
Connectivity changes (different IP address) can cause the DigiD login flow to error out #3641

Closed
sergei-maertens opened this issue Nov 29, 2023 · 1 comment · Fixed by #3659

Comments

@sergei-maertens
Member

sergei-maertens commented Nov 29, 2023

Sentry 343314

This likely affects mobile users who change 4G/5G connection towers and receive a new IP address in the process. Our digid-eherkenning library has an additional security mechanism to protect against session hijacking, which results in an aborted DigiD assertion consumer view.

It doesn't happen frequently; the main concern I have is whether the end-user gets useful error feedback informing them to "try again" or whether they get a generic/cryptic error.

It should be easy to reproduce this by:

  1. Initiate a DigiD login
  2. Before completing the DigiD login, switch off Wi-Fi so you use your mobile connection (and thus force a different IP address)
  3. Complete the login process which sends you back to our backend
  4. The error should be displayed.

Relevant code handling this:

@joeribekker
Contributor

Refinement: Agreement to remove the IP-check in the library to prevent this issue. Security implications are covered by session-protection and allowing an IP-change gives a better user experience. Also, the exception should be templated (or not stringified) to allow stacking in Sentry.
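To make the trade-off discussed above concrete, here is an added illustration (not code from digid-eherkenning or Open Forms) of an assertion consumer check that pins the login to the client IP versus one that relies only on the session's own binding to the SAML request. The session keys `login_ip` and `saml_request_id`, the class names and the addresses are assumptions constructed for this example.

```python
# Added illustration; not the library's or project's code. Session layout
# ('login_ip', 'saml_request_id') and all addresses are constructed assumptions.
from dataclasses import dataclass, field


class LoginAborted(Exception):
    """Raised when the assertion consumer view refuses to complete the login."""


@dataclass
class Session:
    """Stand-in for a server-side session store keyed by the session cookie."""
    data: dict = field(default_factory=dict)


def start_login(session: Session, remote_addr: str, request_id: str) -> None:
    """Record what the login was started with, so the ACS can check it later."""
    session.data["login_ip"] = remote_addr
    session.data["saml_request_id"] = request_id


def consume_assertion(session: Session, remote_addr: str, in_response_to: str,
                      *, pin_to_ip: bool) -> str:
    """Validate the returning request against the session.

    The InResponseTo check binds the assertion to the request this session
    started and is kept in both modes; the IP check is the extra control
    that breaks when a mobile client changes towers mid-flow.
    """
    if session.data.get("saml_request_id") != in_response_to:
        raise LoginAborted("assertion does not belong to this session")
    if pin_to_ip and session.data.get("login_ip") != remote_addr:
        # Stable message (no interpolated addresses) so error tracking can
        # group occurrences instead of creating one event per IP pair.
        raise LoginAborted("client address changed during login")
    return in_response_to


def mobile_handover(pin_to_ip: bool) -> str:
    """Simulate a login started on one address and finished on another."""
    session = Session()
    start_login(session, "198.51.100.10", "id-req-1")  # constructed values
    try:
        consume_assertion(session, "203.0.113.7", "id-req-1", pin_to_ip=pin_to_ip)
    except LoginAborted as exc:
        return f"aborted: {exc}"
    return "completed"
```

With `pin_to_ip=True` the handover aborts exactly as in the reported flow; with it off, an assertion whose InResponseTo does not match the session is still rejected.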


2 participants