Authentication & authorization
================================

Authentication
--------------

We use OIDC (the French government OIDC called "Cerbère") to authenticate users.

* frontend: An Authorization Code Flow With Proof Key of Code Exchange (PKCE) is used in our frontend SPA to gather the `access_token`
* backend: Our backend is a seen as a Resource Server, the `access_token` is verified within an API security filter.

Authorization
-------------

We store users authorization is a custom `user_authorizations` table : the hashed email (SHA256) of the JWT email is used to authorize users.