Merge pull request #1448 from maykinmedia/task/2618-digid-eherkenning

[#2618] Replace digid_eherkenning_oidc_generics with library

docs/configuration/admin_oidc.rst

@@ -36,7 +36,6 @@ All settings:
     ADMIN_OIDC_DEFAULT_GROUPS
     ADMIN_OIDC_GROUPS_CLAIM
     ADMIN_OIDC_MAKE_USERS_STAFF
-    ADMIN_OIDC_OIDC_EXEMPT_URLS
     ADMIN_OIDC_OIDC_NONCE_SIZE
     ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
     ADMIN_OIDC_OIDC_OP_DISCOVERY_ENDPOINT
@@ -65,12 +64,12 @@ Detailed Information
     Setting             claim mapping
     Description         Mapping from user-model fields to OIDC claims
     Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {'email': 'email', 'first_name': 'given_name', 'last_name': 'family_name'}
+    Default value       {'email': ['email'], 'first_name': ['given_name'], 'last_name': ['family_name']}
     
     Variable            ADMIN_OIDC_GROUPS_CLAIM
     Setting             groups claim
     Description         The name of the OIDC claim that holds the values to map to local user groups.
-    Possible values     string
+    Possible values     No information available
     Default value       roles
     
     Variable            ADMIN_OIDC_MAKE_USERS_STAFF
@@ -79,12 +78,6 @@ Detailed Information
     Possible values     True, False
     Default value       False
     
-    Variable            ADMIN_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     string, comma-delimited ('foo,bar,baz')
-    Default value       
-    
     Variable            ADMIN_OIDC_OIDC_NONCE_SIZE
     Setting             Nonce size
     Description         Sets the length of the random string used for OpenID Connect nonce verification
@@ -190,5 +183,5 @@ Detailed Information
     Variable            ADMIN_OIDC_USERNAME_CLAIM
     Setting             username claim
     Description         The name of the OIDC claim that is used as the username
-    Possible values     string
+    Possible values     No information available
     Default value       sub

docs/configuration/digid_oidc.rst

@@ -31,10 +31,8 @@ All settings:
 
 ::
 
+    DIGID_OIDC_BSN_CLAIM
     DIGID_OIDC_ENABLED
-    DIGID_OIDC_ERROR_MESSAGE_MAPPING
-    DIGID_OIDC_IDENTIFIER_CLAIM_NAME
-    DIGID_OIDC_OIDC_EXEMPT_URLS
     DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT
     DIGID_OIDC_OIDC_NONCE_SIZE
     DIGID_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
@@ -57,30 +55,18 @@ Detailed Information
 
 ::
 
+    Variable            DIGID_OIDC_BSN_CLAIM
+    Setting             BSN-claim
+    Description         Naam van de claim die het BSN bevat van de ingelogde gebruiker.
+    Possible values     No information available
+    Default value       bsn
+    
     Variable            DIGID_OIDC_ENABLED
     Setting             inschakelen
-    Description         Geeft aan of OpenID Connect voor authenticatie/autorisatie is ingeschakeld. Deze overschrijft het gebruik van SAML voor DigiD-authenticatie.
+    Description         Indicates whether OpenID Connect for authentication/authorization is enabled
     Possible values     True, False
     Default value       False
     
-    Variable            DIGID_OIDC_ERROR_MESSAGE_MAPPING
-    Setting             Foutmelding mapping
-    Description         Mapping die de door de identiteitsprovider geretourneerde foutmeldingen, omzet in leesbare meldingen die aan de gebruiker worden getoond
-    Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {}
-    
-    Variable            DIGID_OIDC_IDENTIFIER_CLAIM_NAME
-    Setting             BSN claim naam
-    Description         De naam van de claim waarin het BSN nummer van de gebruiker is opgeslagen
-    Possible values     string
-    Default value       bsn
-    
-    Variable            DIGID_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     No information available
-    Default value       
-    
     Variable            DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT
     Setting             Keycloak-identiteitsprovider hint
     Description         Specifiek voor Keycloak: parameter die aangeeft welke identiteitsprovider gebruikt moet worden (inlogscherm van Keycloak overslaan).
@@ -149,7 +135,7 @@ Detailed Information
     
     Variable            DIGID_OIDC_OIDC_RP_SCOPES_LIST
     Setting             OpenID Connect scopes
-    Description         OpenID Connect-scopes die worden bevraagd tijdens het inloggen. Deze zijn hardcoded en moeten worden ondersteund door de identiteitsprovider.
+    Description         OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider.
     Possible values     No information available
     Default value       openid, bsn
     

docs/configuration/eherkenning_oidc.rst

@@ -32,9 +32,7 @@ All settings:
 ::
 
     EHERKENNING_OIDC_ENABLED
-    EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING
-    EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME
-    EHERKENNING_OIDC_OIDC_EXEMPT_URLS
+    EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM
     EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT
     EHERKENNING_OIDC_OIDC_NONCE_SIZE
     EHERKENNING_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
@@ -59,27 +57,15 @@ Detailed Information
 
     Variable            EHERKENNING_OIDC_ENABLED
     Setting             inschakelen
-    Description         Geeft aan of OpenID Connect voor authenticatie/autorisatie is ingeschakeld. Deze heeft voorrang op het gebruik van SAML voor eHerkenning-authenticatie.
+    Description         Indicates whether OpenID Connect for authentication/authorization is enabled
     Possible values     True, False
     Default value       False
     
