Capture authentication context data #4246

sergei-maertens · 2024-04-30T15:49:16Z

Simplified the entire authentication request flow where the user gets redirect to the relevant identity provider. There is now a single 'view' implementation that takes a config class/model to use which can be used to directly obtain the redirect target instead of having to go through multiple redirects on our own URLs. The view takes care of input sanitation and managing the authentication state. This substantially cleans up the inheritance/mixin chains for the OIDC flows and makes the code easier to follow.

The plugin is now able to figure out the final redirect target to the identity provider in one pass rather than having to perform multiple redirects. This also removes the ability of users to tamper with URLs in the

The tests were testing the implementation details way too much, so they've been updated by removing the fluff and asserting the functional aspects instead.

This is a temporary fix, the next steps will refactor the callback view so there's a single URL/entrypoint and that view will load the config to use from the session. But for now, the test suite must pass while we refactor the init phase.

The plugin is now able to figure out the final redirect target to the identity provider in one pass rather than having to perform multiple redirects. This also removes the ability of users to tamper with URLs in the

The tests were testing the implementation details way too much, so they've been updated by removing the fluff and asserting the functional aspects instead.

This is a temporary fix, the next steps will refactor the callback view so there's a single URL/entrypoint and that view will load the config to use from the session. But for now, the test suite must pass while we refactor the init phase.

These separate modules serve no shared purpose anymore, instead we can move the configuration directly into the model classes.

* Moved the eHerkenning tests to the proper module * Restructured the auth flow tests similarly to the remaining tests

The refactor changed some locations where translation strings are defined.

The DigiD/eHerkenning OIDC callback view(s) should not set any token refresh parameters, since there is no middleware hooked up to perform this refresh anyway. In its current form, it is even conflicting with the admin OIDC refresh settings.

Simplified the entire authentication request flow where the user gets redirect to the relevant identity provider. There is now a single 'view' implementation that takes a config class/model to use which can be used to directly obtain the redirect target instead of having to go through multiple redirects on our own URLs. The view takes care of input sanitation and managing the authentication state. This substantially cleans up the inheritance/mixin chains for the OIDC flows and makes the code easier to follow.

The plugin is now able to figure out the final redirect target to the identity provider in one pass rather than having to perform multiple redirects. This also removes the ability of users to tamper with URLs in the

Updating the values of the choices means we need to update the values of existing form definitions and variables, otherwise the code will get non-matching equality comparisons.

authorised_person is a confusing value when the authorizee is actually a company identified by KVK or RSIN, so we rename the value to authorizee instead.

The TODO was handled in previous commits and can be removed.

The value will need to be updated too, but that will involve some migrations and import shims to update the prefill configuration.

…ext data The legacy machtigen data-structure is deprecated, instead, we check more strictly for a BSN in a mandate context set by authentication.