This repository has been archived on 2026-03-24.
lebaudantoine 5634a7f390 (backend) add resource server backend
Why:

Many services in La Suite rely on Agent Connect to authenticate their users.
Delegating authentication to Agent Connect is highly beneficial. With a central
party (Agent Connect) handling user authentication, our services can seamlessly
communicate with each other. Our backend must be able to receive and verify
access tokens issued by Agent Connect.

Additionally, it should ensure that the resource owner has granted permission
for our data to the service provider transmitting the access token.

How:

Our backend needs to verify access tokens by introspecting them. This involves
requesting the Authorization Server to validate the access token received in
the authentication header. The Authorization Server validates the token's
integrity, provides authentication and authorization information about
the user currently logged into the service provider requesting data from
the resource server.

The data returned by the Authorization Server to the resource server
is encrypted and signed. To encrypt the introspection token, the Authorization
Server retrieves the resource server's public key from
the new `/jwks` endpoint.

Encryption parameters, such as algorithm and encoding, are configured on
the resource server. Ensure that these parameters match between
the Authorization Server and the resource server.

The resource server verifies the token signature using the Authorization
Server's public key, exposed through its `/jwks` endpoint. Make sure
the signature algorithms match between both servers. Finally, introspection
token claims are verified to adhere to good practices for handling JWTs,
including checks on issuer, audience, and expiration time.

The introspection token contains a subject (`sub`). The resource server uses
this subject to retrieve the requested database user, compatible
with both pairwise and public subjects.

Important:

Agent Connect does not follow RFC 7662 but uses a draft RFC that adds security
(signing/encryption) to the initial specification. Refer to the "References"
section for more information.

References:

The initial RFC describing token introspection is RFC 7662 "OAuth 2.0 Token
Introspection". However, this RFC specifies that the introspection
response is a plain JSON object.

In eGovernment applications, our resource server requires stronger assurance
that the Authorization Server issued the token introspection response.

France Connect's team implemented a stronger version of the spec, returning
a signed and encrypted token introspection response. This version is still
a draft, available under:

"draft-ietf-oauth-jwt-introspection-response".

People

People is an application to handle users and teams.

As of today, this project is not yet ready for production. Expect breaking changes.

People is built on top of Django Rest Framework.

Getting started

Prerequisite

Make sure you have a recent version of Docker and Docker Compose installed on your laptop:

$ docker -v
  Docker version 20.10.2, build 2291f61

$ docker compose -v
  docker compose version 1.27.4, build 40524192

⚠️ You may need to run the following commands with sudo, but this can be avoided by adding your user to the docker group.

Project bootstrap

The easiest way to start working on the project is to use GNU Make:

$ make bootstrap

This command builds the app container, installs dependencies, performs database migrations and compiles translations. It's a good idea to use this command each time you pull code from the project repository, to avoid dependency-related or migration-related issues.

Your Docker services should now be up and running 🎉

Note that if you need to run the services again afterwards, you can use the eponymous Make rule:

$ make run

Adding content

You can create a basic demo site by running:

$ make demo

Finally, you can check all available Make rules using:

$ make help

Django admin

You can access the Django admin site at http://localhost:8071/admin.

You first need to create a superuser account:

$ make superuser

You can then log in with sub admin and password admin.

Run frontend

Run the frontend with:

$ make run-front-desk

Then access it at http://localhost:3000 with the following credentials:

user: people

password: people

Contributing

This project is intended to be community-driven, so please do not hesitate to get in touch if you have any questions about our implementation or design decisions.

License

This work is released under the MIT License (see LICENSE).
