diff --git a/pages/api/auth/agent-connect/callback.ts b/pages/api/auth/agent-connect/callback.ts
index 30f1b17f1..d413c0627 100644
--- a/pages/api/auth/agent-connect/callback.ts
+++ b/pages/api/auth/agent-connect/callback.ts
@@ -1,7 +1,11 @@
 import { agentConnectAuthenticate } from '#clients/authentication/agent-connect/strategy';
 import { HttpForbiddenError } from '#clients/exceptions';
+import { clientUniteLegaleRechercheEntreprise } from '#clients/recherche-entreprise/siren';
+import { isServicePublic } from '#models/core/types';
 import { Exception } from '#models/exceptions';
 import { getAgent } from '#models/user/agent';
+import { isAgentScope } from '#models/user/scopes';
+import { extractSirenFromSiret } from '#utils/helpers';
 import { logFatalErrorInSentry } from '#utils/sentry';
 import { cleanPathFrom, getPathFrom, setAgentSession } from '#utils/session';
 import withSession from '#utils/session/with-session';
@@ -10,6 +14,26 @@ export default withSession(async function callbackRoute(req, res) {
 try {
 const userInfo = await agentConnectAuthenticate(req);
 const agent = await getAgent(userInfo);
+
+ const isWhitelisted = agent.scopes.some((scope) => isAgentScope(scope));
+ const { isMCP } = agent;
+
+ if (!isWhitelisted && isMCP) {
+ const siren = extractSirenFromSiret(agent.siret);
+ const uniteLegale = await clientUniteLegaleRechercheEntreprise(siren, 0);
+
+ const isNotServicePublic = !isServicePublic(uniteLegale);
+ // TODO filter base on uniteLegal if it's not a service public for sure
+ const couldBeServicePublic = true;
+
+ if (isNotServicePublic) {
+ if (couldBeServicePublic) {
+ return res.redirect('/connexion/habilitation-requise');
+ } else {
+ return res.redirect('/connexion/echec-autorisation-requise');
+ }
+ }
+ }
 const session = req.session;
 await setAgentSession(agent, session);
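Review bot: The `res.redirect('/connexion/echec-autorisation-requise')` in the else branch is unreachable because `couldBeServicePublic` is the literal `true`, and the path matches no page in this commit — the second file renames `echec-authorisation-requise.tsx` to `echec-authorisation-refuse.tsx`, so once the TODO is resolved this branch would land on a missing route (note also the `autorisation`/`authorisation` spelling difference). Until the filtering rule exists, either drop the dead branch or point it at the renamed page, `return res.redirect('/connexion/echec-authorisation-refuse');`, keeping the TODO beside the placeholder constant. The ordering is right in that `setAgentSession` is only reached after the redirect guards, so a non-whitelisted agent outside a service-public unité légale never gets a session; that intent deserves a one-line comment such as `// Fail closed: no agent session unless the scope is whitelisted or the unité légale is a service public.`. If `agent.siret` can be empty or undefined for some identity providers, `extractSirenFromSiret` would feed a malformed siren to the Recherche Entreprise lookup — worth confirming what `getAgent` guarantees. callbackRoute's body continues outside the hunk.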
diff --git a/pages/connexion/echec-authorisation-requise.tsx b/pages/connexion/echec-authorisation-refuse.tsx similarity index 100% rename from pages/connexion/echec-authorisation-requise.tsx rename to pages/connexion/echec-authorisation-refuse.tsx index d1832c0b8..bd69b4440 100644 --- a/pages/connexion/echec-authorisation-requise.tsx +++ b/pages/connexion/echec-authorisation-refuse.tsx @@ -1,9 +1,9 @@ -import { ReactElement } from 'react'; import connexionRefusedPicture from '#components-ui/illustrations/connexion-refused'; import { LayoutConnexion } from '#components/layouts/layout-connexion'; import Meta from '#components/meta/meta-client'; import constants from '#models/constants'; import { NextPageWithLayout } from 'pages/_app'; +import { ReactElement } from 'react'; const ConnexionFailure: NextPageWithLayout = () => ( <> diff --git a/pages/connexion/habilitation-requise.tsx b/pages/connexion/habilitation-requise.tsx new file mode 100644 index 000000000..c49d41d00 --- /dev/null +++ b/pages/connexion/habilitation-requise.tsx @@ -0,0 +1,38 @@ +import connexionRefusedPicture from '#components-ui/illustrations/connexion-refused'; +import { LayoutConnexion } from '#components/layouts/layout-connexion'; +import Meta from '#components/meta/meta-client'; +import { NextPageWithLayout } from 'pages/_app'; +import { ReactElement } from 'react'; + +const ConnexionFailure: NextPageWithLayout = () => ( + <> + +

Vous n’êtes pas autorisé(e) à accéder à cette partie du site

+

+ Votre compte ProConnect doit être habilité pour être utilisé sur ce site. +

+

+ Vous souhaitez obtenir l‘habilitation :{' '} + + remplissez ce formulaire + + . +

+ ← Retourner au moteur de recherche + +); + +ConnexionFailure.getLayout = function getLayout(page: ReactElement) { + return ( + {page} + ); +}; + +export default ConnexionFailure;