Integration with FranceConnect Particuliers (FCP) #404

Open
bobeal opened this issue Sep 18, 2017 · 9 comments

Comments

@bobeal (Member)

bobeal commented Sep 18, 2017

New features to integrate in the profile page:

  • Associate an FCP identity (if none yet)
  • Remove an FCP identity association (if one exists)
  • Synchronize an Ozwillo profile with an FCP identity (if one exists)
    • With field level selection of data to synchronize
  • Hiding of "Password change" link
  • Change an email address if account has no associated password
  • Set a password for FCP accounts that do not have one
@bobeal bobeal added this to the 1.49.0 milestone Sep 18, 2017
@tbroyer

tbroyer commented Sep 18, 2017

Note: the email address is verified on FCP side, and will be part of the identity (https://partenaires.franceconnect.gouv.fr/monprojet/decouverte/), so should Ozwillo just use it? In this case, we could cross out "change an email address if account has no associated password"…

@bobeal bobeal assigned Nicoletti-Seb and unassigned flaussinot Nov 9, 2017
@tbroyer

tbroyer commented Nov 20, 2017

The /d/user/{user_id} Kernel endpoint will return a new authentication_methods property with possible values pwd and franceconnect. Either one or both values can be present to tell whether the account has a password and/or is linked to a FCP identity.

To link the account with FCP and/or synchronize the profile info, the user's browser must make an HTTP POST request to the /a/franceconnect/login Kernel endpoint with application/x-www-form-urlencoded payload containing a continue key whose value is the URI to redirect to after successful authentication (possibly transparent) to FCP. The user will only be redirected to the continue URL if the authentication and/or linking succeeds.
The continue URL will have to make a call (HTTP GET or POST) to the /a/franceconnect/userinfo Kernel endpoint to retrieve the FCP identity (this reverse-proxies the request to the FCP UserInfo endpoint, with the appropriate FCP access token). In case of error (could signal an expired FCP access token), the Portal should start the "FCP dance" again (HTTP POST to /a/franceconnect/login; probably user-driven from an error page, e.g. "there was an error, try again", with a button submitting the form to the Kernel). Due to FCP limitations, the Portal should probably cache the result somehow to survive page reloads and prevent those error conditions (but then clear the cache when starting the "FCP dance" to retrieve fresh information).

To remove the FCP identity association, a simple link to /a/franceconnect/unlink on the Kernel will be enough. The Kernel will display a confirmation page and handle everything. Upon "unlinking", the Kernel will redirect to the Portal's "my profile" page, so there's no need for a "continue URL".

To set a password, the same /a/password Kernel page will be used as for changing an existing password; the page will adapt depending on whether the account already has a password or not.
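The Portal-side pieces of the flow tbroyer lays out above, written here as an added JavaScript example (browser code for the profile page and the continue page; it is not Ozwillo Portal or Kernel code). The Kernel paths (/d/user/{user_id} with its authentication_methods property, /a/franceconnect/login with the continue form field, /a/franceconnect/userinfo) are the ones named in the comment; the Kernel host, the cache key, the function names, the injected storage and fetch objects and the sample identity are assumptions made for illustration. It goes slightly beyond the comment by also covering the field-level selection mentioned in the issue description.

```javascript
// Added example, not Ozwillo code. Kernel paths are from the comment above;
// KERNEL_BASE, CACHE_KEY and all function names are assumptions.
const KERNEL_BASE = "https://kernel.example.org"; // assumption
const CACHE_KEY = "fcp.userinfo";                  // assumption

// Interpret `authentication_methods` from /d/user/{user_id}: "pwd" and/or
// "franceconnect". Drives what the profile page offers.
function profileActions(user) {
  const methods = new Set(user.authentication_methods || []);
  const hasPassword = methods.has("pwd");
  const linked = methods.has("franceconnect");
  return {
    hasPassword,
    linked,
    // No password: hide "Password change", offer /a/password to *set* one.
    passwordAction: hasPassword ? "change" : "set",
    fcpAction: linked ? "unlink" : "link",
    canSync: linked,
  };
}

// Escape attribute values so a crafted `continue` cannot break out of the
// hidden input.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The one request the Portal makes: a form POST from the user's browser to
// /a/franceconnect/login (default enctype is application/x-www-form-urlencoded)
// carrying `continue`, the URL the Kernel redirects to after success.
function loginFormHtml(continueUrl, label) {
  return `<form method="post" action="${KERNEL_BASE}/a/franceconnect/login">` +
    `<input type="hidden" name="continue" value="${escapeAttr(continueUrl)}">` +
    `<button type="submit">${escapeAttr(label)}</button></form>`;
}

// Clear the cached identity before starting the "FCP dance" again, so the
// continue page fetches fresh data.
function clearCachedUserInfo(storage) {
  storage.removeItem(CACHE_KEY);
}

// Interpret one answer from /a/franceconnect/userinfo (the Kernel proxies the
// FCP UserInfo endpoint). A non-2xx status, e.g. an expired FCP access token,
// means "show an error page whose button re-submits the login form".
function handleUserInfoResponse(status, bodyText, storage) {
  if (status < 200 || status >= 300) {
    return { ok: false, retry: true, status };
  }
  let identity;
  try {
    identity = JSON.parse(bodyText);
  } catch (e) {
    return { ok: false, retry: true, status, reason: "invalid JSON" };
  }
  storage.setItem(CACHE_KEY, bodyText); // survives page reloads
  return { ok: true, identity, fromCache: false };
}

// Identity for the continue page: cached copy first, otherwise one call to
// the Kernel. `fetchImpl` and `storage` are injected (window.fetch and
// window.sessionStorage in a browser) so the logic is testable offline.
async function loadUserInfo(storage, fetchImpl) {
  const cached = storage.getItem(CACHE_KEY);
  if (cached !== null) {
    return { ok: true, identity: JSON.parse(cached), fromCache: true };
  }
  const res = await fetchImpl(`${KERNEL_BASE}/a/franceconnect/userinfo`, {
    method: "GET",
    credentials: "include", // Kernel session cookie
    headers: { Accept: "application/json" },
  });
  return handleUserInfoResponse(res.status, await res.text(), storage);
}

// Field-level selection: copy only the fields the user ticked, and only when
// FCP actually provides them. Untouched fields keep the Ozwillo value.
function mergeProfile(ozwilloProfile, fcpIdentity, selectedFields) {
  const merged = Object.assign({}, ozwilloProfile);
  for (const field of selectedFields) {
    if (fcpIdentity[field] !== undefined) merged[field] = fcpIdentity[field];
  }
  return merged;
}
```

The error-page button is just `loginFormHtml(...)` rendered again after `clearCachedUserInfo(sessionStorage)`, which is exactly the "try again" path described above; the cache is the only thing keeping a plain reload of the continue page from hitting /a/franceconnect/userinfo a second time.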

@Nicoletti-Seb (Contributor)

To synchronize the profile info with FranceConnect, @tbroyer, you say in your previous comment to make an HTTP POST request to /a/franceconnect/login, but I found in the kernel an endpoint at /a/franceconnect/link. So, to link an account to FranceConnect, I am not sure about the URL and parameters to use. Do you need these parameters (FranceConnect Particulier) in the request and a continue parameter to do a redirection?

@tbroyer

tbroyer commented Nov 23, 2017

/a/franceconnect/link is an "internal" endpoint used in some cases after coming back from FranceConnect. The one the Portal needs to POST to is /a/franceconnect/login (that's actually the only one in the Kernel that accepts form POST requests from the Portal: @StrictReferer(allowPortal=true); for reference, @StrictReferer triggers a check on Origin or Referer request headers to prevent CSRF, and for /a/franceconnect/login we make an exception for the Portal).
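To make the CSRF protection tbroyer mentions concrete, here is an added example (JavaScript, not the Kernel's Java code) of an Origin/Referer check in the spirit of @StrictReferer with an allowPortal exception. The annotation, its flag and the behaviour described (check the Origin or Referer request header, accept the Portal only where explicitly allowed) come from the comment; the Kernel and Portal origins, the function shape and the sample headers are assumptions.

```javascript
// Added example in the spirit of @StrictReferer; not the Kernel's code.
// Origins are assumptions.
const KERNEL_ORIGIN = "https://kernel.example.org"; // assumption
const PORTAL_ORIGIN = "https://portal.example.org"; // assumption

// Reduce a URL or an Origin header value to scheme://host[:port].
// Anything that does not parse, including the literal "null" that browsers
// send for opaque origins, yields null and is rejected by the caller.
function originOf(value) {
  if (!value) return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a state-changing request may proceed.
// `headers` is a plain object with lower-case header names;
// `opts.allowPortal` mirrors @StrictReferer(allowPortal=true).
function strictReferer(headers, opts = {}) {
  const allowed = new Set([KERNEL_ORIGIN]);
  if (opts.allowPortal) allowed.add(PORTAL_ORIGIN);

  // Browsers send Origin on POSTs and cross-origin requests; prefer it and
  // fall back to Referer. Fail closed when neither is usable: a forged
  // cross-site form cannot remove or spoof these headers, so absence is
  // treated as untrusted rather than as "probably fine".
  const candidate = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const origin = originOf(candidate);
  if (origin === null) {
    return { allowed: false, reason: "missing or unparsable Origin/Referer" };
  }
  if (!allowed.has(origin)) {
    return { allowed: false, reason: `origin ${origin} not allowed` };
  }
  return { allowed: true, origin };
}
```

The comparison is on the full origin, so a look-alike host (kernel.example.org.evil.net) or a plain-http variant of the Kernel origin is rejected, and only endpoints annotated with allowPortal accept the Portal's origin.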

@bobeal (Member, Author)

bobeal commented Dec 10, 2017

  • Rename "France Connect" to "FranceConnect Particuliers"
  • Use the word "Lier" (link) (resp. "Supprimer la liaison" (remove the link)) instead of "Synchroniser" (synchronize) (resp. "Désynchroniser" (desynchronize))?
  • Center the "Désynchroniser ..." button (as for the "Synchroniser ..." one)
  • Display an error message when the profile sync with FCP is not possible

@tbroyer

tbroyer commented Dec 11, 2017

Rename "France Connect" to "FranceConnect Particuliers"

I would disagree with this one. Only the developer documentation ever calls it that way; everywhere else, and for everyone, it's just FranceConnect. When FranceConnect Agent will be a thing, then I believe there will be "FranceConnect" and "FranceConnect Agent" (and for now, FranceConnect Entreprise looks as if it's anecdotal, and the two websites I know of that use it just call it “FranceConnect” too).

Your call though.

@bobeal (Member, Author)

bobeal commented Dec 11, 2017

OK, you win, let's go for FranceConnect :)

@bobeal (Member, Author)

bobeal commented Jan 9, 2018

From the profile page:

  • There are still centering problems with the FranceConnect buttons (see screenshot)

From the profile synchronization page:

  • If I choose my birth date from FCP, there is a serialization error:
      error: "Bad Request"
      exception: "org.springframework.http.converter.HttpMessageNotReadableException"
      message: "Could not read document: Can not deserialize value of type java.time.LocalDate from String "1981,6,23": Text '1981,6,23' could not be parsed at index 4
        at [Source: java.io.PushbackInputStream@28b29955; line: 1, column: 526] (through reference chain: org.oasis_eu.portal.model.kernel.UserProfile["birthdate"]); nested exception is com.fasterxml.jackson.databind.exc.InvalidFormatException: Can not deserialize value of type java.time.LocalDate from String "1981,6,23": Text '1981,6,23' could not be parsed at index 4
        at [Source: java.io.PushbackInputStream@28b29955; line: 1, column: 526] (through reference chain: org.oasis_eu.portal.model.kernel.UserProfile["birthdate"])"
      path: "/my/api/profile"
      status: 400
      timestamp: 1515487932851
  • Even if I don't choose my birth date from FCP, there is an error (Could not read document: Can not deserialize value of type java.time.LocalDate from String "on")
  • If a piece of data is not present in my Ozwillo profile, it should not be displayed; instead it should only ask whether I want to synchronize it (via a checkbox)
  • It lacks an explanation of what is going on on this page and how it works

[screenshot from 2018-01-08 11-10-15]

@bobeal (Member, Author)

bobeal commented Jan 11, 2018

  • "The field Gender was not inform in your account. Do you want to update field Gender with value from FranceConnect ?" to be rewritten as "The Gender field is not filled in your Ozwillo account. Do you want to initialize it with the value provided by FranceConnect ?"

@bobeal bobeal modified the milestones: 1.49.0, 1.50.0 May 7, 2018
bobeal added a commit that referenced this issue Jun 15, 2018
- firstname, lastname, other firstnames and birth dates are read only when an account is linked to FCP
- UX improvement for "desynchronize when not yet a pwd" use case
@bobeal bobeal removed this from the 1.50.0 milestone Aug 6, 2018