Grab and save the branch number from eHerkenning service restriction

src/openforms/authentication/contrib/eherkenning/constants.py

@@ -1,5 +1,6 @@
 EHERKENNING_PLUGIN_ID = "eherkenning"
 EHERKENNING_AUTH_SESSION_KEY = f"{EHERKENNING_PLUGIN_ID}:kvk"
 EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS = f"{EHERKENNING_PLUGIN_ID}:authn_contexts"
+EHERKENNING_BRANCH_NUMBERS_SESSION_KEY = f"{EHERKENNING_PLUGIN_ID}:branch_numbers"
 EIDAS_AUTH_SESSION_KEY = "eidas:pseudo"
 EIDAS_AUTH_SESSION_AUTHN_CONTEXTS = "eidas:authn_contexts"

src/openforms/authentication/contrib/eherkenning/plugin.py

@@ -1,3 +1,4 @@
+import logging
 from typing import Any, NoReturn
 
 from django.http import HttpRequest, HttpResponseBadRequest, HttpResponseRedirect
@@ -24,9 +25,12 @@
 from .constants import (
     EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS,
     EHERKENNING_AUTH_SESSION_KEY,
+    EHERKENNING_BRANCH_NUMBERS_SESSION_KEY,
     EIDAS_AUTH_SESSION_KEY,
 )
 
+logger = logging.getLogger(__name__)
+
 _LOA_ORDER = [loa.value for loa in AssuranceLevels]
 
 
@@ -108,13 +112,17 @@
                 "attribute": self.provides_auth,
                 "value": identifier,
                 "loa": self.get_session_loa(request.session),
+                **self.get_extra_form_auth_kwargs(request.session),
             }
 
         return HttpResponseRedirect(form_url)
 
     def get_session_loa(self, session):
         return ""
 
+    def get_extra_form_auth_kwargs(self, session) -> dict[str, Any]:
+        return {}
+
     def logout(self, request: HttpRequest):
         if self.session_key in request.session:
             del request.session[self.session_key]
@@ -130,6 +138,21 @@
         authn_contexts = session.get(EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS, [""])
         return max(authn_contexts, key=loa_order)
 
+    def get_extra_form_auth_kwargs(self, session) -> dict[str, Any]:
+        branch_numbers = session.get(EHERKENNING_BRANCH_NUMBERS_SESSION_KEY)
+        if not branch_numbers:
+            return {}
+        if (num := len(branch_numbers)) > 1:
+            # https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm
+            # explicitly mentions that "one or more ServiceRestrictions" can be provided,
+            # we currently only support one.
+            logger.warning(
+                "Got more than one branch number (got %d), this is unexpected!",
+                num,
+            )
+        branch_number = branch_numbers[0]
+        return {"legal_subject_service_restriction": branch_number}
+
     def check_requirements(self, request, config):
         # check LoA requirements
         authenticated_loa = request.session[FORM_AUTH_SESSION_KEY]["loa"]

src/openforms/authentication/contrib/eherkenning/views.py

@@ -17,6 +17,7 @@
 from .constants import (
     EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS,
     EHERKENNING_AUTH_SESSION_KEY,
+    EHERKENNING_BRANCH_NUMBERS_SESSION_KEY,
     EIDAS_AUTH_SESSION_KEY,
 )
 
@@ -126,6 +127,17 @@
                 "urn:etoegang:1.9:EntityConcernedID:Pseudo"
             ]
 
+        # Extract the branch number service restriction(s) - this is all super vague and
+        # we don't seem to have proper test accounts for this...
+        # See https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm,
+        # section "AttributeStatement" for an example response.
+        # This translates to a list of strings (12 chars, all digits)
+        if branch_numbers := attributes.get(
+            "urn:etoegang:1.9:ServiceRestriction:Vestigingsnr"
+        ):
+            logger.info("Got branch numbers: %r", branch_numbers)
+            request.session[EHERKENNING_BRANCH_NUMBERS_SESSION_KEY] = branch_numbers
+
         # store the authn contexts so the plugin can check persmission when
         # accessing/creating an object
         request.session[EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS] = (