[#2932] Skip KVK branch selection if vestigingsnummer already selected

[pi-sigma]

The KVK branch selection page should be skipped for users who have already selected a branch on a different platform

• Update eHerkenning OIDC flow: get vestigingsnummer from OIDC claim (if present) and store in session
• Update eHerkenning SAML flow: get vestigingsnummer from SAML attributes (if present) and store in session
• Skip KVK branch selection if vestigingsnummer already in session

Taiga: https://taiga.maykinmedia.nl/project/open-inwoner/task/2932

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.26%. Comparing base (235ec5a) to head (fcb4c6b).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #1526   +/-   ##
========================================
  Coverage    94.25%   94.26%           
========================================
  Files         1068     1068           
  Lines        40466    40508   +42     
========================================
+ Hits         38141    38183   +42     
  Misses        2325     2325           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[swrichards]

Braindump: @pi-sigma this is technically orthogonal to the issue here (skipping the branch if already selected during the eHerkenning flow), but it's also important that users can see only vestigingen they're authorized to see according to the eHerkenning scope. I am not sure if that flows from this claim (Selected branch) versus some other claim that may or may not exist (all authorized branches).

[pi-sigma]

@swrichards Good point. Is this already covered by our use of get_kvk_branch_number to scope the retrieval of roles, zaken, and vragen to a particular vestiging, or are we missing something?

[swrichards]

Just one question about the claims: I'll leave it up to you whether we need to fix this now or whether it needs fixing at all.

[swrichards]

Very small nitpicks, otherwise GTG!

[swrichards]

Should this be in this method? It's strictly speaking about the vestigingsnummer. If we're logging anything here, I'd say we log that we did (or did not) find a vestigingsnummer, and leave the "we created or updated a user" in the function where that happens.

[pi-sigma]

You're right, that "retrieve/create" dichotomy indicates that the message is rather specific to the calling functions. I'll change and simplify accordingly.

[swrichards]

Just out of interest: did we figure out if there are ever multiple claims? No need to hold up the PR for that, just curious.

[pi-sigma]

No. I'm not sure what the use case would be, but the library definitely makes room for this.

[swrichards]

Are we fetching this only for the logging? In that case I'd also say we log this earlier in the chain, there's a lot of escape hatches in this function making it slightly harder to follow, if we can simplify it that'd be better.

[pi-sigma]

I think the escape hatch for the identifier_type_claim is unnecessary. If you're logging in with eHerkenning, the KVK or RSIN needs to be in the claims

[swrichards]

My sense is this is an optional in a "you might not have eHerkenning set up" kind of way, but if we make it to this function, eHerkenning is evidently configured, and then I feel a Sentry ping would be in order to at least alert us to the incomplete configuration.

[pi-sigma]

In fact, the _check_candidate_backend already takes care of this, and since the config class provides a default for the claim field, this is guaranteed to exist. Will simplify