💥 Remove legacy machtigen context

docs/installation/upgrade-300.rst

@@ -32,6 +32,21 @@ in the error monitoring if that's set up correctly.
 .. note:: Existing, automatically converted forms are crash-free because we create an
    explicit fallback logic rule that mimicks the old behaviour.
 
+Removed legacy "machtigen" context
+==================================
+
+Open Forms 2.7.0 revamped how mandates ("machtigingen") are captured when DigiD
+Machtigen or eHerkenning Bewindvoering are used. We kept the old structure in place to
+give some time to transition and are now removing this in favour of the new setup. For
+the time being, the new setup still defaults to "Lax" mode, meaning it will continue to
+work when some information is missing that is considered required. We recommend to opt
+in to strict mode though, through the ``DIGID_EHERKENNING_OIDC_STRICT`` feature
+flag/environment variable.
+
+You are affected by this if you use the static variable ``auth.machtigen`` in your
+registration backends. Instead, you should use the ``auth_context`` static variable.
+Since Open Forms 2.7.0, the same data has been saved to both datastructures.
+
 Form components/fields changes
 ==============================
 

docs/manual/forms/variables.rst

@@ -62,12 +62,11 @@ auth_context       object    ``{"source": "...", ...}``  De volledige authentica
 **Verouderde variabelen**
 
 Deze variabelen zijn nog wel beschikbaar, maar we raden aan om deze niet meer te
-gebruiken. In versie 3.0 van Open Formulieren kunnen deze verwijderd worden.
+gebruiken. In versie 4.0 van Open Formulieren kunnen deze verwijderd worden.
 
 =============== ========= =========================== =========================================================================
 Variabele       Type      Voorbeeldwaarde             Toelichting
 =============== ========= =========================== =========================================================================
-auth.machtigen  object                                Verouderd, wordt in 3.0 verwijderd.
 auth.attribute  string    ``bsn``                     Kan de waarden ``bsn``, ``kvk`` of ``pseudo`` hebben (verouderd,
                                                       gebruik bij voorkeur ``auth_type``).
 =============== ========= =========================== =========================================================================
@@ -87,14 +86,17 @@ Wanneer er niet ingelogd is op het formulier, dan is de waarde van deze variabel
 .. note::
 
     De ``auth_context`` variabele gaat op termijn de ``auth`` variabele vervangen,
-    maar voorlopig wordt deze laatste niet verwijderd. We verwachten in Open Formulieren
-    3.0 enkel de ``auth.machtigen`` variabele te verwijderen omdat de structuur
-    hiervan altijd vaag en onbetrouwbaar was.
+    maar voorlopig wordt deze laatste niet verwijderd.
 
     Tip: in plaats van ``auth.plugin`` kan je beter ``auth_context_source`` of
     ``auth_type`` gebruiken - de eerste is minder flexibel/uitwisselbaar, terwijl de
     tweede wel goed de semantische betekenis bevat of het om een burger of bedrijf gaat.
 
+.. versionremoved:: 3.0
+
+    De ``auth.machtigen`` variabele is verwijderd omdat de structuur hiervan vaag en
+    onbetrouwbaar was. Gebruik ``auth_context`` in de plaats.
+
 De variabele bevat een bak aan informatie, gestructureerd volgens het
 authenticatiecontextdatamodel_. De structuur is als volgt:
 

src/openforms/authentication/admin.py

@@ -20,11 +20,9 @@ class Meta:
             "legal_subject_identifier_value",
             "legal_subject_service_restriction",
             "mandate_context",
-            "machtigen",
             "attribute_hashed",
         )
         widgets = {
-            "machtigen": forms.Textarea(attrs={"cols": 20, "rows": 1}),
             "plugin": forms.TextInput(attrs={"size": 20}),
             "value": forms.TextInput(attrs={"size": 20}),
         }
@@ -81,7 +79,7 @@ class AuthInfoInline(admin.StackedInline):
         (
             _("Mandate"),
             {
-                "fields": ("mandate_context", "machtigen"),
+                "fields": ("mandate_context",),
                 "classes": ("collapse",),
             },
         ),
@@ -137,7 +135,7 @@ class AuthInfoAdmin(admin.ModelAdmin):
                 )
             },
         ),
-        (_("Mandate"), {"fields": ("mandate_context", "machtigen")}),
+        (_("Mandate"), {"fields": ("mandate_context",)}),
         (
             _("Misc"),
             {"fields": ("attribute_hashed",), "classes": ("collapse in",)},

