, the ProConnect login comes back correctly to the georchestra gateway, but we get a login error URL:

https://dev.jdev.fr/login?error

I guess the gateway needs to be modified or needs more configuration.
This is the next step...
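
An added example, not part of the issue or of georchestra-gateway: an offline check that a registration like the one in the YAML above is consistent with the provider's discovery document (issuer match, advertised scopes, redirect-uri shape). The hostnames, the function names and the sample metadata are constructed for illustration and are not ProConnect's real values.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document (not ProConnect's real metadata).
SAMPLE_METADATA = {
    "issuer": "https://idp.example.test/api/v2",
    "authorization_endpoint": "https://idp.example.test/api/v2/authorize",
    "token_endpoint": "https://idp.example.test/api/v2/token",
    "jwks_uri": "https://idp.example.test/api/v2/jwks",
    "scopes_supported": ["openid", "email", "given_name", "family_name", "siret"],
}


def discovery_url(issuer_uri):
    """URL the metadata is loaded from: issuer-uri plus the well-known suffix."""
    return issuer_uri + WELL_KNOWN


def check_registration(registration_id, issuer_uri, redirect_uri, scope, metadata):
    """Return a list of mismatches between the client config and the metadata."""
    problems = []
    if issuer_uri.endswith(WELL_KNOWN):
        problems.append("issuer-uri must not include the .well-known part")
    for key in REQUIRED:
        if not metadata.get(key):
            problems.append(f"metadata is missing {key}")
    # The issuer advertised by the provider has to equal the configured value.
    if metadata.get("issuer") != issuer_uri:
        problems.append("metadata issuer differs from issuer-uri")
    # Scopes are written comma-separated, as in the YAML registration.
    requested = [s.strip() for s in scope.split(",") if s.strip()]
    if "openid" not in requested:
        problems.append("scope lacks openid")
    supported = metadata.get("scopes_supported")
    if supported is not None:
        for s in requested:
            if s not in supported:
                problems.append(f"scope not advertised: {s}")
    # Redirect URI form given in the issue: /login/oauth2/code/<provider-name>
    url = urlsplit(redirect_uri)
    if url.scheme != "https":
        problems.append("redirect-uri is not https")
    if url.path != f"/login/oauth2/code/{registration_id}":
        problems.append("redirect-uri path does not match the registration id")
    return problems
```

Fetching the JSON from `discovery_url(...)` and passing it as `metadata` runs the same checks against a live provider.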
