From d2e30b28742c88256d6e7db733f61c1efb7e0251 Mon Sep 17 00:00:00 2001
From: robinvandermolen
Date: Thu, 19 Dec 2024 12:41:58 +0100
Subject: [PATCH] :sparkles: [#4863] Allow authentication with employee_id
---
 src/openforms/authentication/models.py | 21 +++++++++++++++++++++
 src/openforms/authentication/types.py | 16 ++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/src/openforms/authentication/models.py b/src/openforms/authentication/models.py
index 940bb467b1..803e449b75 100644
--- a/src/openforms/authentication/models.py
+++ b/src/openforms/authentication/models.py
@@ -20,6 +20,7 @@
 DigiDMachtigenContext,
 EHerkenningContext,
 EHerkenningMachtigenContext,
+ EmployeeContext,
 )
 logger = logging.getLogger(__name__)
@@ -254,6 +255,7 @@ def to_auth_context_data(
 | DigiDMachtigenContext
 | EHerkenningContext
 | EHerkenningMachtigenContext
+ | EmployeeContext
 ):
 if self.attribute_hashed:
 logger.debug(
@@ -347,6 +349,25 @@ def to_auth_context_data(
 "branchNumber"
 ] = branch_number
 return ehm_context
+
+ # Employee login
+ # ---
+ # Experimental feature that is different from the defined authentication context.
+ # This will have to be re-worked and re-thought-out, and will most definitely change.
+ # This fixes the issue of #4863
+ case (AuthAttribute.employee_id, ""):
+ employee_context: EmployeeContext = {
+ "source": "custom",
+ "levelOfAssurance": "unknown",
+ "authorizee": {
+ "legalSubject": {
+ "identifierType": "opaque",
+ "identifier": self.value,
+ }
+ },
+ }
+ return employee_context
+
 case _: # pragma: no cover
 raise RuntimeError(f"Unknown attribute: {self.attribute}")
diff --git a/src/openforms/authentication/types.py b/src/openforms/authentication/types.py
index 96da16bb45..efa7265c74 100644
--- a/src/openforms/authentication/types.py
+++ b/src/openforms/authentication/types.py
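Review bot: The `case (AuthAttribute.employee_id, "")` arm in the third models.py hunk matches only when the second element of the match subject is the empty string, so an employee_id record carrying any other value there falls through to `case _` and raises `RuntimeError`, a branch marked `# pragma: no cover`. The match subject is outside the hunk, so this is inferred from the pattern alone; if that combination can never occur, state the invariant in the comment block, e.g. `# employee_id is only valid with an empty second element; anything else is rejected by the default case`. The diffstat lists only models.py and types.py, so the new arm ships without a test; one asserting the returned `source`, `levelOfAssurance` and `identifier` would pin the contract while it is still marked experimental. `to_auth_context_data` starts and ends outside the hunk.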
@@ -80,3 +80,19 @@ class EHMandate(TypedDict):
 class EHerkenningMachtigenContext(EHerkenningContext):
 representee: EHRepresenteeEntity
 mandate: EHMandate
+
+
+class EmployeeLegalSubject(TypedDict):
+ identifierType: Literal["opaque"]
+ identifier: str
+
+
+class EmployeeAuthorizee(TypedDict):
+ legalSubject: EmployeeLegalSubject
+
+
+# This type definition is highly experimental, and will most definitely change
+class EmployeeContext(TypedDict):
+ source: Literal["custom"]
+ levelOfAssurance: Literal["unknown"]
+ authorizee: EmployeeAuthorizee
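Review bot: `EmployeeContext` pins `levelOfAssurance` to `Literal["unknown"]` and `identifierType` to `Literal["opaque"]`, but its only documentation is the `#` comment saying the type will change, so a consumer of the auth context is not told how much trust these values carry. I would turn that comment into a class docstring that keeps the experimental warning and states the contract, e.g. `"""Experimental auth context for employee logins; levelOfAssurance "unknown" means no assurance level is asserted."""`. `EmployeeLegalSubject` could likewise say in one line that `identifier` is an opaque value, presumably meant to be compared rather than parsed.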