2022-04-04
DINUM - FranceConnect / FranceConnect+ / AgentConnect - Public Program

🔈 About FranceConnect and AgentConnect

  • FranceConnect is the SSO solution developed by the French government for its citizens, based on the OpenID Connect protocol. It allows citizens to log in to many public and private online services using their existing credentials from certified public and private identity providers (IMPOTS, AMELI, La poste identité numérique, ...).

  • AgentConnect is the SSO solution developed by the French government for its agents, based on the OpenID Connect protocol. It allows public servants to log in to many internal governmental services using their identities from the existing directories of the agencies they work for.

💚 OBJECTIVES

As the official French SSO, it is crucial for us to ensure a high level of security on our platform. Here is a list of the typical scenarios we are concerned about:

  • Users' data exfiltration
  • Users' misused identity
  • Users' redirections towards malicious websites

👷 ELIGIBILITY, DISCLOSURE & CONFIDENTIALITY

  • You must be the first reporter of the vulnerability.
  • The vulnerability must not have already been taken into account internally to qualify.
  • The vulnerability must be a qualifying vulnerability (see below).
  • As many endpoints use the same codebase, if two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Such reports will be reviewed on a case-by-case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself in terms of requests per second).
  • You must not leak, manipulate, or destroy any user data. We kindly ask you to not use collaborative tools for your research notes in order to avoid any unwanted disclosure or leak potentially exploitable by a third party.
  • You must not be a former or current employee / contractor / auditor of DINUM / FranceConnect / AgentConnect.

👥 Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks or exposed credentials.
We will only consider vulnerabilities or leaks that are identified directly on the scope of this program.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources (e.g. …)
  • Exposed credentials on out-of-scope assets
  • Exposed GitHub/GitLab (or similar) instance
  • Exposed secrets (e.g. API tokens/keys or other technical credentials)
  • Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table:

                                                                          | Source of leak is in-scope | Source of leak is out-of-scope
--------------------------------------------------------------------------|----------------------------|-------------------------------
Impact is in-scope (e.g. valid credentials on an in-scope asset)          | Eligible                   | Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible                   | Not Eligible

🚨 Hunting requirements

🦺 TESTING ON OUR INTEGRATION PLATFORM

Do not use any URL ending in ".gouv.fr": this prevents production disruption and keeps your activity from being treated as a real threat.

🛂 USER AGENT

When testing on *.integ01.dev-franceconnect.fr, append the value ywh-pubbb-1 to your User-Agent header. This helps us identify your requests and avoid blocking you. You can also use words like "BugBounty" in your parameters to help us identify your requests.

🌱 How can I start hunting?

🧪 Quick Start Guide

💡 Easy Black-box testing

This section covers the easiest way to test our platform. It is also the only way to test our platform if you do not wish to use the local stack (see below).

A good starting point for your journey is to access a fake (mock) service provider (SP/RP in OpenID Connect terminology) and test the connection on our integration platform. You can use this RP for FranceConnect+ and this RP for AgentConnect. A connection works as follows:

  1. On the RP, click on the FranceConnect/AgentConnect ("S'identifier avec...") button at the bottom of the page (do not change any parameter for now).
  2. Select your fake (mock) Identity Provider (IDP/OP in OpenID Connect terminology) and click on the "Continuer" button.
  3. Once you have clicked on your chosen IDP, you will be prompted to log in:
    • Use test / 123 for FranceConnect+ or any in the following list
    • Use test / 123 for FranceConnect or any in the following list
    • Use test / 123 for AgentConnect
  4. You will be prompted to consent to the sharing of the data with the RP. Click on the "Continuer" button.
  5. 🎉 Congratulations, you are connected! After login you can also use the "Révoquer token" button to revoke the current access_token, or "Recharger userinfo" to reload the user data from the IDP. You can also use the "Se déconnecter" button to disconnect from the IDP.
  6. 🎉 You can now tweak the connection parameters on the mock RP to test different scenarios. See the OpenID Connect documentation for more information.

To better understand the scope, you can access the integration user dashboard at https://tableaudebord.integ01.dev-franceconnect.fr; it acts like a service provider. Note that it is out of the scope of the program and is only at your disposal to help you better grasp the workflow.

⚗️ Dig a little deeper, run a full local stack

If you want to dig a little deeper, you can use the local stack. You can find instructions here. You will need access to our Docker repository to deploy it. For this, you can use the credentials provided in the bug bounty program.

⚠️ You'll need to follow the new instructions on https://github.com/france-connect/sources/pull/5 to set up a local stack. It's a temporary measure to get the stacks to work.

You will find a Docker-stack Quick Start guide here. Once set up, you can also use the command docker-stack help to get a list of all the available commands.

You can read more on FranceConnect and AgentConnect here.

💡 The recommended local stacks to use

These stacks are used with docker-stack up <stack>. Do not forget to use docker-stack start-all afterwards to start all the services. Use docker-stack prune to stop all the services.

