GOV.UK Signon Integration

James Sheppard edited this page Feb 18, 2022 · 6 revisions

The GOV.UK Signon application is an OAuth2-based single sign-on for the GOV.UK publishing service.

[Draft] Context

  • We would like to avoid creating our own authentication system if possible
  • GOV.UK Signon is likely used by our target users already (e.g. people who publish content on GOV.UK)
  • etc

04/02/2022 Spike - Integration with Rails/XGov designer

Questions to answer

  • How do we onboard a new service with GOV.UK Signon
  • How easy is it to onboard new users to GOV.UK Signon
  • How easy is it to onboard existing users to our service on GOV.UK Signon
  • How can we interact with our Forms API using the authenticated user

Work done

  • Created a new management interface prototype
  • Created a new application on GOV.UK Signon's integration environment
  • Used credentials from GOV.UK Signon with the gds-sso gem to integrate with GOV.UK Signon
  • Used the logged in user to create a JWT token to interact with our API

Following this, the management interface prototype can now use GOV.UK Signon to authenticate users, and we can subsequently interact with our Forms API prototype as those users. This allows for listing the forms that have been created, as well as any future interaction with the API, by storing the user's identifier (in this case, the email address) in the payload of the JWT token so it can be used elsewhere.

This token can also be passed to the XGov Designer following some updates, meaning we can link straight to the designer for updating each form.

Answers

  • How do we onboard a new service with GOV.UK Signon?
    • We first need the GOV.UK Signon team to add our service to the list of services available on GOV.UK Signon, providing them with the details required
    • Once the application is created, we can get the OAuth ClientID/Secret from the publishing team and use that for the OAuth flow
      • With gds-sso this is done by setting environment variables
  • How easy is it to onboard new users to GOV.UK Signon?
    • New users require a GOV.UK Signon user to be created. This can only be done by a GOV.UK Signon admin, who also sets the GOV.UK Forms application permission. The user will then receive an invite from the GOV.UK Publishing Platform to set their GOV.UK Signon password
  • How easy is it to onboard existing users to our service on GOV.UK Signon?
    • A GOV.UK Signon admin must give the user the GOV.UK Forms application permission
  • How can we interact with our Forms API using the authenticated user?
    • The gds-sso gem creates User accounts for us automatically, extracting the fields that are returned and storing them in the database for each new user.
    • This allows us to get the logged in user in controllers, and see things such as their permissions which are added via GOV.UK Signon
    • Using these permissions we can add roles for different users further down the line
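The two pieces the spike relies on are (a) the permissions that gds-sso copies from the Signon response onto the local User record and (b) a JWT carrying the user's email that the management interface presents to the Forms API. The block below is an added illustration, not code from this repository or from the gds-sso gem: it uses a constructed stand-in for the User model, implements HS256 signing and verification with the Ruby standard library rather than the `jwt` gem, and treats the permission names (`signin`, `admin`) and the shared secret as assumptions. Verification refuses tokens whose header does not say HS256, whose signature does not match, or whose `exp` has passed, so the API never trusts an unsigned or stale assertion of who the user is.

```ruby
require "openssl"
require "json"

# Constructed stand-in for the User record gds-sso creates from the Signon
# response. The real model is ActiveRecord-backed; only these two fields and
# the has_permission? predicate matter for this example.
SignonUser = Struct.new(:email, :permissions) do
  def has_permission?(name)
    permissions.include?(name)
  end
end

# Assumed permission names for the GOV.UK Forms application in Signon.
SIGNIN_PERMISSION = "signin".freeze
ADMIN_PERMISSION  = "admin".freeze

# Map Signon permissions onto application roles (the "roles further down
# the line" idea from the spike). Order matters: admin implies editor access.
def role_for(user)
  return :admin  if user.has_permission?(ADMIN_PERMISSION)
  return :editor if user.has_permission?(SIGNIN_PERMISSION)
  :none
end

# base64url without padding, as RFC 7515 requires for JWT segments.
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + "=" * ((4 - str.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0") # strict decode; raises ArgumentError on junk
end

# Byte-for-byte comparison that does not short-circuit on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a short-lived HS256 JWT for an authenticated Signon user. The subject
# is the email address, mirroring what the spike stored in the payload.
def issue_token(user, secret:, now: Time.now.to_i, ttl: 900)
  raise "user lacks the #{SIGNIN_PERMISSION} permission" unless user.has_permission?(SIGNIN_PERMISSION)

  header  = { alg: "HS256", typ: "JWT" }
  payload = { sub: user.email, permissions: user.permissions, iat: now, exp: now + ttl }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Verify a token on the API side. Returns the payload hash, or nil if the
# token is malformed, uses a different algorithm, is not signed with our
# secret, or has expired.
def verify_token(token, secret:, now: Time.now.to_i)
  parts = token.split(".")
  return nil unless parts.length == 3
  h64, p64, s64 = parts

  header = JSON.parse(b64url_decode(h64))
  return nil unless header["alg"] == "HS256" # pin the algorithm; never trust "none"

  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{h64}.#{p64}")
  return nil unless secure_equal?(expected, b64url_decode(s64))

  payload = JSON.parse(b64url_decode(p64))
  return nil unless payload["exp"].is_a?(Integer) && now < payload["exp"]
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-shared-secret" # in practice an environment variable, never committed
  user = SignonUser.new("editor@example.gov.uk", [SIGNIN_PERMISSION])
  token = issue_token(user, secret: secret)
  puts "role: #{role_for(user)}"
  puts "verified subject: #{verify_token(token, secret: secret)["sub"]}"
end
```

The API only learns the user's email and permissions from the verified payload, so the management interface (which holds the Signon session) is the single place that decides whether a token is minted at all. A user whose Signon permissions were removed stops being able to obtain a new token as soon as gds-sso refreshes their record, and any token already issued lapses at `exp`.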

Summary of findings

For at least private beta, GOV.UK Signon may be a viable option. However, there are some longer-term things to consider:

  • User management
    • Creating users has to be done on the GOV.UK Signon service rather than on our own. As such, users would not be able to self-service account creation and would need us to manage it for them.
    • Deleting accounts (and revoking access) currently has to be done in GOV.UK Signon
    • Managing users' permissions (the ones that come from Signon) would also create an admin overhead for our team and the GOV.UK Signon team

Further questions

  • How could we create our own user management layer on top of GOV.UK Signon to mitigate some of these concerns?
    • E.g. PaaS-style teams, where users of our service can add/remove users from their "team" automatically, even if the account is still active on GOV.UK Signon