Co-signing does not work with a DigiD Gateway (e.g. OIDC) or DigiD SSO

[SilviaAmAm]

Product versie / Product version

1.1

Omschrijf het probleem / Describe the bug

When using OpenID Connect, clicking on the co-sign option redirects directly to the form and doesnt give the chance to sign in as someone else with DigiD.

Proposed solution

Update: Den Haag agrees with the Open Forms flow and abandons their own mixed flow. With this, the BSN check is also removed and can later be added.

Use out-of-band email, form code. This solves co-signing when DigiD SSO or DigiD via a gateway is used. Note that the email that is sent never contains a link, but contains instructions to find a fixed "co-sign form" where the co-sign user can fill in their code.

Latest sequence diagram

Original sequence diagram link to refine further

Tasks

• [x] Refactor co-sign component to be a component that has 1 field: E-mailaddress of co-signer (so it no longer allows you to actually co-sign). This can be required or not.
• [x] Once a submission is submitted with co-signing email filled in, sent an email to the co-signer emailadress.
• [x] Generate a form/submission code/hash (can be typically the internal reference number) upon submitting
• [x] Make sure sending the submission to a registration backend is blocked (and stored for X days)
• [ ] Make the email sent to the co-signer configurable in the admin config. Make sure the email contains the form/submission code and the number of days its possible to fill in.
• [x] Create fixed co-sign form view (in SDK)
• [x] Step 1: Login to co-sign form with DigiD/e-Herkenning/eIDAS
• [x] Step 2: Fill in form/submission code
• [x] Step 3: Retrieve and show the summary page of the original form submission
• [x] Submit and thus complete so-sign.
• [x] Sent the blocked submission to the registration backend
• [ ] Sent reminder after configurable Y days (Y < X) to the co-signer.
• [ ] Sent an email to the user and co-signer once the submission is processed OR the the user if it expired.

More specific tasks

Form builder:

• [x] Add new co-sign component (special email component)
• [x] Add warning about having no more than 1 co-sign component per form
• [x] Add migration to convert old co-sign components to the new version https://github.com/open-formulieren/open-forms/pull/3079
• [x] Add a warning or an error in case the plugin specified for the cosign is not enabled on the form.

Backend:

• [x] Add method to model to extract co-sign component
• [x] Add attribute to submission "cosign_complete"
• [x] Update the on_completion tasks: the registration happens only if co-sign has been completed or if it's not required.
• [x] Add a task to send an email to the co-signer
• [x] Modify confirmation email template to mention that the form will be processed after cosign https://github.com/open-formulieren/open-forms/pull/3085
• [ ] Add an admin filter for forms with cosign and custom confirmation templates => Then the form designers can easily find which templates should be updated to mention the cosign.
• [ ] Make a note of manual intervention in the CHANGELOG about updating the confirmation template to mention cosign. https://github.com/open-formulieren/open-forms/issues/3122
• [ ] Add a task for a confirmation email after co-sign to the main person with the co-signer in CC => Needs https://github.com/maykinmedia/mail-cleaner/issues/2 first
• [x] Expose that a form is a co-sign form
• [x] Add to auth module a signal for when a co-signer logs in
• [x] Implement backend view to search for the submission https://github.com/open-formulieren/open-forms/pull/3090
• [x] Implement endpoint to persist co-sign https://github.com/open-formulieren/open-forms/pull/3118
• [ ] Make co-sign email template configurable (Add a dev view to visualise it). It should include the deadline for cosigning.
• [x] Add 'log out' button to the 'search submission' view. https://github.com/open-formulieren/open-forms/pull/3134
• [ ] Add a reminder email when approaching the deadline for cosigning
• [ ] Add a notification if the cosigner failed to cosign on time.