  • min-fcp-high (light stack) or bdd-fcp-high (full stack) for FranceConnect+
  • min-fca-low (light stack) or bdd-fca-low (full stack) for AgentConnect
  • min-eidas-high (light stack) or all-eidas-high (full stack) for eIDAS
  • bdd-ud for the user dashboard

See https://hello.docker.dev-franceconnect.fr to find all running services and their URLs. Generally you can use https://<container-name>.docker.dev-franceconnect.fr to access a service (e.g. https://fsp1-high.docker.dev-franceconnect.fr for the FranceConnect+ mock RP, the one used in the black-box section).

📈 Diagrams

FranceConnect+:

AgentConnect:

🔀 Github repositories

📝 Contact

Please use support.partenaires@franceconnect.gouv.fr for any question you may have. Please put [ywh-pubbb-1] at the beginning of the subject to help us qualify the ticket. We will do our best to answer promptly.

🚀 Special scenarios

⚠️ All scenarios MUST follow the general rules of the Bug Bounty.
💡 Please note that "Something happens" is only for the sake of the example. It can be anything at any given time that is not expected; the team will validate the submitted behavior.
💡 Please use only our mocks on the integration environment for the bug bounty to avoid service disruption. If you want to test your solution in production, you MUST submit a request to the team before.

FranceConnect+

  • Connect using a forged identity (existing or not) 20k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Select an identity provider
  3. Use credentials of an existing user
  4. Something happens
  5. Your forged identity is connected on the service provider

  • Connect with substantial (eidas2) acr from the identity provider when the requested acr was high (eidas3) 15k€

Example:

  1. Use FranceConnect+ button on a service provider with a high acr (authorize "acr_values" must contain "eidas3")
  2. Select an identity provider (using mocks, you can force the returned acr to be eidas2)
  3. Use credentials of an existing user
  4. Something happens
  5. There is no error returning from the identity provider
  6. User is connected on the service provider with acr eidas2

  • Connect using a deactivated identity provider 15k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Something happens
  3. Select an identity provider that is disabled
  4. Use credentials of an existing user
  5. There is no error returning from the identity provider
  6. User is connected on the service provider

AgentConnect, FranceConnect

  • Connect using a forged identity (existing or not) 10k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Select an identity provider
  3. Use credentials of an existing user
  4. Something happens
  5. Your forged identity is connected on the service provider

  • Connect using a deactivated identity provider 10k€

Example:

  1. Use FranceConnect+ button on a service provider
  2. Something happens
  3. Select an identity provider that is disabled
  4. Use credentials of an existing user
  5. There is no error returning from the identity provider
  6. User is connected on the service provider

eIDAS Bridge

  • Connect to a European service provider using a forged identity (existing or not) 15k€

Example:

  1. Use the European mock service provider
  2. Select "France" for your identity country
  3. Select an identity provider on FranceConnect+ page
  4. Use credentials of an existing user
  5. Something happens
  6. Your forged identity is connected on the European mock service provider

User Dashboard

  • Authorize an identity provider blacklisted by a user - 10k€

Example:

  1. Connect to the user dashboard
  2. Add an identity provider to an existing user blacklist
  3. Something happens
  4. Connect to a service provider using FranceConnect+ or FranceConnect
  5. Select the blacklisted identity provider
  6. Use credentials of an existing user
  7. There is no error returning from the identity provider
  8. User is connected on the service provider

  • Alter the connection history page of a user 10k

Example:

  1. Something happens
  2. Connect to the user dashboard
  3. Access the connection history page of an existing user
  4. The connection history is altered

FranceConnect+

  • Connect using a forged identity (existing or not) 20k€
  • Connect with substantial (eidas2) acr from the identity provider when the requested acr was high (eidas3) 15k€
  • Connect using a deactivated identity provider 15k€

AgentConnect, FranceConnect

  • Connect using a forged identity (existing or not) 10k€
  • Connect using a deactivated identity provider 10k€

eIDAS Bridge

  • Connect to a European service provider using a forged identity (existing or not) 15k€

User Dashboard

  • Authorize an identity provider blacklisted by a user - 10k€
  • Alter the connection history page of a user 10k

In Scope

Scope Type      | Scope Name
----------------|---------------------------------------------------------
ios_application | Specific scenarios (see program description)
web_application | AgentConnect (see program description for github link)
web_application | FranceConnect+ (see program description for github link)
web_application | FranceConnect (see program description for github link)
web_application | eIDAS Bridge (see program description for github link)
web_application | User Dashboard (see program description for github link)

Out of Scope

Scope Type      | Scope Name
----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------
undefined       | All partners and all mocks are out of scope (but you can use the deployed mocks at your discretion to attack the scope).
web_application | The local stack (*.docker.dev-franceconnect) is a powerful tool for you to understand the internal processes but is out of scope (the exploit must also work in the scope to qualify).
web_application | The production environment (*.gouv.fr) is out of scope.
web_application | https://fcp.integ01.dev-franceconnect.fr
web_application | https://tableaudebord.integ01.dev-franceconnect.fr


This program was found on YesWeHack on 2022-04-04.

FireBounty © 2015-2024
