Versatile identity management server
Benjamin Dauvergne 44d8bfb472 utils: fix mapping of user attributes 2017-07-18 19:29:37 +02:00
debian Fix bad version number in last commit. 2016-06-16 15:28:28 +02:00
src/authentic2_auth_fc utils: fix mapping of user attributes 2017-07-18 19:29:37 +02:00
tests allow fc unlinking through api (#15297) 2017-07-05 15:33:05 +02:00
.gitignore Refactorize application to make it an authentic2 plugin (2/2) 2014-11-06 21:35:04 +01:00
COPYING Rename MSP plugin as FC plugin 2015-05-27 18:07:23 +02:00
MANIFEST.in setup.py: distribute insee files 2017-07-18 00:44:30 +02:00
README improve mapping of FC attributes to A2 attributes (#10062) 2017-03-21 11:02:26 +01:00
getlasso.sh validate id_token 2017-06-15 18:46:27 +02:00
setup.py setup.py: distribute insee files 2017-07-18 00:44:30 +02:00
tox.ini validate id_token 2017-06-15 18:46:27 +02:00

README

==================
authentic2-auth-fc
==================

Authentic2 plugin to authenticate against *France Connect*, the French
citizen and enterprise SSO.

Installation
============

Install with `pip install authentic2-auth-fc`

Settings
========

Add `A2_FC_ENABLE = True` to your `local_settings.py` file.

Define the needed parameters::

   A2_FC_CLIENT_ID = 'id assigned by DISIC'
   A2_FC_CLIENT_SECRET = 'secret assigned by DISIC'
   A2_FC_VERIFY_CERTIFICATE = False # True for production

`A2_FC_CREATE = True` sets the plugin in provisioning mode. If a sub is unknown,
a user is created instead of asking for authentication.

When the create mode is enabled, the link for unlinking is hidden on the
profile frontend. This is because asking for the user's credentials when
unlinking a user created without any credential other than the authentication
delegation is not yet implemented. Unlinking means losing access to this
account at the end of the current session. To enable unlinking when create is
enabled, use `A2_FC_ENABLE_UNLINK_WHEN_CREATE = True`.

`A2_FC_LOGOUT_WHEN_UNLINK = True` is used to trigger a logout toward the OP
after unlinking.

Platforms
=========

When testing against a platform other than FranceConnect, you must change
the default endpoint URLs in your `local_settings.py` file::

   A2_FC_AUTHORIZE_URL = 'https://fcp.integ01.dev-franceconnect.fr/api/v1/authorize'
   A2_FC_TOKEN_URL = 'https://fcp.integ01.dev-franceconnect.fr/api/v1/token'
   A2_FC_USERINFO_URL = 'https://fcp.integ01.dev-franceconnect.fr/api/v1/userinfo'
   A2_FC_LOGOUT_URL = 'https://fcp.integ01.dev-franceconnect.fr/api/v1/logout'

Data Providers
==============

You can define data provider endpoints with the following dictionary::

   A2_FC_FD_LIST = {
       'revenu_fiscal_de_reference': [
           {
               'name': 'OpenDataSoft',
               'url': 'https://datafranceconnect.opendatasoft.com/api/records/1.0/search',
               'query_dic': {'dataset': 'guichet-des-bretons', },
           },
       ],
   }

Data is requested through the login or link endpoint view by giving
space-delimited scopes in the `fd_scopes` GET parameter::

   fc/callback/?next=%2F&fd_scopes=revenu_fiscal_de_reference scolarite

The data received is recorded in the session in a dictionary named `fc-data`,
with scopes as keys and lists of data as values. Each data item is a pair of
FD name and data content::

   fc_data_dic = {
       scope_name: [
           [FD_name, data],
       ],
   }

Attribute mapping
=================

You can map France Connect attributes to Authentic2 attributes through the
setting `A2_FC_USER_INFO_MAPPINGS`. `A2_FC_USER_INFO_MAPPINGS` is a dictionary
whose keys are authentic2's attribute names and whose values can be France
Connect attribute names or dictionaries with the following keys:

- `value`: a static value which will be assigned to the authentic2 attribute,
  can be any Python value,
- `ref`: the name of a France Connect attribute,
- `translation`: a transformation name among:

  - `insee-communes`: translate the value using the mapping from INSEE codes
    of communes to their names,
  - `insee-countries`: translate the value using the mapping from INSEE codes
    of countries to their names,
  - `simple`: look up the value using the dictionary in `translation_simple`.

- `compute`: compute a value using a known function; the only known function
  for now is `today`, which returns `datetime.date.today()`.
- `verified`: set the verified flag on the value.

Example::

   A2_FC_USER_INFO_MAPPINGS = {
     'first_name': 'given_name',
     'last_name': 'family_name',
     'birthdate': { 'ref': 'birthdate', 'translation': 'isodate' },
     'birthplace': { 'ref': 'birthplace', 'translation': 'insee-communes' },
     'birthcountry': { 'ref': 'birthcountry', 'translation': 'insee-countries' },
     'birthplace_insee': 'birthplace',
     'birthcountry_insee': 'birthcountry',
     'title': {
        'ref': 'gender',
        'translation': 'simple',
        'translation_simple': {
           'male': 'Monsieur',
           'female': 'Madame',
        }
     },
     'gender': 'gender',
     'validated': { 'value': True },
     'validation_date': { 'compute': 'today' },
     'validation_context': { 'value': 'France Connect' },
   }
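
The mapping rules described above, resolved against a userinfo response, as an added example that is not the plugin's own code. The function `resolve_mappings`, the sample data, the one-entry commune table, the precedence of `value` over `compute` over `ref`, and the fall-back to the raw value when a lookup misses are all assumptions made for illustration; `insee-countries` and `isodate` are not covered and are rejected like any other unknown translation.

```python
import datetime

# Constructed stand-in for the INSEE commune table (one sample entry).
SAMPLE_COMMUNES = {'75056': 'Paris'}

def resolve_mappings(mappings, user_info, communes=SAMPLE_COMMUNES):
    """Return {a2_attribute: (value, verified)} for one userinfo dict."""
    resolved = {}
    for attribute, rule in mappings.items():
        if isinstance(rule, str):
            rule = {'ref': rule}  # a bare string names a France Connect attribute
        if 'value' in rule:
            value = rule['value']
        elif 'compute' in rule:
            if rule['compute'] != 'today':
                raise ValueError('unknown compute function: %r' % rule['compute'])
            value = datetime.date.today()
        elif 'ref' in rule:
            if rule['ref'] not in user_info:
                continue  # claim not released by the OP: leave the attribute unset
            value = user_info[rule['ref']]
        else:
            raise ValueError('mapping for %r has no value, ref or compute' % attribute)
        translation = rule.get('translation')
        if translation == 'simple':
            value = rule['translation_simple'].get(value, value)
        elif translation == 'insee-communes':
            value = communes.get(value, value)
        elif translation is not None:
            # Fail closed on a misspelled or unsupported translation name.
            raise ValueError('unknown translation: %r' % translation)
        # Only rules that ask for it get the verified flag.
        resolved[attribute] = (value, bool(rule.get('verified')))
    return resolved

# Constructed sample settings and userinfo payload.
SAMPLE_MAPPINGS = {
    'first_name': 'given_name',
    'birthplace': {'ref': 'birthplace', 'translation': 'insee-communes',
                   'verified': True},
    'title': {'ref': 'gender', 'translation': 'simple',
              'translation_simple': {'male': 'Monsieur', 'female': 'Madame'}},
    'validated': {'value': True},
    'validation_date': {'compute': 'today'},
    'email': 'email',  # not present in the sample userinfo below
}
SAMPLE_USER_INFO = {'given_name': 'Jeanne', 'gender': 'female',
                    'birthplace': '75056'}
```

Calling `resolve_mappings(SAMPLE_MAPPINGS, SAMPLE_USER_INFO)` leaves `email` unset because the claim is absent, and only `birthplace` comes back flagged as verified.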