open-formulieren
diff --git a/‎docker/keycloak/README.md
+9-7 b/‎docker/keycloak/README.md
+9-7
diff --git a/‎docker/keycloak/import/test-realm.json
+44 b/‎docker/keycloak/import/test-realm.json
+44
diff --git a/‎docs/manual/forms/variables.rst
+6-1 b/‎docs/manual/forms/variables.rst
+6-1
diff --git a/‎src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
+9-2 b/‎src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
+9-2
@@ -43,13 +43,15 @@ VCR.py). The primary reason this setup exists, is for automated testing reasons.
 
 - `testuser` / `testuser`, has the `bsn`, `kvk`, `name_qualifier`, `legalSubjectID` and
   `actingSubjectID` attributes (authentication plugins: DigiD, eHerkenning)
-- `digid-machtigen` / `digid-machtigen`, has the `aanvrager.bsn`, `gemachtigde.bsn` and
-  `service_id` attributes (for DigiD machtigen)
-- `eherkenning-bewindvoering` / `eherkenning-bewindvoering`, has the `legalSubjectID`
-  (kvk), `actingSubjectID` (pseudo ID), `representeeBSN`, `service_id`, `service_uuid`,
-  and `name_qualifier`  attributes (for eHerkenning bewindvoering)
-- `admin` / `admin`, intended to create as django user (can be made staff). The email
-  address is `admin@example.com`.
+- `digid-machtigen` / `digid-machtigen`, has the `aanvrager.bsn`, `gemachtigde.bsn` and `service_id`
+  attributes (for DigiD machtigen)
+- `eherkenning-bewindvoering` / `eherkenning-bewindvoering`, has the `legalSubjectID` (kvk),
+  `actingSubjectID` (pseudo ID), `representeeBSN`, `service_id`, `service_uuid`, and
+  `name_qualifier` attributes (for eHerkenning bewindvoering)
+- `eherkenning-vestiging` / `eherkenning-vestiging`, has the `vestiging` attribute plus the
+  attributes from `eherkenning-bewindvoering`.
+- `admin` / `admin`, intended to create as django user (can be made staff). The email address is
+  `admin@example.com`.
 
 ## Exporting the Realm
 
 
@@ -460,6 +460,35 @@
     "realmRoles" : [ "default-roles-test" ],
     "notBefore" : 0,
     "groups" : [ ]
+  }, {
+    "id" : "44be45f6-a7ae-42c2-9486-30f078cf5b39",
+    "createdTimestamp" : 1719999585061,
+    "username" : "eherkenning-vestiging",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : false,
+    "attributes" : {
+      "service_uuid" : [ "81216fa4-80a1-4686-a8ac-5c8e5c030c93" ],
+      "representeeBSN" : [ "000000000" ],
+      "legalSubjectID" : [ "12345678" ],
+      "actingSubjectID" : [ "4B75A0EA107B3D36" ],
+      "service_id" : [ "urn:etoegang:DV:00000001002308836000:services:9113" ],
+      "name_qualifier" : [ "urn:etoegang:1.9:EntityConcernedID:KvKnr" ],
+      "vestiging" : [ "123456789012" ]
+    },
+    "credentials" : [ {
+      "id" : "5e4a5b82-f5b1-48b6-9335-e25d3b417cef",
+      "type" : "password",
+      "userLabel" : "My password",
+      "createdDate" : 1719999593682,
+      "secretData" : "{\"value\":\"etDGywOL01Nr9RD1tG2x95/A37HEsf0zk2Kol8GNIJ0=\",\"salt\":\"pnnxOICMkQRoCM/ywGSOww==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-test" ],
+    "notBefore" : 0,
+    "groups" : [ ]
   }, {
     "id" : "a28aac19-6ac5-4ce5-bbe3-b6c24051914a",
     "createdTimestamp" : 1707141299906,
@@ -1346,6 +1375,21 @@
         "claim.name" : "service_id",
         "jsonType.label" : "String"
       }
+    }, {
+      "id" : "5ba6ed6e-e6c5-4c74-9049-185c875df8ad",
+      "name" : "vestiging",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "vestiging",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "vestiging",
+        "jsonType.label" : "String"
+      }
     }, {
       "id" : "e12f9cee-121e-4b29-be63-0eda4cc0e8ba",
       "name" : "legalSubjectID",
 
@@ -112,7 +112,8 @@ authenticatiecontextdatamodel_. De structuur is als volgt:
         "authorizee": {
             "legalSubject": {
                 "identifierType": "string",
-                "identifier": "string"
+                "identifier": "string",
+                "branchNumber": "string"
             },
             "actingSubject": {
                 "identifierType": "string",
@@ -169,6 +170,10 @@ De onderdelen van deze structuur worden ook als individuele variabelen aangebode
     Identificatie van de (wettelijke) vertegenwoordiger. Leeg indien het formulier
     zonder inloggen gestart is.
 
+``auth_context_branch_number``
+    Vestigingsnummer waarvoor de medewerker ingelogd is. Leeg indien het geen
+    eHerkenning-login betreft.
+
 ``auth_context_acting_subject_identifier_type``
     In de praktijk zal de waarde altijd ``opaque`` of leeg zijn. Geeft aan hoe de
     identificatie van de handelende persoon ("de persoon aan de knoppen")
 
@@ -212,7 +212,7 @@ def get_logo(self, request) -> LoginLogo | None:
         return LoginLogo(title=self.get_label(), **get_eherkenning_logo(request))
 
     def transform_claims(self, normalized_claims: EHClaims) -> FormAuth:
-        return {
+        form_auth: FormAuth = {
             "plugin": self.identifier,
             # TODO: look at `identifier_type_claim` and return kvk or rsin accordingly.
             # Currently we have no support for RSIN at all, so that will need to be
@@ -225,6 +225,9 @@ def transform_claims(self, normalized_claims: EHClaims) -> FormAuth:
                 "acting_subject_claim"
             ],
         }
+        if service_restriction := normalized_claims.get("branch_number_claim", ""):
+            form_auth["legal_subject_service_restriction"] = service_restriction
+        return form_auth
 
 
 class DigiDmachtigenClaims(TypedDict):
@@ -340,7 +343,7 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
                 }
             )
 
-        return {
+        form_auth: FormAuth = {
             "plugin": self.identifier,
             "attribute": self.provides_auth,
             "value": normalized_claims["representee_claim"],
@@ -368,6 +371,10 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
             },
         }
 
+        if service_restriction := normalized_claims.get("branch_number_claim", ""):
+            form_auth["legal_subject_service_restriction"] = service_restriction
+        return form_auth
+
     def get_label(self) -> str:
         return "eHerkenning bewindvoering"