maykinmedia · stevenbal · Nov 20, 2025 · Nov 17, 2025 · Nov 17, 2025 · Nov 17, 2025
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,38 @@
 Change history
 ==============
 
+3.5.0 (TBD)
+-----------
+
+.. warning::
+
+    Changes to format of ``setup_configuration`` data for OpenID connect
+
+    In this release, ``mozilla-django-oidc-db`` has been updated to version 1.1.0, which requires the new data format.
+    The old format is deprecated and will be removed in future releases.
+
+    The new configuration must be used, as it splits the previous solo model configuration into ``OIDCProvider`` and ``OIDCClient``
+    configurations, making it easier to re-use identity provider settings across multiple client IDs.
+
+    Additionally, any configuration using ``django-setup-configuration`` must be updated to reflect these changes,
+    as it is now split into two distinct sections: one for ``providers`` and one for ``clients``.
+    This separation also exists in the admin interface, so both sections can be configured directly through the user interface.
+    For example:
+
+    .. code-block:: yaml
+
+        providers:
+          - identifier: example-provider
+            # other provider settings
+        clients:
+          - identifier: admin-oidc
+            oidc_provider_identifier: example-provider
+            # other client settings
+
+    For detailed configuration, see :ref:`Admin OIDC Configuration Step  <ref_step_mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep>`.
+    Make sure to check which fields are marked as ``DEPRECATED`` and replace them with the fields that are mentioned as replacements.
+
+
 3.4.0 (2025-10-28)
 ------------------
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -4,8 +4,9 @@ services:
     # See: https://hub.docker.com/_/postgres/
     image: postgis/postgis:17-3.5
     environment:
-      - POSTGRES_USER=${DB_USER:-objects}
-      - POSTGRES_PASSWORD=${DB_PASSWORD:-objects}
+      - POSTGRES_HOST_AUTH_METHOD=trust
+    volumes:
+      - ./docker/postgres.entrypoint-initdb.d:/docker-entrypoint-initdb.d:ro
     networks:
       - objects-dev
 
@@ -22,6 +23,8 @@ services:
     environment: &web_env
       DJANGO_SETTINGS_MODULE: objects.conf.docker
       SECRET_KEY: ${SECRET_KEY:-1(@f(-6s_u(5fd&1sg^uvu2s(c-9sapw)1era8q&)g)h@cwxxg}
+      DB_NAME: objects
+      DB_USER: objects
       IS_HTTPS: no
       ALLOWED_HOSTS: '*'
       CACHE_DEFAULT: redis:6379/0
@@ -78,8 +81,8 @@ services:
   objecttypes-web:
     image: maykinmedia/objecttypes-api:latest
     environment: &app-env
-      DB_USER: objects
-      DB_PASSWORD: objects
+      DB_NAME: objecttypes
+      DB_USER: objecttypes
       DJANGO_SETTINGS_MODULE: objecttypes.conf.docker
       SECRET_KEY: ${SECRET_KEY:-fgv=c0hz&tl*8*3m3893@m+1pstrvidc9e^5@fpspmg%cyf15d}
       ALLOWED_HOSTS: '*'

diff --git a/keycloak/docker-compose.keycloak.yml → docker/docker-compose.keycloak.yml b/keycloak/docker-compose.keycloak.yml → docker/docker-compose.keycloak.yml
@@ -9,9 +9,9 @@
 # DO NOT USE THIS IN PRODUCTION.
 #
 # Start a Keycloak instance in your local environment from the parent directory:
-# 
+#
 #     docker compose -f docker-compose.keycloak.yml up -d
-# 
+#
 
 version: '3'
 
@@ -23,7 +23,7 @@ services:
       - KEYCLOAK_ADMIN=admin
       - KEYCLOAK_ADMIN_PASSWORD=admin
     volumes:
-      - ./data:/opt/keycloak/data/import
+      - ./keycloak/data:/opt/keycloak/data/import
     ports:
       - 8080:8080
     networks:

diff --git a/keycloak/data/test-realm.json → docker/keycloak/data/test-realm.json b/keycloak/data/test-realm.json → docker/keycloak/data/test-realm.json
diff --git a/docker/postgres.entrypoint-initdb.d/0001-objects.sql b/docker/postgres.entrypoint-initdb.d/0001-objects.sql
@@ -0,0 +1,2 @@
+CREATE USER objects;
+CREATE DATABASE objects WITH OWNER objects;
diff --git a/docker/postgres.entrypoint-initdb.d/0002-objecttypes.sql b/docker/postgres.entrypoint-initdb.d/0002-objecttypes.sql
@@ -0,0 +1,2 @@
+CREATE USER objecttypes;
+CREATE DATABASE objecttypes WITH OWNER objecttypes;
diff --git a/docker/postgres.entrypoint-initdb.d/0003-objects-extensions.sh b/docker/postgres.entrypoint-initdb.d/0003-objects-extensions.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "objects" <<-EOSQL
+    CREATE EXTENSION postgis;
+EOSQL
diff --git a/docker/setup_configuration/data.yaml b/docker/setup_configuration/data.yaml
@@ -79,14 +79,44 @@ tokenauth:
 
