demarches-normaliennes/app/services/agent_connect_service.rb

# frozen_string_literal: true

class AgentConnectService
  include OpenIDConnect

  def self.enabled?
    ENV['AGENT_CONNECT_BASE_URL'].present?
  end

  def self.authorization_uri
    client = OpenIDConnect::Client.new(conf)

    state = SecureRandom.hex(16)
    nonce = SecureRandom.hex(16)

    uri = client.authorization_uri(
      scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret, :idp_id],
      state:,
      nonce:,
      acr_values: 'eidas1',
      claims: { id_token: { amr: { essential: true } } }.to_json,
      prompt: :login
    )

    [uri, state, nonce]
  end

  def self.user_info(code, nonce)
    client = OpenIDConnect::Client.new(conf)
    client.authorization_code = code

    access_token = client.access_token!(client_auth_method: :secret)

    id_token = ResponseObject::IdToken.decode(access_token.id_token, conf[:jwks])
    id_token.verify!(conf.merge(nonce: nonce))

    amr = id_token.amr.present? ? JSON.parse(id_token.amr) : []

    [access_token.userinfo!.raw_attributes, access_token.id_token, amr]
  end

  def self.logout_url(id_token, host_with_port:)
    app_logout = Rails.application.routes.url_helpers.logout_url(host: host_with_port)
    h = { id_token_hint: id_token, post_logout_redirect_uri: app_logout }
    "#{AGENT_CONNECT[:end_session_endpoint]}?#{h.to_query}"
  end

  private

  # TODO: remove this block when migration to new domain is done
  def self.conf
    if Current.host.end_with?('.gouv.fr')
      AGENT_CONNECT_GOUV
    else
      AGENT_CONNECT
    end
  end
end
chore: enable freeze string literals by comment 2024-04-29 00:17:15 +02:00			`# frozen_string_literal: true`

AgentConnect UI 2021-11-19 10:00:04 +01:00			`class AgentConnectService`
check nonce 2022-04-11 13:11:54 +02:00			`include OpenIDConnect`

AgentConnect UI 2021-11-19 10:00:04 +01:00			`def self.enabled?`
replace AGENT_CONNECT_ENABLED and move AC conf to optionnal env 2024-03-19 18:10:59 +01:00			`ENV['AGENT_CONNECT_BASE_URL'].present?`
AgentConnect UI 2021-11-19 10:00:04 +01:00			`end`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00
			`def self.authorization_uri`
use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`client = OpenIDConnect::Client.new(conf)`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00
check state 2022-04-11 13:11:04 +02:00			`state = SecureRandom.hex(16)`
check nonce 2022-04-11 13:11:54 +02:00			`nonce = SecureRandom.hex(16)`
check state 2022-04-11 13:11:04 +02:00
			`uri = client.authorization_uri(`
add identity_provider id scope 2024-09-16 11:03:24 +02:00			`scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret, :idp_id],`
feat(file retrieval): attach agent_connect_information to instructeur 2023-12-12 15:02:22 +01:00			`state:,`
			`nonce:,`
ask for amr (Authentication Methods References) 2024-09-11 10:18:46 +02:00			`acr_values: 'eidas1',`
			`claims: { id_token: { amr: { essential: true } } }.to_json,`
			`prompt: :login`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00			`)`
check state 2022-04-11 13:11:04 +02:00
check nonce 2022-04-11 13:11:54 +02:00			`[uri, state, nonce]`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00			`end`
manage AgentConnect callback 2021-11-19 15:24:54 +01:00
check nonce 2022-04-11 13:11:54 +02:00			`def self.user_info(code, nonce)`
use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`client = OpenIDConnect::Client.new(conf)`
remove one indirection 2024-03-18 17:36:25 +01:00			`client.authorization_code = code`
manage AgentConnect callback 2021-11-19 15:24:54 +01:00
check nonce 2022-04-11 13:11:54 +02:00			`access_token = client.access_token!(client_auth_method: :secret)`

use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`id_token = ResponseObject::IdToken.decode(access_token.id_token, conf[:jwks])`
			`id_token.verify!(conf.merge(nonce: nonce))`
check nonce 2022-04-11 13:11:54 +02:00
ask for amr (Authentication Methods References) 2024-09-11 10:18:46 +02:00			`amr = id_token.amr.present? ? JSON.parse(id_token.amr) : []`

			`[access_token.userinfo!.raw_attributes, access_token.id_token, amr]`
manage AgentConnect callback 2021-11-19 15:24:54 +01:00			`end`
use ac gouv conf when needed 2024-03-19 14:42:40 +01:00
refactor: extract agent_connect logout_url to a agent_connect_service 2024-09-16 12:10:55 +02:00			`def self.logout_url(id_token, host_with_port:)`
			`app_logout = Rails.application.routes.url_helpers.logout_url(host: host_with_port)`
			`h = { id_token_hint: id_token, post_logout_redirect_uri: app_logout }`
			`"#{AGENT_CONNECT[:end_session_endpoint]}?#{h.to_query}"`
			`end`

use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`private`

			`# TODO: remove this block when migration to new domain is done`
			`def self.conf`
			`if Current.host.end_with?('.gouv.fr')`
			`AGENT_CONNECT_GOUV`
			`else`
			`AGENT_CONNECT`
			`end`
			`end`
AgentConnect UI 2021-11-19 10:00:04 +01:00			`end`