✨ [open-formulieren/open-forms#4785] Remove the default requested attributes

... and make the fields in the admin not-required.

The requested attributes are documented (vaguely) on the service
provider metadata page: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/dv-metadata-for-hm
and in more detail on the attribute catalogue page:
https://afsprakenstelsel.etoegang.nl/Startpagina/v3/attribuutcatalogus

These attributes are *additional* attributes you can request from the
eHerkenning/EIDAS flow, on top of the identifier (KVK number) which
you will always get and may not specify as requested attribute. See
https://afsprakenstelsel.etoegang.nl/Startpagina/v3/interface-specifications-dv-hm

I've opted to *keep* the defaults for EIDAS because typically you only
get a PseudoID back from that service, which doesn't give us much
information to work with and there are open issues/requests to use
the retrieved information from EIDAS for authentication/identification
already.
sergei-maertens committed Dec 18, 2024
1 parent e950db4 commit f6bdf84
Showing 4 changed files with 60 additions and 22 deletions.
Expand Up @@ -26,7 +26,7 @@ class Migration(migrations.Migration):
model_name="eherkenningconfiguration",
name="eh_requested_attributes",
field=models.JSONField(
default=digid_eherkenning.models.eherkenning.get_default_requested_attributes_eherkenning,
default=list,
help_text="A list of additional requested attributes. A single requested attribute can be a string (the name of the attribute) or an object with keys 'name' and 'required', where 'name' is a string and 'required' a boolean'.",
verbose_name="requested attributes",
),
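Review bot: The `default=` swap here rewrites a migration that has already shipped, and nothing in the file says why. Because `get_default_requested_attributes_eherkenning` is deleted from `digid_eherkenning/models/eherkenning.py` in this same commit, the old reference would fail as soon as the migration module is loaded, so the edit is needed; a one-line comment above `default=list` saying so would stop the next reader from treating it as an accidental history rewrite. It is also worth searching the other migrations for the removed name before merging, since any remaining reference breaks `migrate` in the same way.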
@@ -0,0 +1,33 @@
# Generated by Django 4.2.13 on 2024-12-18 14:58

from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
("digid_eherkenning", "0012_move_config_certificate"),
]

operations = [
migrations.AlterField(
model_name="eherkenningconfiguration",
name="eh_requested_attributes",
field=models.JSONField(
blank=True,
default=list,
help_text="A list of additional requested attributes. A single requested attribute can be a string (the name of the attribute) or an object with keys 'name' and 'required', where 'name' is a string and 'required' a boolean'.",
verbose_name="requested attributes",
),
),
migrations.AlterField(
model_name="eherkenningconfiguration",
name="eidas_requested_attributes",
field=models.JSONField(
blank=True,
default=list,
help_text="A list of additional requested attributes. A single requested attribute can be a string (the name of the attribute) or an object with keys 'name' and 'required', where 'name' is a string and 'required' a boolean'.",
verbose_name="requested attributes",
),
),
]
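Review bot: The `operations` list holds only the two `AlterField` entries, so a configuration row saved under the old default keeps it: after upgrading it will still request `urn:etoegang:1.11:attribute-represented:CompanyName` with `"required": True` and the purpose statement "For testing purposes.". If the goal is to stop requesting attributes nobody chose, add a `RunPython` step that clears values still equal to the removed default, or call it out in the changelog so operators review the field by hand. Minor: the `help_text` ends in `a boolean'.` with an unmatched quote, and this migration copies it twice more.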
19 changes: 4 additions & 15 deletions digid_eherkenning/models/eherkenning.py
Expand Up @@ -9,19 +9,6 @@
from .base import BaseConfiguration


def get_default_requested_attributes_eherkenning():
return [
{
"name": "urn:etoegang:1.11:attribute-represented:CompanyName",
"required": True,
"purpose_statements": {
"en": "For testing purposes.",
"nl": "Voor testdoeleinden.",
},
}
]


def get_default_requested_attributes_eidas():
return [
{
Expand Down Expand Up @@ -76,7 +63,8 @@ class EherkenningConfiguration(BaseConfiguration):
)
eh_requested_attributes = models.JSONField(
_("requested attributes"),
default=get_default_requested_attributes_eherkenning,
default=list,
blank=True,
help_text=_(
"A list of additional requested attributes. A single requested attribute "
"can be a string (the name of the attribute) or an object with keys 'name' "
Expand Down Expand Up @@ -115,7 +103,8 @@ class EherkenningConfiguration(BaseConfiguration):
)
eidas_requested_attributes = models.JSONField(
_("requested attributes"),
default=get_default_requested_attributes_eidas,
default=list,
blank=True,
help_text=_(
"A list of additional requested attributes. A single requested attribute "
"can be a string (the name of the attribute) or an object with keys 'name' "
Expand Down
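Review bot: The commit message says the EIDAS defaults are kept, but `eidas_requested_attributes` loses `default=get_default_requested_attributes_eidas` in favour of `default=list` in this hunk, and the new migration sets `default=list` for that field as well. Either restore the callable on this field and keep only the added `blank=True`, or correct the message and remove `get_default_requested_attributes_eidas`, which stays defined further up in this file and has no remaining use among the visible lines.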
28 changes: 22 additions & 6 deletions docs/metadata.rst
@@ -1,3 +1,5 @@
.. _metadata:

===================
Metadata generation
===================
Expand All @@ -21,17 +23,19 @@ If you wish, you can still use :ref:`management commands<cli>` to generate the m
eHerkenning / eIDAS
-------------------

.. _metadata_requested_attributes:

Configuring RequestedAttribute
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In the field ``RequestedAttribute`` one can specify all the attributes that may be requested by the service
when a company/person logs in with eHerkenning or eIDAS.
In the field ``RequestedAttribute`` one can specify all the attributes that may be
requested by the service when a company/person logs in with eHerkenning or eIDAS.

The values specified need to come from the "`Attribuutcatalogus <https://afsprakenstelsel.etoegang.nl/Startpagina/v1/attribuutcatalogus>`_"
(there are multiple catalogues: 'generiek', 'natuurlijke personen' and 'non-natuurlijke personen').
The values specified need to come from the Attribuutcatalogus_ (there are multiple
catalogues: 'generiek', 'natuurlijke personen' and 'non-natuurlijke personen').

In the admin, these can be specified as a list of dictionaries. For example, for eIDAS one could use the following JSON
to request the first name of the person who logged in:
In the admin, these can be specified as a list of dictionaries. For example, for eIDAS
one could use the following JSON to request the first name of the person who logged in:

.. code-block:: json
Expand All @@ -45,3 +49,15 @@ to request the first name of the person who logged in:
}
}
]
.. warning:: YOU MAY NOT REQUEST ATTRIBUTES LISTED IN "Identificerende kenmerken". If
you do so, the metadata will be rejected by the broker. In practice this means:

* don't request the ``KVKNr`` attribute
* don't request the ``Pseudo`` attribute
* don't request the ``RSIN`` attribute
* don't request the ``BSN`` attribute

These attributes are pre-configured and will be returned without asking for them.

.. _Attribuutcatalogus: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/attribuutcatalogus
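Review bot: The new warning is the only guard against requesting `KVKNr`, `Pseudo`, `RSIN` or `BSN`; the two model fields changed in this commit accept any JSON list, so a mistake surfaces only when the broker rejects the generated metadata. Consider a validator on `eh_requested_attributes` and `eidas_requested_attributes` that rejects these names on save, and repeat the restriction in the field `help_text` so admin users see it where they type. Style: the `.. warning::` directive already supplies the emphasis, so the all-caps sentence can be written in normal case.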
