feat(user): basculer l'authentification vers ProConnect (#731)

## Description

🎸 Inclusion Connect est remplacé par Pro Connect
(https://moncomptepro.beta.gouv.fr/) en tant que fournisseur d'identité
🎸 La migration des comptes est réalisée au fil de l'eau, lors de chaque
première connection d'un utilisateur précédemment inscrit via Inclusion
Connect.

## Type de changement

🚧 technique

### Points d'attention

🦺 renommage de l'app django
🦺 mise à jour des urls
🦺 ajout du paramètre `"acr_values": "eidas1"` lors de l'appel au
end-point `authorize`
🦺 remplacement de `family_name` par `usual_name` lors de l'appel au
end-point `user-info`
🦺 decoder `user_data` à l'aide de la lib `PyJWT`

.env.template

@@ -17,10 +17,10 @@ SIB_API_KEY=__key_to_be_set__
 # for Sentry
 #SENTRY_DSN=__url_to_be_set__
 
-# for Inclusion Connect
-INCLUSION_CONNECT_BASE_URL=http://127.0.0.1:8080
-INCLUSION_CONNECT_CLIENT_ID=local_inclusion_connect
-INCLUSION_CONNECT_CLIENT_SECRET=password
+# for Pro Connect
+OPENID_CONNECT_BASE_URL=http://127.0.0.1:8080
+OPENID_CONNECT_CLIENT_ID=local_openid_connect
+OPENID_CONNECT_CLIENT_SECRET=password
 
 # parking page
 PARKING_PAGE=True

README.md

@@ -146,10 +146,10 @@ Créer les variables d'environnement suivantes dans le configuration provider
 - DJANGO_DEBUG
 - DJANGO_SECRET_KEY
 - DJANGO_SETTINGS_MODULE
-- INCLUSION_CONNECT_BASE_URL
-- INCLUSION_CONNECT_CLIENT_ID
-- INCLUSION_CONNECT_CLIENT_SECRET
-- INCLUSION_CONNECT_REALM
+- OPENID_CONNECT_BASE_URL
+- OPENID_CONNECT_CLIENT_ID
+- OPENID_CONNECT_CLIENT_SECRET
+- OPENID_CONNECT_REALM
 - PORT
 - PYTHONPATH
 - SENTRY_DSN

config/settings/base.py

@@ -77,7 +77,7 @@
     "lacommunaute.forum_moderation",
     "lacommunaute.notification",
     "lacommunaute.event",
-    "lacommunaute.inclusion_connect",
+    "lacommunaute.openid_connect",
     "lacommunaute.pages",
     "lacommunaute.forum_file",
     "lacommunaute.search",
@@ -113,7 +113,7 @@
 MIDDLEWARE = DJANGO_MIDDLEWARE + THIRD_PARTIES_MIDDLEWARE + LOCAL_MIDDLEWARE
 
 ROOT_URLCONF = "config.urls"
-LOGIN_URL = "/inclusion_connect/authorize"
+LOGIN_URL = "/pro_connect/authorize"
 LOGIN_REDIRECT_URL = "/"
 LOGOUT_REDIRECT_URL = "/"
 
@@ -297,9 +297,9 @@
 
 # Inclusion Connect
 # ------------------------------------------------------------------------------
-INCLUSION_CONNECT_BASE_URL = os.getenv("INCLUSION_CONNECT_BASE_URL")
-INCLUSION_CONNECT_CLIENT_ID = os.getenv("INCLUSION_CONNECT_CLIENT_ID")
-INCLUSION_CONNECT_CLIENT_SECRET = os.getenv("INCLUSION_CONNECT_CLIENT_SECRET")
+OPENID_CONNECT_BASE_URL = os.getenv("OPENID_CONNECT_BASE_URL")
+OPENID_CONNECT_CLIENT_ID = os.getenv("OPENID_CONNECT_CLIENT_ID")
+OPENID_CONNECT_CLIENT_SECRET = os.getenv("OPENID_CONNECT_CLIENT_SECRET")
 
