Authentication & authorization
Authentication
We use OIDC (the French government OIDC called “Cerbère”) to authenticate users.
frontend: An Authorization Code Flow With Proof Key of Code Exchange (PKCE) is used in our frontend SPA to gather the access_token
backend: Our backend is a seen as a Resource Server, the access_token is verified within an API security filter.
Authorization
We store users authorization is a custom user_authorizations table : the hashed email (SHA256) of the JWT email is used to authorize users.