Module: Trusted ids
Is your feature request related to a problem? Please describe.
Decidim does not have an irrefutable identification system per se. This system aims to allow users to be authenticated with a fully secure (OAuth) system that respects the GDPR. For this reason, it must be integrated with public entity services (such as validated electronic identities). This module provides such a provider-agnostic system. Currently, it is a legal necessity for public governmental bodies in Catalonia, where the IDCAT system is already integrated with ViaOberta.
Describe the solution you'd like
The main goal is to provide an opinionated, easy-to-use and secure authentication method for Decidim based on strong authentication systems: that is, OAuth authentication systems that provide a unique identifier for each user, preferably from official entities. Each user logged in through this system will be verified automatically using the integrated verification method this plugin provides, and the unique identifier will be saved as metadata.
Later on, this metadata will be used to connect to an additional, configurable API to retrieve more information about the user. This information will be used to verify the user's identity with more granularity (for instance, to restrict user actions based on certain user properties, such as which census they belong to).
This solution is implemented here: https://github.com/ConsorciAOC-PRJ/decidim-module-trusted-ids. The readme has a full explanation of this module.
Describe alternatives you've considered
Free to consider!
Additional context
The current use case: any governmental institution in Catalonia can use it. The aim, however, is to have more international public institutions using this system. We explain the current case:
One of the goals of this module is to decouple the authentication method from IdCat Mòbil and pursue a more agnostic approach with a registry of providers. It also implements additional user options for extended verification methods using Via Oberta (or other providers), with improved user control over personal data management.
First stage:
An OAuth 2.0 authentication (login and register) method that is configurable. At the moment the default provider is "valid", a built-in identity validator from the AOC consortium. However, it is possible to add other (external) providers, not necessarily available in this plugin. PRs are welcome to add OAuth registration/login to this plugin itself if they come from official sources. See the CONTRIBUTING file for more information.
Automatic creation of the first authorization with OAuth metadata. This authorization will be used to verify the user's identity in the second stage. It saves some data from the OAuth provider, such as the unique identifier, the provider name, the expiration date of the authorization, or others. The saved data is configurable in this plugin. This data should be what is needed to authenticate the users against an external census API provider in the second stage, without their intervention.
Second stage:
A second authorization ("Census authorization") can be issued to verify the user's identity. This authorization will be used to connect to an external API to retrieve more information about the user (mainly whether they belong to a particular census). This authorization is optional and configurable in this plugin. It can be disabled if not needed.
The default census authorization uses Via Oberta but others can be used instead (either internal or external). If you want to incorporate a new provider see the CONTRIBUTING file for more information.
Once the user has obtained the census authorization, you can use it to ensure that the user belongs to a particular census. This increases security and prevents spoofing (provided the second authorization method does not rely on user input).
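The two stages above, as an added illustration that is not code from decidim-module-trusted-ids or Decidim: the first stage keeps only the configured keys from the OAuth callback as authorization metadata, and the second stage queries the census by the stored identifier alone, so no user-supplied value can influence the census check. All class and method names, the sample callback hash and the census table are constructed for this example.

```ruby
require "time"

# Hypothetical record for the first ("trusted") authorization; not Decidim's model.
TrustedAuthorization = Struct.new(:provider, :uid, :expires_at, :metadata, keyword_init: true) do
  def expired?(now = Time.now)
    now >= expires_at
  end
end

# Stage 1: persist only the keys listed in `keep` (configurable in the plugin),
# plus the unique identifier and an expiry. Anything else from the provider
# is dropped, which is what data minimisation under the GDPR asks for.
def build_first_authorization(oauth_info, provider:, keep:, ttl: 365 * 24 * 3600, now: Time.now)
  TrustedAuthorization.new(
    provider: provider,
    uid: oauth_info.fetch("uid"),
    expires_at: now + ttl,
    metadata: oauth_info.fetch("info", {}).slice(*keep)
  )
end

# Stage 2: the census lookup is keyed solely by the uid stored in stage 1.
# Because the user never types anything here, they cannot claim another
# person's census membership; an expired first authorization is refused.
def census_authorization(first_auth, census_lookup, now: Time.now)
  return { status: :expired } if first_auth.expired?(now)

  record = census_lookup.call(first_auth.uid)
  return { status: :not_in_census } if record.nil?

  { status: :granted, census: record.fetch(:census) }
end

# Constructed sample data: a provider callback and a stand-in for the census API.
SAMPLE_OAUTH = {
  "uid" => "uid-0001",
  "info" => { "name" => "Test User", "email" => "test@example.org", "phone" => "600000000" }
}
SAMPLE_CENSUS = { "uid-0001" => { census: "Example municipality" } }
CENSUS_LOOKUP = ->(uid) { SAMPLE_CENSUS[uid] }
```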
Could this issue impact users' private data?
GDPR regulations are very present in this workflow, so user consent is a must. This plugin adds some additional steps to the registration process to give the user more control over the data that is being used, and to give the user the ability to revoke consent at any time.
Funded by
This module is an evolution of the original IdCat Mòbil module, which was funded by the Department d'Exteriors of Generalitat de Catalunya and developed by CodiTramuntana. The extension and all subsequent work is funded by AOC.