🗑️ [#3283] Deprecate legacy OIDC callback endpoints

With Open Forms 3.0, we can make the breaking change of updating the default. The new OIDC API endpoints all point to a single callback URL, so it means less configuration overhead on the identity provider side. The breaking change means that the new URI's must be added to the allowlist of the identity provider. The new endpoint is '/auth/oidc/callback/', and it applies to all OIDC configuration flavours.
open-formulieren · Dec 19, 2024 · 64f6152 · 64f6152
1 parent f8095b4
commit 64f6152
Show file tree

Hide file tree

Showing 60 changed files with 1,374 additions and 1,379 deletions.
diff --git a/docs/configuration/authentication/oidc_digid.rst b/docs/configuration/authentication/oidc_digid.rst
@@ -45,12 +45,9 @@ omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.

diff --git a/docs/configuration/authentication/oidc_eherkenning.rst b/docs/configuration/authentication/oidc_eherkenning.rst
@@ -60,12 +60,9 @@ maken in de omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.

diff --git a/docs/configuration/general/oidc.rst b/docs/configuration/general/oidc.rst
@@ -38,12 +38,9 @@ maken in de omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_OIDC_ENDPOINTS=false`` en ``USE_LEGACY_ORG_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabelen<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein. Deze

diff --git a/docs/installation/config.rst b/docs/installation/config.rst
@@ -277,23 +277,6 @@ Other settings
   enable :ref:`Organization accounts <configuration_authentication_oidc>`. Defaults
   to ``False``.
 
-* ``USE_LEGACY_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, it is ``/oidc/callback/``.
-
-* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, they are:
-
-      - ``/digid-oidc/callback/``
-      - ``/eherkenning-oidc/callback/``
-      - ``/digid-machtigen-oidc/callback/``
-      - ``/eherkenning-bewindvoering-oidc/callback/``
-
-* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, it is ``/org-oidc/callback/``.
-
 * ``SESSION_EXPIRE_AT_BROWSER_CLOSE``: Controls if sessions expire at browser close.
   This applies to both the session of end-users filling out forms and staff using the
   administrative interface. Enabling this forces users to log in every time they open

diff --git a/docs/installation/upgrade-300.rst b/docs/installation/upgrade-300.rst
@@ -14,6 +14,29 @@ be aware of, as they may require additional manual actions.
    :depth: 1
    :local:
 
+Legacy OpenID Connect callback endpoints are now disabled by default
+====================================================================
+
+Before Open Forms 3.0, the legacy endpoints were used by default.
+
+The following environment variables now default to ``False`` instead of ``True``:
+
+* ``USE_LEGACY_OIDC_ENDPOINTS``
+* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``
+* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``
+
+To keep the old behaviour, make sure you deploy with:
+
+.. code-block:: bash
+
+    USE_LEGACY_OIDC_ENDPOINTS=True
+    USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=True
+    USE_LEGACY_ORG_OIDC_ENDPOINTS=True
+
+To use the new behaviour, you must ensure that
+``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` is listed in the allowed
+**Redirect URI** values of your identity provider.
+
 Removal of price logic
 ======================
 

diff --git a/...ate_email_unique_constraint_violated.yaml → ...ate_email_unique_constraint_violated.yaml b/...ate_email_unique_constraint_violated.yaml → ...ate_email_unique_constraint_violated.yaml
diff --git a/...wTests/OIDCFLowTests.test_happy_flow.yaml → ...wTests/OIDCFlowTests.test_happy_flow.yaml b/...wTests/OIDCFLowTests.test_happy_flow.yaml → ...wTests/OIDCFlowTests.test_happy_flow.yaml
diff --git a/...wTests.test_happy_flow_existing_user.yaml → ...wTests.test_happy_flow_existing_user.yaml b/...wTests.test_happy_flow_existing_user.yaml → ...wTests.test_happy_flow_existing_user.yaml
diff --git a/src/openforms/accounts/tests/test_oidc.py b/src/openforms/accounts/tests/test_oidc.py
@@ -63,7 +63,7 @@ def test_oidc_button_enabled(self):
         )
 
 
-class OIDCFLowTests(OFVCRMixin, WebTest):
+class OIDCFlowTests(OFVCRMixin, WebTest):
     VCR_TEST_FILES = TEST_FILES
 
     @mock_admin_oidc_config()

diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/models.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/models.py
@@ -31,7 +31,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "digid_oidc:callback"
@@ -51,7 +51,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "digid_machtigen_oidc:callback"
@@ -71,7 +71,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "eherkenning_oidc:callback"
@@ -91,7 +91,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "eherkenning_bewindvoering_oidc:callback"