From b4a6e5bf5803115308c7f1ed1a39916ba6d4f778 Mon Sep 17 00:00:00 2001 From: Ricardo van der Heijden <20791917+ricardovdheijden@users.noreply.github.com> Date: Thu, 7 May 2026 15:38:20 +0200 Subject: [PATCH 1/2] # 542 Adds missing application.yml entries --- roles/myconext/templates/application.yml.j2 | 25 ++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 6af4e6ae9..5aed4e027 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -100,13 +100,14 @@ guest_idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadat my_conext_url: https://mijn.{{ myconext_base_domain }} domain: {{ myconext_base_domain }} mijn_eduid_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth +mijn_eduid_service_name: "Mijn eduID" mobile_app_redirect: eduid:///client/mobile # For this RP we nudge the user to use the magic link mobile_app_rp_entity_id: {{ myconext.mobile_app_rp_entity_id }} create-from-institution: return-url-allowed-domains: - {% for url in create_from_institution_return_url_allowed_domains %} + {% for url in myconext.create_from_institution_return_url_allowed_domains %} - "{{ url }}" {% endfor %} @@ -254,6 +255,10 @@ account_linking_context_class_ref: validate_names_external: https://eduid.nl/trust/validate-names-external affiliation_student: https://eduid.nl/trust/affiliation-student profile_mfa: https://refeds.org/profile/mfa + linked_institution_mfa: https://eduid.nl/trust/linked-institution/mfa + validate_names_mfa: https://eduid.nl/trust/validate-names/mfa + validate_names_external_mfa: https://eduid.nl/trust/validate-names-external/mfa + affiliation_student_mfa: https://eduid.nl/trust/affiliation-student/mfa account_linking: myconext_sp_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth 
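Review bot: The renamed loop `{% for url in myconext.create_from_institution_return_url_allowed_domains %}` still emits nothing when the list is empty, so `return-url-allowed-domains:` renders as a bare key, which YAML reads as null rather than an empty list. Because this key is the return-URL allow-list, and how the application treats null versus an empty list is not visible in this diff, it would be safer to render `[]` explicitly in that case (an `{% if %}`/`{% else %}` around the loop) or to assert in the role that the variable is non-empty. The new `mijn_eduid_service_name: "Mijn eduID"` line is correctly quoted.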
@@ -292,6 +297,24 @@ spring: port: 25 main: banner-mode: "off" + security: + oauth2: + client: + registration: + oidcng: + client-id: "{{ myconext.oidc_client_id }}" + client-secret: "{{ myconext.oidc_secret }}" + redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}" + authorization-grant-type: "authorization_code" + scope: openid + provider: + oidcng: + authorization-uri: "https://connect.{{ base_domain }}/oidc/authorize" + token-uri: "https://connect.{{ base_domain }}/oidc/token" + user-info-uri: "https://connect.{{ base_domain }}/oidc/userinfo" + jwk-set-uri: "https://connect.{{ base_domain }}/oidc/certs" + user-name-attribute: sub + user-info-authentication-method: client_secret_basic service_desk_role_auto_provisioning: False service_desk_roles: {{ myconext.service_desk_roles | join(",") }} From eb45941aa7b4222fcbed74393f4bbc4c3ffcef18 Mon Sep 17 00:00:00 2001 From: Ricardo van der Heijden <20791917+ricardovdheijden@users.noreply.github.com> Date: Wed, 13 May 2026 11:36:44 +0200 Subject: [PATCH 2/2] #542 Updates application.yml due to introduction of OIDC in the myconext app --- roles/myconext/templates/application.yml.j2 | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 5aed4e027..afe99006b 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 
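Review bot: The new `oidcng` provider block lists the endpoints explicitly but sets no `issuer-uri`, and as far as I recall Spring Security only validates the ID token's `iss` claim when an issuer is configured, so a token with a different issuer would not be rejected on that basis; consider adding `issuer-uri: "<issuer value from the OP's discovery document>"` beside `authorization-uri` (it also lets Spring resolve the remaining endpoints itself). `client-secret: "{{ myconext.oidc_secret }}"` ends up in the rendered application.yml on disk, so the template task should deploy the file with a restrictive mode and the variable should come from a vaulted source — that task is not visible in this diff. The templated values are correctly quoted, and `scope: openid` / `user-name-attribute: sub` are safe as plain scalars.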
@@ -89,11 +89,13 @@ mongodb_db: {{ myconext.mongo_database }} base_domain: {{ myconext_base_domain }} saml_metadata_base_path: https://login.{{ myconext_base_domain }} base_path: https://mijn.{{ myconext_base_domain }} +base_path_service_desk: https://servicedesk.{{ myconext_base_domain }} continue_after_login_url: https://login.{{ myconext_base_domain }}/saml/guest-idp/continue idp_redirect_url: https://login.{{ myconext_base_domain }} rp_id: login.{{ myconext_base_domain }} rp_origin: https://login.{{ myconext_base_domain }} sp_redirect_url: https://mijn.{{ myconext_base_domain }} +sp_servicedesk_redirect_url: https://servicedesk.{{ myconext_base_domain }} sp_entity_id: {{ myconext.sp_entity_id }} sp_entity_metadata_url: {{ myconext.sp_entity_metadata_url }} guest_idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata @@ -301,12 +303,20 @@ spring: oauth2: client: registration: - oidcng: - client-id: "{{ myconext.oidc_client_id }}" - client-secret: "{{ myconext.oidc_secret }}" - redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}" + mijn_eduid: + client-id: "{{ myconext.mijn_eduid_oidc_client_id }}" + client-secret: "{{ myconext.mijn_eduid_oidc_secret }}" + redirect-uri: "https://mijn.{{ myconext_base_domain }}/login/oauth2/code/{registrationId}" + authorization-grant-type: "authorization_code" + scope: openid + provider: oidcng + service_desk: + client-id: "{{ myconext.service_desk_oidc_client_id }}" + client-secret: "{{ myconext.service_desk_oidc_secret }}" + redirect-uri: "https://servicedesk.{{ myconext_base_domain }}/login/oauth2/code/{registrationId}" authorization-grant-type: "authorization_code" scope: openid + provider: oidcng provider: oidcng: authorization-uri: "https://connect.{{ base_domain }}/oidc/authorize"
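Review bot: The registration keys `mijn_eduid` and `service_desk` contain underscores, and Spring Boot's relaxed binding strips characters other than letters, digits, `-` and `.` from map keys that are not written in bracket form, so the effective registration ids would become `mijneduid` and `servicedesk`; the `{registrationId}` placeholder in both redirect URIs, and any code that looks a registration up by name, would then see the sanitised id rather than the one written here. Either use kebab-case ids (`mijn-eduid:` / `service-desk:`) or keep the names with bracket notation (`"[mijn_eduid]":` / `"[service_desk]":`), and make sure the redirect URI registered at the OP uses the same id. This applies to both new registrations; the `provider:` block they reference continues outside the hunk.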