-    Variable            EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING
-    Setting             Foutmelding mapping
-    Description         Mapping die de door de identiteitsprovider geretourneerde foutmeldingen, omzet in leesbare meldingen die aan de gebruiker worden getoond
-    Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {}
-    
-    Variable            EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME
-    Setting             KVK claim naam
-    Description         De naam van de claim waarin het KVK nummer van de gebruiker is opgeslagen
-    Possible values     string
-    Default value       kvk
-    
-    Variable            EHERKENNING_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     string, comma-delimited ('foo,bar,baz')
-    Default value       
+    Variable            EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM
+    Setting             bedrijfsidenticatie-claim
+    Description         Naam van de claim die de identificatie van het ingelogde/vertegenwoordigde bedrijf bevat.
+    Possible values     No information available
+    Default value       urn:etoegang:core:LegalSubjectID
     
     Variable            EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT
     Setting             Keycloak-identiteitsprovider hint
@@ -149,7 +135,7 @@ Detailed Information
     
     Variable            EHERKENNING_OIDC_OIDC_RP_SCOPES_LIST
     Setting             OpenID Connect scopes
-    Description         OpenID Connect-scopes die worden bevraagd tijdens het inloggen. Deze zijn hardcoded en moeten worden ondersteund door de identiteitsprovider.
+    Description         OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider.
     Possible values     string, comma-delimited ('foo,bar,baz')
     Default value       openid, kvk
     

docs/configuration/eherkenning_saml.rst

@@ -134,7 +134,7 @@ Detailed Information
     
     Variable            EHERKENNING_SAML_EH_LOA
     Setting             eHerkenning LoA
-    Description         Level of Assurance (LoA) to use for the eHerkenning service.
+    Description         Betrouwbaarheidsniveau (LoA) voor de eHerkenningservice.
     Possible values     urn:etoegang:core:assurance-class:loa1, urn:etoegang:core:assurance-class:loa2, urn:etoegang:core:assurance-class:loa2plus, urn:etoegang:core:assurance-class:loa3, urn:etoegang:core:assurance-class:loa4
     Default value       urn:etoegang:core:assurance-class:loa3
     
@@ -164,7 +164,7 @@ Detailed Information
     
     Variable            EHERKENNING_SAML_EIDAS_LOA
     Setting             eIDAS LoA
-    Description         Level of Assurance (LoA) to use for the eIDAS service.
+    Description         Betrouwbaarheidsniveau (LoA) voor de eIDAS-service.
     Possible values     urn:etoegang:core:assurance-class:loa1, urn:etoegang:core:assurance-class:loa2, urn:etoegang:core:assurance-class:loa2plus, urn:etoegang:core:assurance-class:loa3, urn:etoegang:core:assurance-class:loa4
     Default value       urn:etoegang:core:assurance-class:loa3
     

requirements/base.in

@@ -79,7 +79,7 @@ elastic-apm  # Elastic APM integration
 beautifulsoup4
 
 # DigidLocal
-django-digid-eherkenning
+django-digid-eherkenning[oidc]
 maykin-python3-saml
 pyopenssl
 django-sessionprofile

requirements/base.txt

@@ -190,7 +190,7 @@ django-csp==3.7
     # via -r requirements/base.in
 django-csp-reports==1.8.1
     # via -r requirements/base.in
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.16.0
     # via -r requirements/base.in
 django-elasticsearch-dsl==7.4
     # via -r requirements/base.in
@@ -403,10 +403,12 @@ maykin-python3-saml==1.16.1
     #   django-digid-eherkenning
 messagebird==2.1.0
     # via -r requirements/base.in
-mozilla-django-oidc==2.0.0
+mozilla-django-oidc==4.0.1
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.14.1
-    # via -r requirements/base.in
+mozilla-django-oidc-db==0.19.0
+    # via
+    #   -r requirements/base.in
+    #   django-digid-eherkenning
 notifications-api-common==0.2.2
     # via -r requirements/base.in
 oath==1.4.4
@@ -544,6 +546,7 @@ tinycss2==1.1.1
 typing-extensions==4.10.0
     # via
     #   -r requirements/base.in
+    #   mozilla-django-oidc-db
     #   pydantic
     #   pydantic-core
     #   pyee

requirements/ci.txt

@@ -314,10 +314,11 @@ django-csp-reports==1.8.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.16.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 django-elasticsearch-dsl==7.4
     # via
     #   -c requirements/base.txt
@@ -743,15 +744,16 @@ messagebird==2.1.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-mozilla-django-oidc==2.0.0
+mozilla-django-oidc==4.0.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.14.1
+mozilla-django-oidc-db==0.19.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 multidict==6.0.5
     # via yarl
 mypy-extensions==1.0.0
@@ -1066,6 +1068,7 @@ typing-extensions==4.10.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   mozilla-django-oidc-db
     #   polyfactory
     #   pydantic
     #   pydantic-core

requirements/dev.txt

@@ -356,10 +356,11 @@ django-csp-reports==1.8.1
     #   -r requirements/ci.txt
 django-debug-toolbar==3.2.2
     # via -r requirements/dev.in
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.16.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   django-digid-eherkenning
 django-elasticsearch-dsl==7.4
     # via
     #   -c requirements/ci.txt
@@ -845,15 +846,16 @@ messagebird==2.1.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
-mozilla-django-oidc==2.0.0
+mozilla-django-oidc==4.0.1
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.14.1
+mozilla-django-oidc-db==0.19.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   django-digid-eherkenning
 msgpack==1.0.7
     # via locust
 multidict==6.0.5
@@ -1269,6 +1271,7 @@ typing-extensions==4.10.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   mozilla-django-oidc-db
     #   polyfactory
     #   pydantic
     #   pydantic-core