France Overview - RUB-NDS/FutureTrust GitHub Wiki

France specified a system for identification and authentication known as “France Connect”^[1]. The development of France Connect started in 2014, and in 2015 the first test application was released. France Connect relies on the OpenID Connect protocol for the user authentication.

In the following section, we describe how the protocol works.

In France Connect three different entities are introduced:

• The Service Provider (SP) – provides some resources requiring eID authentication. In France Connect the SP is called FS.
• The Identity Provider (IdP) – manages the identities of multiple users, processes incoming authentication requests, and issues authentication tokens for authenticated users. In France Connect the IdP is called FC.
• The user – starts the authentication at the SP by navigating his browser and authenticates at the IdP.

An abstract overview of the protocol flow in France Connect is depicted in the Figure 1 and described further.

1. In the first step of the protocol the user navigates his browser to the SP and starts the authentication by clicking on the button “France Connect”.
2. The SP generates an authentication request and redirects the user to the IdP.
3. In step 3, the user calls the IdP and sends the authentication request.
4. In case that the user is already authenticated at the IdP, a code is generated. The code is an opaque string referencing to the authentication token. The code is sent back to the user via an HTTP redirect.
5. In step 5, the user calls the SP and sends the received code.
6. In step 6, the SP receives the code and redeems it at the IdP.
7. In step 7, the SP receives as an answer the ID token of the user and verifies it.
8. In step 8, the SP can request more data regarding the authenticated user by calling the User Info endpoint at the IdP.
9. The IdP responds with the data in step 9.
10. The next steps, depicted in the Figure 1, address the logout of the user at the SP and thus will not be explained further.

The authentication flow strictly follows the OpenID Connect specification by using the code flow (Section 3.1) ((OIDF), OpenID Connect Core 1.0, 2014)^[2]. Interestingly, France Connect does not specify the usage of additional security mechanisms like PKCE^[3].

Figure 1: France Connect protocol flow^[4]

1. ^ FranceConnect. (2017). Mon projet FranceConnect. Mon projet FranceConnect. Retrieved from https://franceconnect.gouv.fr/fournisseur-service
2. ^ (OIDF), T. O. (2 2014). OpenID Connect Core 1.0. Retrieved from http://openid.net/specs/openid-connect-core-1_0.htmln
3. ^ Sakimura, N., Bradley, J., & Agarwal, N. (2015). Proof Key for Code Exchange by OAuth Public Clients. Proof Key for Code Exchange by OAuth Public Clients. Retrieved from https://tools.ietf.org/html/rfc7636
4. ^ https://franceconnect.gouv.fr/fournisseur-service