 # LOGGING
 # ------------------------------------------------------------------------------

config/urls.py

@@ -12,7 +12,7 @@
 from lacommunaute.forum_member import urls as forum_member_urls
 from lacommunaute.forum_moderation import urls as forum_moderation_urls
 from lacommunaute.forum_upvote import urls as forum_upvote_urls
-from lacommunaute.inclusion_connect import urls as inclusion_connect_urls
+from lacommunaute.openid_connect import urls as openid_connect_urls
 from lacommunaute.pages import urls as pages_urls
 from lacommunaute.partner import urls as partner_urls
 from lacommunaute.search import urls as search_urls
@@ -26,8 +26,8 @@
 
 urlpatterns = [
     path("admin/", admin.site.urls),
-    # Inclusion Connect URLs.
-    path("inclusion_connect/", include(inclusion_connect_urls)),
+    # Pro Connect URLs.
+    path("pro_connect/", include(openid_connect_urls)),
     # www.
     path("", include(pages_urls)),
     path("members/", include(forum_member_urls)),

lacommunaute/event/tests/tests_views.py

@@ -75,7 +75,7 @@ def setUpTestData(cls):
     def test_login_is_required(self):
         response = self.client.get(self.url)
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("inclusion_connect:authorize") + "?next=" + self.url)
+        self.assertEqual(response.url, reverse("openid_connect:authorize") + "?next=" + self.url)
 
     def test_event_is_created(self):
         self.client.force_login(self.user)
@@ -191,7 +191,7 @@ def setUpTestData(cls):
     def test_login_is_required(self):
         response = self.client.get(self.url)
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("inclusion_connect:authorize") + "?next=" + self.url)
+        self.assertEqual(response.url, reverse("openid_connect:authorize") + "?next=" + self.url)
 
         self.client.force_login(self.user)
         response = self.client.get(self.url)

lacommunaute/forum/tests/__snapshots__/tests_views.ambr

@@ -321,7 +321,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-10000%2F%2310000" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-10000%2F%2310000" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>0</span>
               </a>
 
@@ -480,7 +480,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>0</span>
               </a>
 
@@ -493,7 +493,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>0</span>
               </a>
 
@@ -522,7 +522,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>1</span>
               </a>
 
@@ -535,7 +535,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>1</span>
               </a>
 
@@ -564,7 +564,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>2</span>
               </a>
 
@@ -577,7 +577,7 @@
   <div class="d-inline-block" id="upvotesarea10000">
 
 
-              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/inclusion_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
+              <a class="btn btn-sm btn-ico btn-link btn-secondary px-2" data-bs-placement="top" data-bs-toggle="tooltip" href="/pro_connect/authorize?next=%2Fforum%2Ftest-forum-forum-[PK of Forum]%2F%23[PK of Forum]" rel="nofollow" title="Connectez-vous pour sauvegarder">
                   <i aria-hidden="true" class="ri-bookmark-line me-1"></i><span>2</span>
               </a>
 

lacommunaute/openid_connect/constants.py

@@ -0,0 +1,26 @@
+import datetime
+
+from django.conf import settings
+
+
+OPENID_CONNECT_SCOPES = "openid email given_name usual_name"
+
+OPENID_CONNECT_CLIENT_ID = settings.OPENID_CONNECT_CLIENT_ID
+OPENID_CONNECT_CLIENT_SECRET = settings.OPENID_CONNECT_CLIENT_SECRET
+
+OPENID_CONNECT_ENDPOINT = "{base_url}".format(
+    base_url=settings.OPENID_CONNECT_BASE_URL,
+)
+OPENID_CONNECT_ENDPOINT_AUTHORIZE = f"{OPENID_CONNECT_ENDPOINT}/authorize"
+OPENID_CONNECT_ENDPOINT_REGISTRATIONS = f"{OPENID_CONNECT_ENDPOINT}/register"
+OPENID_CONNECT_ENDPOINT_TOKEN = f"{OPENID_CONNECT_ENDPOINT}/token"
+OPENID_CONNECT_ENDPOINT_USERINFO = f"{OPENID_CONNECT_ENDPOINT}/userinfo"
+OPENID_CONNECT_ENDPOINT_LOGOUT = f"{OPENID_CONNECT_ENDPOINT}/session/end"
+
+# These expiration times have been chosen arbitrarily.
+OPENID_CONNECT_TIMEOUT = 60
+
+OPENID_CONNECT_SESSION_KEY = "pro_connect"
+
+# This expiration time has been chosen arbitrarily.
+OIDC_STATE_EXPIRATION = datetime.timedelta(hours=1)

lacommunaute/openid_connect/migrations/0001_initial.py

@@ -0,0 +1,20 @@
+# Generated by Django 5.0.7 on 2024-07-31 13:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    initial = True
+
+    dependencies = []
+
+    operations = [
+        migrations.CreateModel(
+            name="OpenID_State",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("csrf", models.CharField(max_length=12, unique=True)),
+            ],
+        ),
+    ]