-
Notifications
You must be signed in to change notification settings - Fork 11
GOV.UK Signon Integration
The GOV.UK Sign-on application an OAuth2 based single sign on for the GOV.UK publishing service.
- We would like to avoid creating our own authentication system if possible
- GOV.UK Sign-on is likely used by our target users already (e.g. people who publish content on GOV.UK)
- etc
- How do we onboard a new service with GOV.UK Sign-on
- How easy is it to onboard new users to GOV.UK sign-on
- How easy is it to onboard existing users to our service on GOV.UK Sign-on
- How can we interact with our Forms API using the authenticated user
- Created a new management interface prototype
- Created a new application on GOV.UK Sign-on's integration environment
- Used credentials from Sign-on with the
gds-ssogem to integrate with sign-on - Used the logged in user to create a JWT token to interact with our API
Following this, management interface prototype can now use signon to authenticate users, and we can subsequently interact with our forms api prototype using those users. This allows for listing forms that are created, as well as any future interaction with the API, storing the users identifier (in this case, the email address) in the payload of the JWT token to be used elsewhere.
This token can also be passed to the XGov Designer following some updates, meaning we can link straight to the designer for updating each form.
-
How do we onboard a new service with GOV.UK Sign-on?
- We first need the Sign-on team to add our service to the list of services available on sign-on, providing them with the details required
- Once the application is created, we can get the OAuth ClientID/Secret from the publishing team and use that for the OAuth flow
- With
gds-ssothis is done by setting environment variables
- With
-
How easy is it to onboard new users to GOV.UK sign-on
- New users require a GOV.UK Sign-on account to be created, this can only be done by ?>. After which they receive an invite to the publishing platform to create an account, and can then be added by admins to the application
-
How easy is it to onboard existing users to our service on GOV.UK Sign-on
- A signon admin must add the user to the application
-
How can we interact with our Forms API using the authenticated user
- The
gds-ssogem createsUseraccounts for us automatically, extracting the fields that are returned and storing them in the database for each new user. - This allows us to get the logged in user in controllers, and see things such as their permissions which are added via signon
- Using these permissions we can add roles for different users further down the line
- The
For at least private beta, GOV.UK Sign on may be a viable option. However there's some longer term things to consider:
- User management
- Creating users has to be done on the sign on service, rather than on our own. As such users would not be able to self-service create accounts, and would need us to manage it for them.
- Deleting accounts (and revoking access) at the moment would require being done in sign on
- Managing users permissions (the ones that come from Sign on) would also create an admin overhead for our team/the sign on team
- How could we create our own user management layer on top of sign on to mitigate some of the concerns
- E.g. PaaS style teams, where users of our service can add/remove users to their "team" automatically even if the account is still active on sign on
Go back Home