The Get an Identity service is integrated into the NPQ application so that identity verification is handled outside the application itself. This keeps the NPQ application agnostic of how identities are verified and allows the verification process to change without affecting the NPQ application.
The Get an Identity service is integrated into the NPQ app as an OAuth provider called tra_openid_connect, the strategy for which is set up in Omniauth::Strategies::TraOpenidConnect.
The GetAnIdentity provider implements the OpenID Connect protocol with PKCE enabled, details of which are available here. The auth flow is specifically detailed in this section.
This handshake is handled by the omniauth and omniauth-oauth2 gems, with the specifics of this protocol detailed in the strategy linked above.
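The part of the handshake that PKCE adds, as an added example that is not the NPQ app's or the omniauth-oauth2 gem's code: the client generates a secret code_verifier, sends only its S256 code_challenge in the authorisation request, and the authorisation server recomputes the challenge from the verifier presented at the token request. The helper names are assumptions for illustration; the check at the end is what the server side does and is shown so the pairing is clear.

```ruby
require "securerandom"
require "digest"
require "openssl"

# Base64url without padding, as RFC 7636 requires (avoids needing the base64 library).
def base64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# The client keeps the verifier private for the duration of the login; only the
# challenge derived from it leaves the client in the authorisation request.
def generate_code_verifier
  base64url(SecureRandom.random_bytes(32)) # 43 unreserved characters
end

# S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
def code_challenge_for(verifier)
  base64url(Digest::SHA256.digest(verifier))
end

# Extra parameters the strategy adds to the authorisation request (assumed shape).
def authorization_params(verifier)
  { code_challenge: code_challenge_for(verifier), code_challenge_method: "S256" }
end

# Server side of the token request: recompute from the presented verifier and
# compare with the stored challenge in constant time. A verifier outside the
# RFC 7636 alphabet or length is rejected before any comparison.
def verifier_matches_challenge?(verifier, challenge)
  return false unless verifier.is_a?(String) && verifier.match?(/\A[A-Za-z0-9\-._~]{43,128}\z/)
  expected = code_challenge_for(verifier)
  expected.bytesize == challenge.bytesize && OpenSSL.fixed_length_secure_compare(expected, challenge)
end
```

The value of PKCE here is that an attacker who intercepts the authorisation code (for example via a leaked redirect) cannot redeem it without the verifier, which never left the client.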
Upon login, a user record is linked to the get_an_identity_id provided by the Get an Identity service, which allows the NPQ application to identify the user on future logins. For email addresses in use prior to the Get an Identity integration, the existing user record whose email matches the address provided by the Get an Identity service is assigned the get_an_identity_id. Otherwise a new user is created. This is handled in the OmniauthController.
The user is then logged in and can proceed onwards.
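The lookup order described above, as an added example rather than the NPQ app's OmniauthController: match on the stable get_an_identity_id first, fall back to the email only for an account not yet bound to any identity, and otherwise create the user. The in-memory user store, the UserLinker class and the conflict error are assumptions for illustration. The email fallback relies on the provider having verified the address, and the example refuses to re-point an account already bound to a different identity rather than silently merging it, since that is where an account takeover would otherwise hide.

```ruby
# In-memory stand-in for the users table; the real app uses ActiveRecord (assumed).
User = Struct.new(:id, :email, :get_an_identity_id, keyword_init: true)

class IdentityLinkConflict < StandardError; end

class UserLinker
  attr_reader :users

  def initialize(users)
    @users = users
  end

  # uid and email come from the OmniAuth auth hash after a successful callback.
  # Returns [user, outcome] with outcome one of :matched, :linked, :created.
  def call(uid:, email:)
    email = normalise(email)

    # 1. Returning user: the stable identifier wins; emails can change later.
    if (user = users.find { |u| u.get_an_identity_id == uid })
      return [user, :matched]
    end

    # 2. Pre-integration account found by email: bind it to this identity.
    if (user = users.find { |u| normalise(u.email) == email })
      # Step 1 missed, so any existing id on this record belongs to someone else.
      if user.get_an_identity_id
        raise IdentityLinkConflict, "email #{email} is already linked to another identity"
      end
      user.get_an_identity_id = uid
      return [user, :linked]
    end

    # 3. First sign-in with an unknown email: create the account.
    user = User.new(id: next_id, email: email, get_an_identity_id: uid)
    users << user
    [user, :created]
  end

  private

  # Compare emails case-insensitively and ignore stray whitespace from the provider.
  def normalise(email)
    email.to_s.strip.downcase
  end

  def next_id
    (users.map(&:id).max || 0) + 1
  end
end
```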
The Get an Identity service provides a webhook to notify the NPQ application of changes to a user's identity verification status and to their personal details. This is handled in the Api::V1::GetAnIdentity::WebhookMessagesController.
Messages are stored immediately upon being received and are processed in the background by the GetAnIdentity::ProcessWebhookMessageJob. This job is enqueued by the GetAnIdentity::WebhookMessage model.
Different messages are handled by different processors, which the message model itself provides via its processor_klass method.
Documentation on the different messages can be found at https://github.com/DFE-Digital/get-an-identity/blob/main/docs/webhooks.md.
- UserUpdated via GetAnIdentityService::Webhooks::UserUpdatedProcessor
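The receive-then-process split and the processor_klass dispatch, as an added example that is not the NPQ app's controller, model, job or processor code. The envelope shape (messageType and message keys), the in-memory store and the error classes are assumptions; the real message format is in the webhooks documentation linked above. The example assumes the request has already been authenticated on receipt, which this page does not describe. The controller stand-in only persists, the job stand-in marks an unsupported or malformed message as failed without raising, and the processor matches the user on the stable identifier rather than the email, which is the very field the message may be changing.

```ruby
require "json"

User = Struct.new(:get_an_identity_id, :email, :full_name, keyword_init: true)

class UnsupportedMessageType < StandardError; end
class UnknownUser < StandardError; end

# One handler per message type. Updates only the fields the payload carries.
class UserUpdatedProcessor
  def initialize(message, users)
    @message = message
    @users = users
  end

  def call
    data = JSON.parse(@message.payload)
    user = @users.find { |u| u.get_an_identity_id == data.fetch("uid") }
    raise UnknownUser, "no user for uid #{data['uid']}" unless user
    user.email = data["email"] if data.key?("email")
    user.full_name = data["full_name"] if data.key?("full_name")
    user
  end
end

# Registry consulted by processor_klass; a new message type means a new row here.
PROCESSORS = { "UserUpdated" => UserUpdatedProcessor }.freeze

# Stand-in for the stored webhook message; status tracks pending/processed/failed.
WebhookMessage = Struct.new(:id, :message_type, :payload, :status, :error, keyword_init: true) do
  def processor_klass
    PROCESSORS.fetch(message_type) { raise UnsupportedMessageType, message_type }
  end
end

# Stand-in for the controller: persist first, do no processing inline, so a
# crash while handling the event never loses it.
def receive_webhook(store, raw_body)
  envelope = JSON.parse(raw_body)
  message = WebhookMessage.new(
    id: store.size + 1,
    message_type: envelope.fetch("messageType"),
    payload: JSON.generate(envelope.fetch("message")),
    status: :pending
  )
  store << message
  message
end

# Stand-in for the background job. A failure is recorded on this message only;
# the stored original stays available for inspection and replay.
def process_webhook_message(message, users)
  message.processor_klass.new(message, users).call
  message.status = :processed
  message
rescue UnsupportedMessageType, UnknownUser, JSON::ParserError, KeyError => e
  message.status = :failed
  message.error = e.message
  message
end
```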