src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py

@@ -281,10 +281,6 @@ def transform_claims(self, normalized_claims: DigiDmachtigenClaims) -> FormAuth:
             "legal_subject_identifier_type": "bsn",
             "legal_subject_identifier_value": authorizee,
             "mandate_context": mandate_context,
-            # DeprecationWarning - legacy, remove in 3.0
-            "machtigen": {
-                "identifier_value": authorizee,
-            },
         }
 
     def get_label(self) -> str:
@@ -375,10 +371,6 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
                 "role": "bewindvoerder",
                 "services": services,
             },
-            # DeprecationWarning - legacy, remove in 3.0
-            "machtigen": {
-                "identifier_value": authorizee,
-            },
         }
 
         if service_restriction := normalized_claims.get("branch_number_claim", ""):

src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_context_data.py

@@ -178,10 +178,6 @@ def test_record_auth_context(self):
             auth_context["authorizee"]["legalSubject"],
             {"identifierType": "bsn", "identifier": "999999999"},
         )
-        # TODO: remove in Open Forms 3.0
-        with self.subTest("legacy structure"):
-            machtigen = submission.auth_info.machtigen
-            self.assertEqual(machtigen, {"identifier_value": "999999999"})
 
     @mock_digid_machtigen_config(mandate_service_id_claim=["required-but-absent-claim"])
     def test_new_required_claims_are_backwards_compatible(self):
@@ -195,7 +191,7 @@ def test_new_required_claims_are_backwards_compatible(self):
         runtime implications.
         """
         warnings.warn(
-            "Legacy behaviour will be removed in Open Forms 3.0", DeprecationWarning
+            "Legacy behaviour will be removed in Open Forms 4.0", DeprecationWarning
         )
         self._login_and_start_form(
             "digid_machtigen_oidc",
@@ -218,10 +214,6 @@ def test_new_required_claims_are_backwards_compatible(self):
             auth_context["authorizee"]["legalSubject"],
             {"identifierType": "bsn", "identifier": "999999999"},
         )
-        # TODO: remove in Open Forms 3.0
-        with self.subTest("legacy structure"):
-            machtigen = submission.auth_info.machtigen
-            self.assertEqual(machtigen, {"identifier_value": "999999999"})
 
 
 @override_settings(ALLOWED_HOSTS=["*"])
@@ -274,11 +266,6 @@ def test_record_auth_context(self):
             },
         )
 
-        # TODO: remove in Open Forms 3.0
-        with self.subTest("legacy structure"):
-            machtigen = submission.auth_info.machtigen
-            self.assertEqual(machtigen, {"identifier_value": "12345678"})
-
     @mock_eherkenning_bewindvoering_config(
         mandate_service_id_claim=["required-but-absent-claim1"],
         mandate_service_uuid_claim=["required-but-absent-claim2"],
@@ -294,7 +281,7 @@ def test_new_required_claims_are_backwards_compatible(self):
         runtime implications.
         """
         warnings.warn(
-            "Legacy behaviour will be removed in Open Forms 3.0", DeprecationWarning
+            "Legacy behaviour will be removed in Open Forms 4.0", DeprecationWarning
         )
         self._login_and_start_form(
             "eherkenning_bewindvoering_oidc",
@@ -327,11 +314,6 @@ def test_new_required_claims_are_backwards_compatible(self):
             {"role": "bewindvoerder", "services": []},
         )
 
-        # TODO: remove in Open Forms 3.0
-        with self.subTest("legacy structure"):
-            machtigen = submission.auth_info.machtigen
-            self.assertEqual(machtigen, {"identifier_value": "12345678"})
-
     @mock_eherkenning_bewindvoering_config(branch_number_claim=["vestiging"])
     def test_record_vestiging_restriction(self):
         self._login_and_start_form(

src/openforms/authentication/migrations/0004_remove_authinfo_machtigen.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.2.17 on 2024-12-12 16:54
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "of_authentication",
+            "0003_authinfo_legal_subject_service_restriction_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="authinfo",
+            name="machtigen",
+        ),
+    ]

src/openforms/authentication/models.py

@@ -208,16 +208,6 @@ class AuthInfo(BaseAuthInfo):
         null=True,
     )
 
