🗑️ [#3283] Deprecate legacy OIDC callback endpoints

With Open Forms 3.0, we can make the breaking change of updating the
default.

The new OIDC API endpoints all point to a single callback URL, so it
means less configuration overhead on the identity provider side. The
breaking change means that the new URI's must be added to the
allowlist of the identity provider.

The new endpoint is '/auth/oidc/callback/', and it applies to all
OIDC configuration flavours.

Author: sergei-maertens

docs/configuration/authentication/oidc_digid.rst

@@ -45,12 +45,9 @@ omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.

docs/configuration/authentication/oidc_eherkenning.rst

@@ -60,12 +60,9 @@ maken in de omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.

docs/configuration/general/oidc.rst

@@ -38,12 +38,9 @@ maken in de omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_OIDC_ENDPOINTS=false`` en ``USE_LEGACY_ORG_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabelen<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein. Deze

docs/installation/config.rst

@@ -277,23 +277,6 @@ Other settings
   enable :ref:`Organization accounts <configuration_authentication_oidc>`. Defaults
   to ``False``.
 
-* ``USE_LEGACY_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, it is ``/oidc/callback/``.
-
-* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, they are:
-
-      - ``/digid-oidc/callback/``
-      - ``/eherkenning-oidc/callback/``
-      - ``/digid-machtigen-oidc/callback/``
-      - ``/eherkenning-bewindvoering-oidc/callback/``
-
-* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, it is ``/org-oidc/callback/``.
-
 * ``SESSION_EXPIRE_AT_BROWSER_CLOSE``: Controls if sessions expire at browser close.
   This applies to both the session of end-users filling out forms and staff using the
   administrative interface. Enabling this forces users to log in every time they open

docs/installation/upgrade-300.rst

@@ -14,6 +14,29 @@ be aware of, as they may require additional manual actions.
    :depth: 1
    :local:
 
+Legacy OpenID Connect callback endpoints are now disabled by default
+====================================================================
+
+Before Open Forms 3.0, the legacy endpoints were used by default.
+
+The following environment variables now default to ``False`` instead of ``True``:
+
+* ``USE_LEGACY_OIDC_ENDPOINTS``
+* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``
+* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``
+
+To keep the old behaviour, make sure you deploy with:
+
+.. code-block:: bash
+
+    USE_LEGACY_OIDC_ENDPOINTS=True
+    USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=True
+    USE_LEGACY_ORG_OIDC_ENDPOINTS=True
+
+To use the new behaviour, you must ensure that
+``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` is listed in the allowed
+**Redirect URI** values of your identity provider.
+
 Removal of price logic
 ======================
 

src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_duplicate_email_unique_constraint_violated.yaml src/openforms/accounts/tests/data/vcr_cassettes/OIDCFlowTests/OIDCFlowTests.test_duplicate_email_unique_constraint_violated.yaml

@@ -63,7 +63,7 @@ def test_oidc_button_enabled(self):
         )
 
 
-class OIDCFLowTests(OFVCRMixin, WebTest):
+class OIDCFlowTests(OFVCRMixin, WebTest):
     VCR_TEST_FILES = TEST_FILES
 
     @mock_admin_oidc_config()

src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow.yaml src/openforms/accounts/tests/data/vcr_cassettes/OIDCFlowTests/OIDCFlowTests.test_happy_flow.yaml

@@ -31,7 +31,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "digid_oidc:callback"
@@ -51,7 +51,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "digid_machtigen_oidc:callback"
@@ -71,7 +71,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "eherkenning_oidc:callback"
@@ -91,7 +91,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "eherkenning_bewindvoering_oidc:callback"