diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
index 7b8c52d741..972136f279 100644
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
@@ -212,7 +212,7 @@ def get_logo(self, request) -> LoginLogo | None:
 return LoginLogo(title=self.get_label(), **get_eherkenning_logo(request))
 
 def transform_claims(self, normalized_claims: EHClaims) -> FormAuth:
- return {
+ form_auth: FormAuth = {
 "plugin": self.identifier,
 # TODO: look at `identifier_type_claim` and return kvk or rsin accordingly.
 # Currently we have no support for RSIN at all, so that will need to be
@@ -225,6 +225,9 @@ def transform_claims(self, normalized_claims: EHClaims) -> FormAuth:
 "acting_subject_claim"
 ],
 }
+ if service_restriction := normalized_claims.get("branch_number_claim", ""):
+ form_auth["legal_subject_service_restriction"] = service_restriction
+ return form_auth
 
 
 class DigiDmachtigenClaims(TypedDict):
@@ -340,7 +343,7 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
 }
 )
 
- return {
+ form_auth: FormAuth = {
 "plugin": self.identifier,
 "attribute": self.provides_auth,
 "value": normalized_claims["representee_claim"],
@@ -368,6 +371,10 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
 },
 }
 
+ if service_restriction := normalized_claims.get("branch_number_claim", ""):
+ form_auth["legal_subject_service_restriction"] = service_restriction
+ return form_auth
+
 def get_label(self) -> str:
 return "eHerkenning bewindvoering"
 
diff --git a/src/openforms/authentication/models.py b/src/openforms/authentication/models.py
index b626bf1a86..a2296111d9 100644
--- a/src/openforms/authentication/models.py
+++ b/src/openforms/authentication/models.py
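Review bot: In the `@@ -225` hunk the value read from `branch_number_claim` is copied into `form_auth["legal_subject_service_restriction"]` after nothing more than a truthiness test, and the `@@ -368` hunk repeats the identical two lines for the bewindvoering plugin. A vestigingsnummer is a fixed 12-digit string (the new tests use `"123123123123"`), and because this value narrows the legal subject to a single branch, an unexpected shape coming back from the broker should fail the login rather than be persisted as-is or silently dropped — dropping it would make the authorization look unrestricted. A small shared helper used by both plugins, containing something like `if service_restriction and not (service_restriction.isdigit() and len(service_restriction) == 12): raise <the exception the claim-processing path already treats as a failed login>`, would add that check once and keep the two call sites in sync. I cannot see from these hunks whether `normalized_claims` is already validated upstream, so treat this as a check to confirm; both `transform_claims` bodies start outside the hunk.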
@@ -317,6 +317,10 @@ def to_auth_context_data(
 },
 },
 }
+ if branch_number := self.legal_subject_service_restriction:
+ eh_context["authorizee"]["legalSubject"][
+ "branchNumber"
+ ] = branch_number
 return eh_context
 
 # EHerkenning with machtigen/mandate
@@ -340,6 +344,10 @@ def to_auth_context_data(
 },
 "mandate": self.mandate_context,
 }
+ if branch_number := self.legal_subject_service_restriction:
+ ehm_context["authorizee"]["legalSubject"][
+ "branchNumber"
+ ] = branch_number
 return ehm_context
 case _: # pragma: no cover
 raise RuntimeError(f"Unknown attribute: {self.attribute}")
diff --git a/src/openforms/authentication/tests/test_authentication_context.py b/src/openforms/authentication/tests/test_authentication_context.py
index 9d355d7fc9..d67a807c03 100644
--- a/src/openforms/authentication/tests/test_authentication_context.py
+++ b/src/openforms/authentication/tests/test_authentication_context.py
@@ -81,6 +81,30 @@ def test_plain_eherkenning_auth(self):
 auth_context = auth_info.to_auth_context_data()
 
 self.assertValidContext(auth_context)
+ self.assertNotIn("branchNumber", auth_context["authorizee"]["legalSubject"])
+
+ def test_plain_eherkenning_auth_with_service_restriction(self):
+ auth_info = AuthInfo(
+ submission=SubmissionFactory.build(),
+ plugin="dummy",
+ attribute=AuthAttribute.kvk,
+ value="90002768",
+ attribute_hashed=False,
+ loa=AssuranceLevels.substantial,
+ legal_subject_identifier_type="",
+ legal_subject_identifier_value="",
+ legal_subject_service_restriction="123123123123",
+ acting_subject_identifier_type=ActingSubjectIdentifierType.opaque,
+ acting_subject_identifier_value=(
+ "4B75A0EA107B3D36C82FD675B5B78CC2F181B22E33D85F2D4A5DA63452EE3018"
+ "@2D8FF1EF10279BC2643F376D89835151"
+ ),
+ )
+
+ auth_context = auth_info.to_auth_context_data()
+
+ self.assertValidContext(auth_context)
+ self.assertIn("branchNumber", auth_context["authorizee"]["legalSubject"])
 
 def test_eherkenning_machtigen_bewindvoering_auth(self):
 auth_info = AuthInfo(
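Review bot: The four-line `branchNumber` assignment added in the `@@ -317` hunk is repeated verbatim in the `@@ -340` hunk, differing only in the target dict (`eh_context` vs `ehm_context`). Both arms already build the `legalSubject` dict inline, so a small helper that returns the legal-subject dict including the optional `branchNumber` for both arms would remove the duplicate and prevent a later change to the restriction handling from landing in only one arm. A comment above the first check would also explain why a generically named field maps to a specific context key, e.g. `# legal_subject_service_restriction is currently only populated from the eHerkenning branch-number claim, hence "branchNumber"` — the plugin hunks in this diff show no other source for it. `to_auth_context_data` begins and ends outside the visible lines.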
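Review bot: `test_plain_eherkenning_auth_with_service_restriction` only asserts that the `branchNumber` key exists; it never checks that the stored `"123123123123"` is the value that ends up in the context, so a mapping that emitted the wrong field would still pass. Replace the final `assertIn` with `self.assertEqual(auth_context["authorizee"]["legalSubject"]["branchNumber"], "123123123123")`; the same applies to `test_eherkenning_machtigen_bewindvoering_auth_with_service_restriction` in the `@@ -111` hunk. If `assertValidContext` validates against a schema that constrains the `branchNumber` format, which is not visible here, a third case with a non-conforming value would document the fail-closed expectation as well.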
@@ -111,3 +135,36 @@ def test_eherkenning_machtigen_bewindvoering_auth(self):
 auth_context = auth_info.to_auth_context_data()
 
 self.assertValidContext(auth_context)
+ self.assertNotIn("branchNumber", auth_context["authorizee"]["legalSubject"])
+
+ def test_eherkenning_machtigen_bewindvoering_auth_with_service_restriction(self):
+ auth_info = AuthInfo(
+ submission=SubmissionFactory.build(),
+ plugin="dummy",
+ attribute=AuthAttribute.bsn,
+ value="999991607",
+ attribute_hashed=False,
+ loa=AssuranceLevels.substantial,
+ legal_subject_identifier_type=LegalSubjectIdentifierType.kvk,
+ legal_subject_identifier_value="90002768",
+ legal_subject_service_restriction="123123123123",
+ acting_subject_identifier_type=ActingSubjectIdentifierType.opaque,
+ acting_subject_identifier_value=(
+ "4B75A0EA107B3D36C82FD675B5B78CC2F181B22E33D85F2D4A5DA63452EE3018"
+ "@2D8FF1EF10279BC2643F376D89835151"
+ ),
+ mandate_context={
+ "role": "bewindvoerder",
+ "services": [
+ {
+ "id": "urn:etoegang:DV:00000001002308836000:services:9113",
+ "uuid": "34085d78-21aa-4481-a219-b28d7f3282fc",
+ }
+ ],
+ },
+ )
+
+ auth_context = auth_info.to_auth_context_data()
+
+ self.assertValidContext(auth_context)
+ self.assertIn("branchNumber", auth_context["authorizee"]["legalSubject"])
diff --git a/src/openforms/authentication/types.py b/src/openforms/authentication/types.py
index f86c5ebe8c..4057a2667e 100644
--- a/src/openforms/authentication/types.py
+++ b/src/openforms/authentication/types.py
@@ -39,6 +39,7 @@ class DigiDMachtigenContext(DigiDContext):
 class EHerkenningLegalSubject(TypedDict):
 identifierType: Literal["kvkNummer"]
 identifier: str
+ branchNumber: NotRequired[str]
 
 
 class EHerkenningActingSubject(TypedDict):
diff --git a/src/openforms/authentication/typing.py b/src/openforms/authentication/typing.py
index 4680159013..31baf682a2 100644
--- a/src/openforms/authentication/typing.py
+++ b/src/openforms/authentication/typing.py
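Review bot: `branchNumber: NotRequired[str]` on `EHerkenningLegalSubject` in the `@@ -39` hunk is typed as an arbitrary string with no indication of its format or of when it is present. A short comment on that line would help readers of the TypedDict, e.g. `# KvK vestigingsnummer (12 digits); only present when the authorization is restricted to one branch`. Whether the accompanying JSON schema constrains the pattern is not visible in this diff and is worth confirming.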
@@ -23,6 +23,7 @@ class FormAuth(BaseAuth):
 acting_subject_identifier_value: NotRequired[str]
 legal_subject_identifier_type: NotRequired[str]
 legal_subject_identifier_value: NotRequired[str]
+ legal_subject_service_restriction: NotRequired[str]
 mandate_context: NotRequired[JSONObject]
 
 # deprecated
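Review bot: The new `legal_subject_service_restriction: NotRequired[str]` key carries a generic name for a value that, judging from the plugin hunks in this diff, is only ever the eHerkenning branch number, and nothing on `FormAuth` says so. A comment such as `# eHerkenning service restriction; currently only the branch number (vestigingsnummer) is supported` on that line would spare the next reader a trip to the plugin module. The `FormAuth` class starts before the visible lines.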