Merge pull request #4912 from open-formulieren/cleanup/3283-enable-new-oidc-endpoint-default

💥 Disable legacy OIDC endpoints by default

Author: sergei-maertens

docs/configuration/authentication/oidc_digid.rst

@@ -45,12 +45,9 @@ omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.

docs/configuration/authentication/oidc_eherkenning.rst

@@ -60,12 +60,9 @@ maken in de omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.

docs/configuration/general/oidc.rst

@@ -38,12 +38,9 @@ maken in de omgeving van de OpenID Connect provider.
 
 **Redirect URI (vanaf Open Formulieren 2.7.0)**
 
-.. warning::
+.. versionchanged:: 3.0
 
-    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
-    ``USE_LEGACY_OIDC_ENDPOINTS=false`` en ``USE_LEGACY_ORG_OIDC_ENDPOINTS=false``
-    :ref:`omgevingsvariabelen<installation_environment_config>`, anders worden de legacy
-    (zie hieronder) endpoints gebruikt.
+    Open Forms no longer uses the legacy endpoints by default.
 
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein. Deze

docs/installation/config.rst

@@ -277,23 +277,6 @@ Other settings
   enable :ref:`Organization accounts <configuration_authentication_oidc>`. Defaults
   to ``False``.
 
-* ``USE_LEGACY_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, it is ``/oidc/callback/``.
-
-* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, they are:
-
-      - ``/digid-oidc/callback/``
-      - ``/eherkenning-oidc/callback/``
-      - ``/digid-machtigen-oidc/callback/``
-      - ``/eherkenning-bewindvoering-oidc/callback/``
-
-* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
-  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
-  ``/auth/oidc/callback/``, if ``True``, it is ``/org-oidc/callback/``.
-
 * ``SESSION_EXPIRE_AT_BROWSER_CLOSE``: Controls if sessions expire at browser close.
   This applies to both the session of end-users filling out forms and staff using the
   administrative interface. Enabling this forces users to log in every time they open

docs/installation/upgrade-300.rst

@@ -14,6 +14,29 @@ be aware of, as they may require additional manual actions.
    :depth: 1
    :local:
 
+Legacy OpenID Connect callback endpoints are now disabled by default
+====================================================================
+
+Before Open Forms 3.0, the legacy endpoints were used by default.
+
+The following environment variables now default to ``False`` instead of ``True``:
+
+* ``USE_LEGACY_OIDC_ENDPOINTS``
+* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``
+* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``
+
+To keep the old behaviour, make sure you deploy with:
+
+.. code-block:: bash
+
+    USE_LEGACY_OIDC_ENDPOINTS=True
+    USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=True
+    USE_LEGACY_ORG_OIDC_ENDPOINTS=True
+
+To use the new behaviour, you must ensure that
+``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` is listed in the allowed
+**Redirect URI** values of your identity provider.
+
 Removal of price logic
 ======================
 

src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_duplicate_email_unique_constraint_violated.yaml src/openforms/accounts/tests/data/vcr_cassettes/OIDCFlowTests/OIDCFlowTests.test_duplicate_email_unique_constraint_violated.yaml

@@ -63,7 +63,7 @@ def test_oidc_button_enabled(self):
         )
 
 
-class OIDCFLowTests(OFVCRMixin, WebTest):
+class OIDCFlowTests(OFVCRMixin, WebTest):
     VCR_TEST_FILES = TEST_FILES
 
     @mock_admin_oidc_config()

src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow.yaml src/openforms/accounts/tests/data/vcr_cassettes/OIDCFlowTests/OIDCFlowTests.test_happy_flow.yaml

@@ -31,7 +31,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "digid_oidc:callback"
@@ -51,7 +51,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "digid_machtigen_oidc:callback"
@@ -71,7 +71,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "eherkenning_oidc:callback"
@@ -91,7 +91,7 @@ class Meta:
     def oidc_authentication_callback_url(cls) -> str:  # type: ignore
         if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
             warnings.warn(
-                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 4.0",
                 DeprecationWarning,
             )
             return "eherkenning_bewindvoering_oidc:callback"