Frontend:

• [x] Add co-sign component
• [x] Move old co-sign component https://github.com/open-formulieren/open-forms-sdk/pull/411
• [x] Add co-sign button to a form https://github.com/open-formulieren/open-forms-sdk/pull/423 + https://github.com/open-formulieren/open-forms/pull/3107
• [x] Submission summary view: add privacy notice, log-out button https://github.com/open-formulieren/open-forms-sdk/pull/427
• [x] Confirmation view: download PDF report
• [x] Add route to cosign summary page

More things that came to mind:

• [ ] If a form has a cosign component, maybe that step should have 'login required' checked?
• [x] The cosign component should have the authPlugin attribute as required?
• [ ] Refactor the cosign_data attribute on the submission to also use Auth info model

Clean up:

• [ ] Remove the old co-sign component (Frontend/Backend)
• [ ] Remove co-sign flow from all plugins
• [ ] Following this discussion: https://github.com/open-formulieren/open-forms/pull/3085#discussion_r1206547012 remove the try/except clauses around the send email
• [ ] Use json path query to get form definitions: https://github.com/open-formulieren/open-forms/pull/3085#discussion_r1206543366
• [ ] Deal with the case where an MTA sends us a report that the co-sign email was undeliverable https://github.com/open-formulieren/open-forms/issues/3126

See additional comment: https://github.com/open-formulieren/open-forms/issues/1530#issuecomment-1586858384

[sergei-maertens]

We've seen other situations where a gateway is used for DigiD authentication and the same problem applies.

[joeribekker]

Discussed with The Hague, to refactor cosigning to be done out of bound via email. The form submission will be on hold, until cosigning is complete. The user can still submit it but the co signer has 7 days to co-sign and only then will the process continue in the background.

There is 1 major downside to this: It contradicts the principle to not send links in emails. We are looking into this because it is the user that triggers this mail, and not the organisation... Feels a bit like a password reset email.

[joeribekker]

More thoughts: we could also mail a code, that people can fill in some dedicated open forms page to get the cosigning process, without sending a link

[joeribekker]

Updated the ticket with a sequence diagram that respects the no-link policy and solves the SSO/Gateway issue.

[SilviaAmAm]

Todo:

Form builder:

• [x] Add new co-sign component (special email component)
• [x] Add warning about having no more than 1 co-sign component per form
• [x] Add migration to convert old co-sign components to the new version https://github.com/open-formulieren/open-forms/pull/3079
• [ ] Add a warning or an error in case the plugin specified for the cosign is not enabled on the form.

Backend:

• [x] Add method to model to extract co-sign component
• [x] Add attribute to submission "cosign_complete"
• [x] Update the on_completion tasks: the registration happens only if co-sign has been completed or if it's not required.
• [x] Add a task to send an email to the co-signer
• [x] Modify confirmation email template to mention that the form will be processed after cosign https://github.com/open-formulieren/open-forms/pull/3085
• [ ] Add an admin filter for forms with cosign and custom confirmation templates => Then the form designers can easily find which templates should be updated to mention the cosign.
• [ ] Make a note of manual intervention in the CHANGELOG about updating the confirmation template to mention cosign.
• [ ] Add a task for a confirmation email after co-sign to the main person with the co-signer in CC
• [ ] Expose that a form is a co-sign form
• [ ] Add to auth module a signal for when a co-signer logs in
• [x] Implement backend view to search for the submission https://github.com/open-formulieren/open-forms/pull/3090
• [ ] Implement endpoint to persist co-sign
• [ ] Make co-sign email template configurable (Add a dev view to visualise it)
• [ ] Deal with the case where an MTA sends us a report that the co-sign email was undeliverable

Frontend:

• [x] Add co-sign component
• [x] Move old co-sign component https://github.com/open-formulieren/open-forms-sdk/pull/411
• [ ] Add co-sign button to a form
• [ ] Submission summary view: add privacy notice, log-out button
• [ ] Confirmation view: download PDF report
• [ ] Add route to cosign summary page

Clean up:

• [ ] Remove the old co-sign component (Frontend/Backend)
• [ ] Remove auth flow from all plugins

[SilviaAmAm]

Still to do:

• [x] Send email to the cosigner (to instead of cc => do the CC afterall) once processed. https://github.com/open-formulieren/open-forms/pull/3157
• [x] Warning for missing auth https://github.com/open-formulieren/open-forms/pull/3162
• [x] Add a compulsory template tag for co-sign in the global configuration and per form and add migration so that it is added before the payment tag
• [x] The cosign component should have the authPlugin attribute as required?
• [x] Test that the old cosign works: It does work, but it looks like the component variable for the cosign component doesn't get any data, which results in this in the summary/pdf: (But I think that this is not an issue related to the new cosign component).
• [x] Fix styling of backend view to retrieve the submission