From f6bdf849e0a58c0b2ed552cf472dee5efbe0ae77 Mon Sep 17 00:00:00 2001
From: Sergei Maertens
Date: Wed, 18 Dec 2024 16:10:32 +0100
Subject: [PATCH] :sparkles: [open-formulieren/open-forms#4785] Remove the default requested attributes

... and make the fields in the admin not-required.

The requested attributes are documented (vaguely) on the service provider metadata page: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/dv-metadata-for-hm and in more detail on the attribute catalogue page: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/attribuutcatalogus

These attributes are *additional* attributes you can request from the eHerkenning/EIDAS flow, on top of the identifier (KVK number) which you will always get and may not specify as requested attribute. See https://afsprakenstelsel.etoegang.nl/Startpagina/v3/interface-specifications-dv-hm

I've opted to *keep* the defaults for EIDAS because typically you only get a PseudoID back from that service, which doesn't give us much information to work with and there are open issues/requests to use the retrieved information from EIDAS for authentication/identification already.
---
 ...ngconfiguration_service_description_url.py | 2 +-
 ...ration_eh_requested_attributes_and_more.py | 33 +++++++++++++++++++
 digid_eherkenning/models/eherkenning.py | 19 +++-------
 docs/metadata.rst | 28 ++++++++++++----
 4 files changed, 60 insertions(+), 22 deletions(-)
 create mode 100644 digid_eherkenning/migrations/0013_alter_eherkenningconfiguration_eh_requested_attributes_and_more.py

diff --git a/digid_eherkenning/migrations/0007_eherkenningconfiguration_service_description_url.py b/digid_eherkenning/migrations/0007_eherkenningconfiguration_service_description_url.py
index 52e31bf..7bbb063 100644
--- a/digid_eherkenning/migrations/0007_eherkenningconfiguration_service_description_url.py
+++ b/digid_eherkenning/migrations/0007_eherkenningconfiguration_service_description_url.py
@@ -26,7 +26,7 @@ class Migration(migrations.Migration):
 model_name="eherkenningconfiguration",
 name="eh_requested_attributes",
 field=models.JSONField(
- default=digid_eherkenning.models.eherkenning.get_default_requested_attributes_eherkenning,
+ default=list,
 help_text="A list of additional requested attributes. A single requested attribute can be a string (the name of the attribute) or an object with keys 'name' and 'required', where 'name' is a string and 'required' a boolean'.",
 verbose_name="requested attributes",
 ),
diff --git a/digid_eherkenning/migrations/0013_alter_eherkenningconfiguration_eh_requested_attributes_and_more.py b/digid_eherkenning/migrations/0013_alter_eherkenningconfiguration_eh_requested_attributes_and_more.py
new file mode 100644
index 0000000..825a2b7
--- /dev/null
+++ b/digid_eherkenning/migrations/0013_alter_eherkenningconfiguration_eh_requested_attributes_and_more.py
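Review bot: Rewriting the already-shipped 0007 migration to `default=list` leaves no trace of why the recorded default changed; a one-line comment on the field, `# default replaced by list once get_default_requested_attributes_eherkenning was removed; 0013 alters the field again`, would spare the next reader a git-blame. Databases that ran 0007 before this change keep whatever the callable produced, so the rewrite only matters for fresh installs and for keeping the module importable after the function removal. If the migration's module-level import of `digid_eherkenning.models.eherkenning` served only this callable it is now unused, but that import line is outside the hunk. The `help_text` context line also carries a stray quote in `a boolean'.`, which the new 0013 migration copies verbatim.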
@@ -0,0 +1,33 @@
+# Generated by Django 4.2.13 on 2024-12-18 14:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("digid_eherkenning", "0012_move_config_certificate"),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name="eherkenningconfiguration",
+ name="eh_requested_attributes",
+ field=models.JSONField(
+ blank=True,
+ default=list,
+ help_text="A list of additional requested attributes. A single requested attribute can be a string (the name of the attribute) or an object with keys 'name' and 'required', where 'name' is a string and 'required' a boolean'.",
+ verbose_name="requested attributes",
+ ),
+ ),
+ migrations.AlterField(
+ model_name="eherkenningconfiguration",
+ name="eidas_requested_attributes",
+ field=models.JSONField(
+ blank=True,
+ default=list,
+ help_text="A list of additional requested attributes. A single requested attribute can be a string (the name of the attribute) or an object with keys 'name' and 'required', where 'name' is a string and 'required' a boolean'.",
+ verbose_name="requested attributes",
+ ),
+ ),
+ ]
diff --git a/digid_eherkenning/models/eherkenning.py b/digid_eherkenning/models/eherkenning.py
index e67cda1..78f1ab1 100644
--- a/digid_eherkenning/models/eherkenning.py
+++ b/digid_eherkenning/models/eherkenning.py
@@ -9,19 +9,6 @@ from .base import BaseConfiguration
 
 
 
-def get_default_requested_attributes_eherkenning():
- return [
- {
- "name": "urn:etoegang:1.11:attribute-represented:CompanyName",
- "required": True,
- "purpose_statements": {
- "en": "For testing purposes.",
- "nl": "Voor testdoeleinden.",
- },
- }
- ]
-
-
 def get_default_requested_attributes_eidas():
 return [
 {
@@ -76,7 +63,8 @@ class EherkenningConfiguration(BaseConfiguration):
 )
 eh_requested_attributes = models.JSONField(
 _("requested attributes"),
- default=get_default_requested_attributes_eherkenning,
+ default=list,
+ blank=True,
 help_text=_(
 "A list of additional requested attributes. A single requested attribute "
 "can be a string (the name of the attribute) or an object with keys 'name' "
@@ -115,7 +103,8 @@ class EherkenningConfiguration(BaseConfiguration):
 )
 eidas_requested_attributes = models.JSONField(
 _("requested attributes"),
- default=get_default_requested_attributes_eidas,
+ default=list,
+ blank=True,
 help_text=_(
 "A list of additional requested attributes. A single requested attribute "
 "can be a string (the name of the attribute) or an object with keys 'name' "
diff --git a/docs/metadata.rst b/docs/metadata.rst
index 4e4eb47..8c783dc 100644
--- a/docs/metadata.rst
+++ b/docs/metadata.rst
@@ -1,3 +1,5 @@
+.. _metadata:
+
 ===================
 Metadata generation
 ===================
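Review bot: Switching `eh_requested_attributes` to `default=list` changes nothing for rows that already exist, so installations that never edited the field keep publishing the `CompanyName` attribute with the purpose statement "For testing purposes." that this commit deletes from the model module; migration 0013 only alters the field definition. Either a data migration that clears the field where the stored value is exactly the old default, or a release note telling operators to review and clear it, would close that gap, and the metadata handed to the broker would then stop carrying a test-purpose statement. The `help_text` continues past the hunk; its last fragment reads `a boolean'.` with a stray quote, which 0013 copies verbatim.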
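Review bot: This hunk sets `default=list` on `eidas_requested_attributes` and migration 0013 records the same, while the commit description says the eIDAS defaults were deliberately kept, so the code and the description contradict each other. Decide which is intended: either restore `default=get_default_requested_attributes_eidas,` here and drop the eIDAS `AlterField` from 0013, or update the description and remove `get_default_requested_attributes_eidas`, which the hunks leave defined in the module but, as far as they show, no longer reference. The enclosing `EherkenningConfiguration` class starts and ends outside the hunk.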
@@ -21,17 +23,19 @@ If you wish, you can still use :ref:`management commands` to generate the m
 eHerkenning / eIDAS
 -------------------
 
+.. _metadata_requested_attributes:
+
 Configuring RequestedAttribute
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-In the field ``RequestedAttribute`` one can specify all the attributes that may be requested by the service
-when a company/person logs in with eHerkenning or eIDAS.
+In the field ``RequestedAttribute`` one can specify all the attributes that may be
+requested by the service when a company/person logs in with eHerkenning or eIDAS.
 
-The values specified need to come from the "`Attribuutcatalogus `_"
-(there are multiple catalogues: 'generiek', 'natuurlijke personen' and 'non-natuurlijke personen').
+The values specified need to come from the Attribuutcatalogus_ (there are multiple
+catalogues: 'generiek', 'natuurlijke personen' and 'non-natuurlijke personen').
 
-In the admin, these can be specified as a list of dictionaries. For example, for eIDAS one could use the following JSON
-to request the first name of the person who logged in:
+In the admin, these can be specified as a list of dictionaries. For example, for eIDAS
+one could use the following JSON to request the first name of the person who logged in:
 
 .. code-block:: json
 
@@ -45,3 +49,15 @@ to request the first name of the person who logged in:
 }
 }
 ]
+
+.. warning:: YOU MAY NOT REQUEST ATTRIBUTES LISTED IN "Identificerende kenmerken". If
+ you do so, the metadata will be rejected by the broker. In practice this means:
+
+ * don't request the ``KVKNr`` attribute
+ * don't request the ``Pseudo`` attribute
+ * don't request the ``RSIN`` attribute
+ * don't request the ``BSN`` attribute
+
+ These attributes are pre-configured and will be returned without asking for them.
+
+.. _Attribuutcatalogus: https://afsprakenstelsel.etoegang.nl/Startpagina/v3/attribuutcatalogus