✨ [#3969] Add parameter to auth plugin

To specify if that auth plugin supports overriding the LoA in the authentication request
open-formulieren · Mar 22, 2024 · eb507d4 · eb507d4
1 parent 078e0b2
commit eb507d4
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/src/openforms/authentication/api/serializers.py b/src/openforms/authentication/api/serializers.py
@@ -23,6 +23,13 @@ class AuthPluginSerializer(PluginBaseSerializer):
         label=_("Provides authentication attributes"),
         help_text=_("The authentication attribute provided by this plugin."),
     )
+    supports_loa_override = serializers.BooleanField(
+        label=_("supports loa override"),
+        help_text=_(
+            "Does the Identity Provider support overriding the minimum "
+            "Level of Assurance (LoA) through the authentication request?"
+        ),
+    )
     assurance_levels = serializers.ListField(
         child=TextChoiceSerializer(),
         label=_("Levels of assurance"),

diff --git a/src/openforms/authentication/base.py b/src/openforms/authentication/base.py
@@ -39,6 +39,7 @@ class Choice(TypedDict):
 
 class BasePlugin(AbstractBasePlugin):
     provides_auth: AuthAttribute
+    supports_loa_override = False
     assurance_levels: type[TextChoices] = TextChoices
     return_method = "GET"
     is_for_gemachtigde = False

diff --git a/src/openforms/authentication/contrib/digid/plugin.py b/src/openforms/authentication/contrib/digid/plugin.py
@@ -34,6 +34,7 @@ def loa_order(loa: str) -> int:
 class DigidAuthentication(BasePlugin):
     verbose_name = _("DigiD")
     provides_auth = AuthAttribute.bsn
+    supports_loa_override = True
     assurance_levels = DigiDAssuranceLevels
 
     def start_login(

diff --git a/src/openforms/authentication/contrib/eherkenning/plugin.py b/src/openforms/authentication/contrib/eherkenning/plugin.py
@@ -124,7 +124,6 @@ def logout(self, request: HttpRequest):
 class EHerkenningAuthentication(AuthenticationBasePlugin):
     verbose_name = _("eHerkenning")
     provides_auth = AuthAttribute.kvk
-    assurance_levels = AssuranceLevels
     session_key = EHERKENNING_AUTH_SESSION_KEY
 
     def get_session_loa(self, session) -> str:
@@ -134,7 +133,7 @@ def get_session_loa(self, session) -> str:
     def check_requirements(self, request, config):
         # check LoA requirements
         authenticated_loa = request.session[FORM_AUTH_SESSION_KEY]["loa"]
-        required = config.get("loa") or EherkenningConfiguration.get_solo().loa
+        required = EherkenningConfiguration.get_solo().loa
         return loa_order(authenticated_loa) >= loa_order(required)
 
     def get_logo(self, request) -> LoginLogo | None: