demarches-normaliennes/app/services/agent_connect_service.rb

class AgentConnectService
  include OpenIDConnect

  def self.enabled?
    ENV['AGENT_CONNECT_BASE_URL'].present?
  end

  def self.authorization_uri
    client = OpenIDConnect::Client.new(conf)

    state = SecureRandom.hex(16)
    nonce = SecureRandom.hex(16)

    uri = client.authorization_uri(
      scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret],
      state:,
      nonce:,
      acr_values: 'eidas1'
    )

    [uri, state, nonce]
  end

  def self.user_info(code, nonce)
    client = OpenIDConnect::Client.new(conf)
    client.authorization_code = code

    access_token = client.access_token!(client_auth_method: :secret)

    id_token = ResponseObject::IdToken.decode(access_token.id_token, conf[:jwks])
    id_token.verify!(conf.merge(nonce: nonce))

    [access_token.userinfo!.raw_attributes, access_token.id_token]
  end

  private

  # TODO: remove this block when migration to new domain is done
  def self.conf
    if Current.host.end_with?('.gouv.fr')
      AGENT_CONNECT_GOUV
    else
      AGENT_CONNECT
    end
  end
end
AgentConnect UI 2021-11-19 10:00:04 +01:00			`class AgentConnectService`
check nonce 2022-04-11 13:11:54 +02:00			`include OpenIDConnect`

AgentConnect UI 2021-11-19 10:00:04 +01:00			`def self.enabled?`
replace AGENT_CONNECT_ENABLED and move AC conf to optionnal env 2024-03-19 18:10:59 +01:00			`ENV['AGENT_CONNECT_BASE_URL'].present?`
AgentConnect UI 2021-11-19 10:00:04 +01:00			`end`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00
			`def self.authorization_uri`
use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`client = OpenIDConnect::Client.new(conf)`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00
check state 2022-04-11 13:11:04 +02:00			`state = SecureRandom.hex(16)`
check nonce 2022-04-11 13:11:54 +02:00			`nonce = SecureRandom.hex(16)`
check state 2022-04-11 13:11:04 +02:00
			`uri = client.authorization_uri(`
feat(file retrieval): attach agent_connect_information to instructeur 2023-12-12 15:02:22 +01:00			`scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret],`
			`state:,`
			`nonce:,`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00			`acr_values: 'eidas1'`
			`)`
check state 2022-04-11 13:11:04 +02:00
check nonce 2022-04-11 13:11:54 +02:00			`[uri, state, nonce]`
redirect to AgentConnect 2021-11-19 10:21:47 +01:00			`end`
manage AgentConnect callback 2021-11-19 15:24:54 +01:00
check nonce 2022-04-11 13:11:54 +02:00			`def self.user_info(code, nonce)`
use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`client = OpenIDConnect::Client.new(conf)`
remove one indirection 2024-03-18 17:36:25 +01:00			`client.authorization_code = code`
manage AgentConnect callback 2021-11-19 15:24:54 +01:00
check nonce 2022-04-11 13:11:54 +02:00			`access_token = client.access_token!(client_auth_method: :secret)`

use ac gouv conf when needed 2024-03-19 14:42:40 +01:00			`id_token = ResponseObject::IdToken.decode(access_token.id_token, conf[:jwks])`
			`id_token.verify!(conf.merge(nonce: nonce))`
check nonce 2022-04-11 13:11:54 +02:00
store id_token 2024-03-18 10:35:41 +01:00			`[access_token.userinfo!.raw_attributes, access_token.id_token]`
manage AgentConnect callback 2021-11-19 15:24:54 +01:00			`end`
use ac gouv conf when needed 2024-03-19 14:42:40 +01:00
			`private`

			`# TODO: remove this block when migration to new domain is done`
			`def self.conf`
			`if Current.host.end_with?('.gouv.fr')`
			`AGENT_CONNECT_GOUV`
			`else`
			`AGENT_CONNECT`
			`end`
			`end`
AgentConnect UI 2021-11-19 10:00:04 +01:00			`end`