Mandates / machtigen phase 2: specify "category" for form and pass this to the identity provider #4972

Open
3 tasks
sergei-maertens opened this issue Dec 27, 2024 · 1 comment
Labels
blocked epic Large theme and/or meta issue topic: machtigen

Comments

@sergei-maertens
Member

Follow up from phase 1 - #3623

Now that we can store the authentication context / mandate details in the whole chain of applications from forms to Open Zaak, we can focus on the second phase which is to restrict forms to certain services.

A service is the atomic bit of possible authorization limitations. In particular, a mandate may only apply to one (or more) services rather than the authorizee being able to manage every service for the representee. These services are grouped in categories (e.g. Burgerzaken / Schuldhulpverlening / ... to name some possible concepts).

When mandates are enabled for a form, it should be possible to specify which category/group applies to it, and pass along this information to the identity provider so that they can act as gatekeeper and inform the user when their mandate doesn't cover the group/services that are specified.

Tasks

  • Figure out how and where these categories are defined.
  • Figure out how to expose these categories/services in Open Forms and specify them to the authentication plugin options.
  • Establish pattern on how to pass this information to the identity provider and ensure that tampering is not possible.
@joeribekker
Contributor

joeribekker commented Dec 30, 2024

From Rotterdam, the stakeholder here is: Katja Vermeulen (Rotterdam) and Jan Verbeek (Den Haag), via Open Product? It needs to become clear again who is picking this up administratively.

@sergei-maertens sergei-maertens removed their assignment Jan 6, 2025