From 95f436730806e0843234e955f380a3fec6255221 Mon Sep 17 00:00:00 2001
From: Ricardo van der Heijden <20791917+ricardovdheijden@users.noreply.github.com>
Date: Thu, 7 May 2026 15:38:20 +0200
Subject: [PATCH 1/7] 542 Adds missing application.yml entries

---
 roles/myconext/templates/application.yml.j2 | 23 +++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 9e2af3722..23a192d53 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -100,6 +100,7 @@ guest_idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadat
 my_conext_url: https://mijn.{{ myconext_base_domain }}
 domain: {{ myconext_base_domain }}
 mijn_eduid_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth
+mijn_eduid_service_name: "Mijn eduID"
 mobile_app_redirect: eduid:///client/mobile
 # For this RP we nudge the user to use the magic link
 mobile_app_rp_entity_id: {{ myconext.mobile_app_rp_entity_id }}
@@ -256,6 +257,10 @@ account_linking_context_class_ref:
   validate_names_external: https://eduid.nl/trust/validate-names-external
   affiliation_student: https://eduid.nl/trust/affiliation-student
   profile_mfa: https://refeds.org/profile/mfa
+  linked_institution_mfa: https://eduid.nl/trust/linked-institution/mfa
+  validate_names_mfa: https://eduid.nl/trust/validate-names/mfa
+  validate_names_external_mfa: https://eduid.nl/trust/validate-names-external/mfa
+  affiliation_student_mfa: https://eduid.nl/trust/affiliation-student/mfa
 
 account_linking:
   myconext_sp_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth
@@ -294,6 +299,24 @@ spring:
     port: 25
   main:
     banner-mode: "off"
+  security:
+    oauth2:
+      client:
+        registration:
+          oidcng:
+            client-id: "{{ myconext.oidc_client_id }}"
+            client-secret: "{{ myconext.oidc_secret }}"
+            redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}"
+            authorization-grant-type: "authorization_code"
+            scope: openid
+        provider:
+          oidcng:
+            authorization-uri: "https://connect.{{ base_domain }}/oidc/authorize"
+            token-uri: "https://connect.{{ base_domain }}/oidc/token"
+            user-info-uri: "https://connect.{{ base_domain }}/oidc/userinfo"
+            jwk-set-uri: "https://connect.{{ base_domain }}/oidc/certs"
+            user-name-attribute: sub
+            user-info-authentication-method: client_secret_basic
 
 service_desk_role_auto_provisioning: False
 service_desk_roles: {{ myconext.service_desk_roles | join(",") }}

From 552ba67e874f62eb66ff527a1dea50209498f62c Mon Sep 17 00:00:00 2001
From: Ricardo van der Heijden <20791917+ricardovdheijden@users.noreply.github.com>
Date: Wed, 13 May 2026 11:36:44 +0200
Subject: [PATCH 2/7] #542 Updates application.yml due to introduction of OIDC in the myconext app

---
 roles/myconext/templates/application.yml.j2 | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 23a192d53..28a90918f 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
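Review bot: `user-info-authentication-method: client_secret_basic` under `provider.oidcng` looks like the wrong key for that value: as far as I recall Spring Security's user-info-authentication-method only distinguishes `header`, `form` and `query` (how the access token is presented to the userinfo endpoint), whereas `client_secret_basic` is a `client-authentication-method` value for the token endpoint, so this line is most likely ignored and the registration silently runs with Spring's default. If the intent is to pin HTTP Basic client authentication at the token endpoint, put it on the registration as `client-authentication-method: client_secret_basic` and either drop the provider line or set it to `header`. Separately, `client-secret: "{{ myconext.oidc_secret }}"` is a double-quoted YAML scalar, so a secret containing `"` or `\` either breaks the rendered file or is changed by escape processing; rendering it unquoted as `client-secret: {{ myconext.oidc_secret | to_json }}` yields a valid quoted scalar for any value, and the same applies to the two secrets introduced in patch 2/7. The enclosing `spring:` mapping starts outside the hunk.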
@@ -89,11 +89,13 @@ mongodb_db: {{ myconext.mongo_database }}
 base_domain: {{ myconext_base_domain }}
 saml_metadata_base_path: https://login.{{ myconext_base_domain }}
 base_path: https://mijn.{{ myconext_base_domain }}
+base_path_service_desk: https://servicedesk.{{ myconext_base_domain }}
 continue_after_login_url: https://login.{{ myconext_base_domain }}/saml/guest-idp/continue
 idp_redirect_url: https://login.{{ myconext_base_domain }}
 rp_id: login.{{ myconext_base_domain }}
 rp_origin: https://login.{{ myconext_base_domain }}
 sp_redirect_url: https://mijn.{{ myconext_base_domain }}
+sp_servicedesk_redirect_url: https://servicedesk.{{ myconext_base_domain }}
 sp_entity_id: {{ myconext.sp_entity_id }}
 sp_entity_metadata_url: {{ myconext.sp_entity_metadata_url }}
 guest_idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata
@@ -303,12 +305,20 @@ spring:
     oauth2:
       client:
         registration:
-          oidcng:
-            client-id: "{{ myconext.oidc_client_id }}"
-            client-secret: "{{ myconext.oidc_secret }}"
-            redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}"
+          mijn_eduid:
+            client-id: "{{ myconext.mijn_eduid_oidc_client_id }}"
+            client-secret: "{{ myconext.mijn_eduid_oidc_secret }}"
+            redirect-uri: "https://mijn.{{ myconext_base_domain }}/login/oauth2/code/{registrationId}"
+            authorization-grant-type: "authorization_code"
+            scope: openid
+            provider: oidcng
+          service_desk:
+            client-id: "{{ myconext.service_desk_oidc_client_id }}"
+            client-secret: "{{ myconext.service_desk_oidc_secret }}"
+            redirect-uri: "https://servicedesk.{{ myconext_base_domain }}/login/oauth2/code/{registrationId}"
             authorization-grant-type: "authorization_code"
             scope: openid
+            provider: oidcng
         provider:
           oidcng:
             authorization-uri: "https://connect.{{ base_domain }}/oidc/authorize"

From d6e4d0199c60faa02012f663c5ee7747caa0e4bf Mon Sep 17 00:00:00 2001
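Review bot: The registration ids `mijn_eduid` and `service_desk` become part of the callback path through `{registrationId}` in the two `redirect-uri` values, so the OP must have exactly `https://mijn.{{ myconext_base_domain }}/login/oauth2/code/mijn_eduid` and `https://servicedesk.{{ myconext_base_domain }}/login/oauth2/code/service_desk` registered, and renaming a registration (as patch 3/7 does for `mijn_eduid` → `my_conext`) silently changes the callback URI the OP has to allow. That coupling is invisible from the template, so I would document it above `registration:` with `# the registration id is part of the callback path /login/oauth2/code/<id>; it must match the redirect URI registered at the OP`. The variable names `mijn_eduid_oidc_client_id` / `mijn_eduid_oidc_secret` are presumably meant to survive the later rename, which is fine but worth a word in that same comment. The enclosing `spring.security.oauth2.client` mapping starts outside the hunk.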
From: Ricardo van der Heijden <20791917+ricardovdheijden@users.noreply.github.com>
Date: Tue, 19 May 2026 16:23:33 +0200
Subject: [PATCH 3/7] #542 Renames mijn_eduid to my_conext

---
 roles/myconext/templates/application.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 28a90918f..f973d3218 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -305,7 +305,7 @@ spring:
     oauth2:
       client:
         registration:
-          mijn_eduid:
+          my_conext:
             client-id: "{{ myconext.mijn_eduid_oidc_client_id }}"
             client-secret: "{{ myconext.mijn_eduid_oidc_secret }}"
             redirect-uri: "https://mijn.{{ myconext_base_domain }}/login/oauth2/code/{registrationId}"

From 60d3caebab575b679d9300a178de40dfd8b56ea3 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Tue, 26 May 2026 09:40:26 +0200
Subject: [PATCH 4/7] New config for eduID 8.3.0

---
 roles/myconext/templates/application.yml.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 9e2af3722..0898a506a 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -103,6 +103,7 @@ mijn_eduid_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth
 mobile_app_redirect: eduid:///client/mobile
 # For this RP we nudge the user to use the magic link
 mobile_app_rp_entity_id: {{ myconext.mobile_app_rp_entity_id }}
+mijn_eduid_service_name: "Mijn eduID"
 
 create-from-institution:
   return-url-allowed-domains:
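Review bot: Both hunks of this patch re-add keys that patch 1/7 already adds to the same template: `mijn_eduid_service_name: "Mijn eduID"` here (three lines lower than in 1/7) and the same four `*_mfa` entries under `account_linking_context_class_ref:` in the second hunk, and the `index 9e2af3722..` line shows it was cut against the same base as 1/7 rather than on top of 3/7. Applied in series order that leaves duplicate mapping keys in the rendered application.yml, which YAML loaders either reject or resolve silently last-wins depending on the parser; patch 6/7 removes only the `mijn_eduid_service_name` duplicate, so the four `*_mfa` keys still need checking in the merged result (yamllint's key-duplicates rule on the rendered file catches both). Unless the merge that produced 6/7's base already dropped them, I would drop this patch's second hunk entirely.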
@@ -256,6 +257,10 @@ account_linking_context_class_ref:
   validate_names_external: https://eduid.nl/trust/validate-names-external
   affiliation_student: https://eduid.nl/trust/affiliation-student
   profile_mfa: https://refeds.org/profile/mfa
+  linked_institution_mfa: https://eduid.nl/trust/linked-institution/mfa
+  validate_names_mfa: https://eduid.nl/trust/validate-names/mfa
+  validate_names_external_mfa: https://eduid.nl/trust/validate-names-external/mfa
+  affiliation_student_mfa: https://eduid.nl/trust/affiliation-student/mfa
 
 account_linking:
   myconext_sp_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth

From 20a019fbdc3cb2dde0fdc969da0b55e9e78e2d45 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Mon, 22 Jun 2026 09:30:40 +0200
Subject: [PATCH 5/7] Remove shib leftovers

---
 roles/myconext/tasks/main.yml               | 6 ------
 roles/myconext/templates/application.yml.j2 | 4 ----
 2 files changed, 10 deletions(-)

diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml
index 326668702..564f6890f 100644
--- a/roles/myconext/tasks/main.yml
+++ b/roles/myconext/tasks/main.yml
@@ -190,9 +190,6 @@
       OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
       OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
       OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
-      SHIB_ENTITYID: "https://mijn.{{ myconext_base_domain }}/shibboleth"
-      SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
-      SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
 
 - name: Create the account gui
   community.docker.docker_container:
@@ -256,7 +253,4 @@
       OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
       OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
       OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
-      SHIB_ENTITYID: "https://servicedesk.{{ myconext_base_domain }}/shibboleth"
-      SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
-      SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
   when: myconext.deploy_servicedesk | default(false) | bool
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index f973d3218..29a77eb31 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -101,7 +101,6 @@ sp_entity_metadata_url: {{ myconext.sp_entity_metadata_url }}
 guest_idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata
 my_conext_url: https://mijn.{{ myconext_base_domain }}
 domain: {{ myconext_base_domain }}
-mijn_eduid_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth
 mijn_eduid_service_name: "Mijn eduID"
 mobile_app_redirect: eduid:///client/mobile
 # For this RP we nudge the user to use the magic link
@@ -264,9 +263,6 @@ account_linking_context_class_ref:
   validate_names_external_mfa: https://eduid.nl/trust/validate-names-external/mfa
   affiliation_student_mfa: https://eduid.nl/trust/affiliation-student/mfa
 
-account_linking:
-  myconext_sp_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth
-
 eduid_api:
   oidcng_introspection_uri: https://connect.{{ base_domain }}/oidc/introspect
   oidcng_discovery_url: "https://connect.{{ base_domain }}/oidc/.well-known/openid-configuration"

From 2c537027a37ded35fb28ab70c2a4ca96371fb871 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Thu, 25 Jun 2026 08:39:59 +0200
Subject: [PATCH 6/7] Remove diplicate key in myconext config

---
 roles/myconext/templates/application.yml.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 6915dac92..a067ff5e9 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -105,7 +105,6 @@ mijn_eduid_service_name: "Mijn eduID"
 mobile_app_redirect: eduid:///client/mobile
 # For this RP we nudge the user to use the magic link
 mobile_app_rp_entity_id: {{ myconext.mobile_app_rp_entity_id }}
-mijn_eduid_service_name: "Mijn eduID"
 
 create-from-institution:
   return-url-allowed-domains:

From a2f0a34ff57944744369c015d1fb2dbe37226613 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Thu, 25 Jun 2026 08:58:05 +0200
Subject: [PATCH 7/7] Add mijn_eduid_entity_id

---
 roles/myconext/templates/application.yml.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index a067ff5e9..9078ed415 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -94,6 +94,7 @@ continue_after_login_url: https://login.{{ myconext_base_domain }}/saml/guest-id
 idp_redirect_url: https://login.{{ myconext_base_domain }}
 rp_id: login.{{ myconext_base_domain }}
 rp_origin: https://login.{{ myconext_base_domain }}
+mijn_eduid_entity_id: https://mijn.{{ myconext_base_domain }}
 sp_redirect_url: https://mijn.{{ myconext_base_domain }}
 sp_servicedesk_redirect_url: https://servicedesk.{{ myconext_base_domain }}
 sp_entity_id: {{ myconext.sp_entity_id }}
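Review bot: The re-added `mijn_eduid_entity_id` drops the `/shibboleth` suffix the value carried before patch 5/7 removed it, and nothing in the template records why, so a reader cannot tell whether this is a deliberate new identifier or a slip. If this id is what the IdP or OP has registered for the mijn app, that registration has to change in lockstep or the app fails to authenticate; a short comment above the line would make the intent explicit, e.g. `# entity id as registered at the IdP; no /shibboleth suffix now that the Shibboleth SP is gone`. The value is a plain scalar like its neighbours and contains no `: ` or ` #`, so no quoting is needed.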