 oidc_db_config_enable: true
 oidc_db_config_admin_auth:
+  providers:
+  - identifier: admin-oidc
+    oidc_use_nonce: true
+    oidc_nonce_size: 32
+    oidc_state_size: 32
+    endpoint_config:
+        oidc_op_authorization_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/auth
+        oidc_op_jwks_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/certs
+        oidc_op_token_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/token
+        oidc_op_user_endpoint: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
   items:
-    - identifier: admin-oidc
-      oidc_rp_client_id: client-id
-      oidc_rp_client_secret: secret
-      endpoint_config:
-        oidc_op_authorization_endpoint: https://example.com/realms/test/protocol/openid-connect/auth
-        oidc_op_token_endpoint: https://example.com/realms/test/protocol/openid-connect/token
-        oidc_op_user_endpoint: https://example.com/realms/test/protocol/openid-connect/userinfo
-
-      # workaround for https://github.com/maykinmedia/django-setup-configuration/issues/27
-      userinfo_claims_source: id_token
+  - identifier: admin-oidc
+    enabled: true
+    oidc_rp_client_id: testid
+    oidc_rp_client_secret: 7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I
+    oidc_rp_scopes_list:
+    - openid
+    - email
+    - profile
+    oidc_rp_sign_algo: RS256
+    oidc_provider_identifier: admin-oidc
+    userinfo_claims_source: id_token
+    options:
+      user_settings:
+        claim_mappings:
+          username:
+            - sub
+          first_name:
+            - given_name
+          email:
+            - email
+        username_case_sensitive: true
+      groups_settings:
+        claim_mapping:
+          - groups
+        sync: true
+        sync_pattern: '*'
+        default_groups: []
+        make_users_staff: true
+        superuser_group_names:
+          - Registreerders
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -160,7 +160,7 @@ django-sendfile2==0.7.0
     # via django-privates
 django-sessionprofile==3.0.0
     # via open-api-framework
-django-setup-configuration==0.9.0
+django-setup-configuration==0.11.0
     # via
     #   -r requirements/base.in
     #   mozilla-django-oidc-db
@@ -173,7 +173,6 @@ django-solo==2.2.0
     # via
     #   commonground-api-common
     #   django-log-outgoing-requests
-    #   mozilla-django-oidc-db
     #   notifications-api-common
     #   zgw-consumers
 django-structlog==9.1.1
@@ -252,7 +251,7 @@ maykin-common==0.11.0
     # via -r requirements/base.in
 mozilla-django-oidc==4.0.0
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.22.0
+mozilla-django-oidc-db==1.1.0
     # via
     #   -r requirements/base.in
     #   open-api-framework

diff --git a/requirements/ci.txt b/requirements/ci.txt
@@ -275,7 +275,7 @@ django-sessionprofile==3.0.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   open-api-framework
-django-setup-configuration==0.9.0
+django-setup-configuration==0.11.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
@@ -291,7 +291,6 @@ django-solo==2.2.0
     #   -r requirements/base.txt
     #   commonground-api-common
     #   django-log-outgoing-requests
-    #   mozilla-django-oidc-db
     #   notifications-api-common
     #   zgw-consumers
 django-structlog==9.1.1
@@ -460,7 +459,7 @@ mozilla-django-oidc==4.0.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.22.0
+mozilla-django-oidc-db==1.1.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt

diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -319,7 +319,7 @@ django-sessionprofile==3.0.0
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   open-api-framework
-django-setup-configuration==0.9.0
+django-setup-configuration==0.11.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
@@ -337,7 +337,6 @@ django-solo==2.2.0
     #   -r requirements/ci.txt
     #   commonground-api-common
     #   django-log-outgoing-requests
-    #   mozilla-django-oidc-db
     #   notifications-api-common
     #   zgw-consumers
 django-structlog==9.1.1
@@ -550,7 +549,7 @@ mozilla-django-oidc==4.0.0
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.22.0
+mozilla-django-oidc-db==1.1.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt

diff --git a/src/objects/accounts/tests/factories.py b/src/objects/accounts/tests/factories.py
@@ -2,6 +2,13 @@
 
 import factory
 from factory.django import DjangoModelFactory
+from mozilla_django_oidc_db.constants import OIDC_ADMIN_CONFIG_IDENTIFIER
+from mozilla_django_oidc_db.tests.factories import (
+    OIDCClientFactory as BaseOIDCClientFactory,
+    OIDCProviderFactory,
+)
+
+from objects.utils.tests.keycloak import KEYCLOAK_BASE_URL
 
 User = get_user_model()
 
@@ -24,3 +31,27 @@ class Params:
 
 class StaffUserFactory(UserFactory):
     is_staff = True
+
+
+class OIDCClientFactory(BaseOIDCClientFactory):
+    enabled = True
+
+    class Params:  # pyright: ignore[reportIncompatibleVariableOverride]
+        with_keycloak_provider = factory.Trait(
+            oidc_provider=factory.SubFactory(
+                OIDCProviderFactory,
+                identifier="keycloak-provider",
+                oidc_op_jwks_endpoint=f"{KEYCLOAK_BASE_URL}/certs",
+                oidc_op_authorization_endpoint=f"{KEYCLOAK_BASE_URL}/auth",
+                oidc_op_token_endpoint=f"{KEYCLOAK_BASE_URL}/token",
+                oidc_op_user_endpoint=f"{KEYCLOAK_BASE_URL}/userinfo",
+                oidc_op_logout_endpoint=f"{KEYCLOAK_BASE_URL}/logout",
+            ),
+            oidc_rp_client_id="testid",
+            oidc_rp_client_secret="7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I",
+            oidc_rp_sign_algo="RS256",
+        )
+        with_admin = factory.Trait(
+            identifier=OIDC_ADMIN_CONFIG_IDENTIFIER,
+            oidc_rp_scopes_list=["email", "profile", "openid"],
+        )
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		CREATE USER objects;
		CREATE DATABASE objects WITH OWNER objects;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		CREATE USER objecttypes;
		CREATE DATABASE objecttypes WITH OWNER objecttypes;