org-oidc auth plugin employee login #4947
Conversation
robinmolen
changed the title
robinmolen
force-pushed
the
bug/4863-oidc-org-employee-login
branch
from
e7374cd to
e70fab7
Compare
| case (AuthAttribute.employee_id, ""): | ||
| employee_context: EmployeeContext = { | ||
| "source": "custom", | ||
| "levelOfAssurance": self.loa, | ||
| "representee": { | ||
| "identifierType": "employee_id", | ||
| "identifier": self.value, | ||
| }, | ||
| } | ||
| return employee_context |
There was a problem hiding this comment.
Some background to explain more about how things work in Open Forms!
The model AuthInfo (which defines the to_auth_context_data method) captures who is authenticated for the submission. This means that if an employee of the organization (after OIDC login) logs in for the form for themselves (the other flow I will describe below), they are the authorizee.legalSubject (representing themselves). This is a rather simple setup of employee context that needs to be returned if we follow the established pattern (where representee is implied from the authorizee/legal subject).
{
"source": "custom",
"loa": "unknown",
"authorizee": {
"legalSubject": {
"identifierType": "opaque",
"identifier": self.value
}
}
}Identifier type opaque means you can't derive any meaning/format validation from it.
The other flow is where an employee is logged in with OIDC, and they enter the BSN or KVK of the customer. In the code, this brings you to openforms.authentication.signals.set_auth_attribute_on_session in the branch with if registrator_subject. In that situation, on the AuthInfo instance not the employee details are stored, but the BSN/KVK nr of the actual customer, and the attribute is then set to bsn or kvk rather than employee_id, so you can never end up in this case in those flows. Meaning, the to_auth_context_data only needs to consider the situation where an employee is acting on their own behalf which is nice because it simplifies things a bit.
Looking at the Sentry error, this is the right place to patch this up.
So, key takeaways:
- the context dict/shape here needs to use
authorizee > legalSubjectstructure, similar to DigiD without machtigen (first case) - we don't need to consider "acting on behalf of someone else" for employee_id attribute
There was a problem hiding this comment.
Okay.. I think i'm starting to understand this a bit more..
Should the context then not also contain the representee data? (Although this would probably be the same information.., right?)
There was a problem hiding this comment.
if no representee is specified, it is indeed (implicitly) equal to authorizee.legalSubject. Therefore, this information is not duplicated.
|
|
||
|
|
||
| class EmployeeRepresenteeEntity(TypedDict): | ||
| identifierType: Literal["employee_id"] |
There was a problem hiding this comment.
I'd use either opaque or custom here. I gravitate towards the former because it's already used for the eHerkenning acting subject too
There was a problem hiding this comment.
Check, yeah i'll use opaque then it that case, to keep things consistent 👍
docker/keycloak/README.md
Outdated
| @@ -52,6 +52,7 @@ VCR.py). The primary reason this setup exists, is for automated testing reasons. | |||
| attributes from `eherkenning-bewindvoering`. | |||
| - `admin` / `admin`, intended to create as django user (can be made staff). The email address is | |||
| `[email protected]`. | |||
| - `employee` / `employee`, has the `employee_id` attribute (for org-oidc) | |||
There was a problem hiding this comment.
this isn't necessary, since you can populate the user model field from already existing claims, see the documentation: https://open-forms.readthedocs.io/en/stable/configuration/authentication/oidc_org.html#configuring-oidc-for-login-of-organization-members
In these cases I would probably just map the sub or username or email claim to the employee_id field.
There was a problem hiding this comment.
But isn't this needed for the login itself?
There was a problem hiding this comment.
you can use the admin/admin user for that :)
robinmolen
force-pushed
the
bug/4863-oidc-org-employee-login
branch
2 times, most recently
from
b03d4c5 to
d2e30b2
Compare
robinmolen
force-pushed
the
bug/4863-oidc-org-employee-login
branch
from
d2e30b2 to
147b2cf
Compare
robinmolen
added
the
needs-backport
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #4947 +/- ##
=======================================
Coverage 96.61% 96.62%
=======================================
Files 760 760
Lines 25825 25837 +12
Branches 3384 3385 +1
=======================================
+ Hits 24952 24964 +12
Misses 608 608
Partials 265 265 ☔ View full report in Codecov by Sentry. |
Closes #4863
Changes
This should solve the problem of employee login on forms with the org-oidc auth plugin.
Currently this is a WIP. I'm not sure if this is the right approach, and solves the right issue (this might be a very superficial solution, but im not sure). This currently contains:
(Which is highly experimental, and probably should/will change)
This that still should be done:
to_auth_context_data(I think this requires passing employee id from the org-oidc plugin
handle_return())Checklist
Check off the items that are completed or not relevant.
Impact on features
Release management
I have updated the translations assets (you do NOT need to provide translations)
./bin/makemessages_js.sh./bin/compilemessages_js.shDockerfile/scripts
./binfolderCommit hygiene