-    # deprecated!
-    machtigen = models.JSONField(
-        verbose_name=_("machtigen"),
-        help_text=_(
-            "Data related to any 'machtiging' (authorising someone else to perform actions on your behalf)."
-        ),
-        blank=True,
-        null=True,
-    )
-
     identifying_attributes = BaseAuthInfo.identifying_attributes + (
         "acting_subject_identifier_value",
         "legal_subject_identifier_value",

src/openforms/authentication/signals.py

@@ -126,7 +126,6 @@ def set_auth_attribute_on_session(
                 "attribute": form_auth["attribute"],
                 "plugin": form_auth["plugin"],
             }
-            # TODO the "machtigingen" key disappeared
             store_auth_details(instance, auth_save)
             store_registrator_details(instance, registrator_save)
     else:

src/openforms/authentication/static_variables/static_variables.py

@@ -48,8 +48,6 @@ def get_initial_value(
             plugin=submission.auth_info.plugin,
             attribute=submission.auth_info.attribute,
             value=submission.auth_info.value,
-            # DeprecationWarning -> delete machtigen in Open Forms 3.0
-            machtigen=submission.auth_info.machtigen,
         )
 
         return auth_data

src/openforms/authentication/tests/factories.py

@@ -14,7 +14,6 @@ class AuthInfoFactory(factory.django.DjangoModelFactory):
     plugin = "digid"
     attribute = AuthAttribute.bsn
     value = "123456782"
-    machtigen = {}
     submission = factory.SubFactory(
         "openforms.submissions.tests.factories.SubmissionFactory"
     )

src/openforms/authentication/tests/test_signals.py

@@ -279,31 +279,6 @@ def test_setting_auth_attributes_flips_hashed_flag(self):
         self.assertEqual(submission.auth_info.value, "123456789")
         self.assertFalse(submission.auth_info.attribute_hashed)
 
-    def test_auth_with_legacy_digid_machtigen(self):
-        submission = SubmissionFactory.create(
-            form__authentication_backends=["digid_machtigen_oidc"]
-        )
-        user = UserFactory()
-        request = factory.get("/foo")
-        request.user = user
-        request.session = {
-            FORM_AUTH_SESSION_KEY: {
-                "plugin": "digid_machtigen_oidc",
-                "attribute": "bsn",
-                "value": "123123123",
-                "machtigen": {"identifier_value": "123456782"},
-            }
-        }
-
-        set_auth_attribute_on_session(sender=None, instance=submission, request=request)
-
-        submission.refresh_from_db()
-
-        self.assertTrue(submission.is_authenticated)
-        self.assertEqual(
-            submission.auth_info.machtigen["identifier_value"], "123456782"
-        )
-
 
 @freeze_time("2021-11-26T17:00:00+00:00")
 class SetCosignDataTests(APITestCase):

src/openforms/authentication/tests/test_static_variables.py

@@ -14,7 +14,6 @@ def test_auth_static_data(self):
             plugin="test-plugin",
             attribute=AuthAttribute.bsn,
             value="111222333",
-            machtigen={AuthAttribute.bsn: "123456789"},
         )
 
         static_data = {
@@ -27,7 +26,6 @@ def test_auth_static_data(self):
                 "plugin": "test-plugin",
                 "attribute": AuthAttribute.bsn,
                 "value": "111222333",
-                "machtigen": {AuthAttribute.bsn: "123456789"},
             },
             "auth_bsn": "111222333",
             "auth_kvk": "",

src/openforms/authentication/typing.py

@@ -23,6 +23,3 @@ class FormAuth(BaseAuth):
     legal_subject_identifier_value: NotRequired[str]
     legal_subject_service_restriction: NotRequired[str]
     mandate_context: NotRequired[JSONObject]
-
-    # deprecated
-    machtigen: NotRequired[dict | None]

src/openforms/conf/base.py

@@ -1193,7 +1193,7 @@
         {
             "condition": "boolean",
             # DeprecationWarning
-            # TODO: set default to `True` in Open Forms 3.0
+            # TODO: set default to `True` in Open Forms 4.0
             "value": config("DIGID_EHERKENNING_OIDC_STRICT", default=False),
         }
     ],

src/openforms/prefill/contrib/haalcentraal_brp/plugin.py

@@ -89,7 +89,6 @@ def get_identifier_value(
             return submission.auth_info.value
 
         if identifier_role == IdentifierRoles.authorizee:
-            legacy_fallback = submission.auth_info.machtigen.get("identifier_value")
             auth_context = submission.auth_info.to_auth_context_data()
             # check if we have new-style authentication context capturing, and favour
             # that over the legacy format
@@ -99,8 +98,8 @@ def get_identifier_value(
                 "representee" not in auth_context
                 or legal_subject["identifierType"] != "bsn"
             ):
-                return legacy_fallback
-            return legal_subject["identifier"] or legacy_fallback
+                return None
+            return legal_subject["identifier"]
 
     @classmethod
     def get_prefill_values(