From f02e4efc41f82ec0ad56da6b223b6df9a3fe633e Mon Sep 17 00:00:00 2001 
From: Sergei Maertens Date: Wed, 22 May 2024 08:33:21 +0200 Subject: [PATCH] tests --- .github/ISSUE_TEMPLATE/prepare-release.md | 1 + src/digid_eherkenning_oidc_generics/models.py | 4 + .../digid_eherkenning_oidc/backends.py | 11 +- .../digid_eherkenning_oidc/tests/README.md | 25 + ..._for_cancelled_login_anon_django_user.yaml | 91 +++ ...ancelled_login_with_staff_django_user.yaml | 91 +++ ...Tests.test_failing_claim_verification.yaml | 371 +++++++++++ ...hen_login_cancelled_by_anonymous_user.yaml | 579 ++++++++++++++++ ....test_redirects_after_successful_auth.yaml | 623 +----------------- ...InitTests.test_idp_availability_check.yaml | 26 + ...s.test_keycloak_idp_hint_is_respected.yaml | 59 ++ ...start_flow_redirects_to_oidc_provider.yaml | 59 ++ .../tests/digid/test_auth_procedure.py | 293 -------- .../tests/test_auth_flow.py | 177 ++++- src/openforms/authentication/tests/utils.py | 7 +- 15 files changed, 1498 insertions(+), 919 deletions(-) create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirect_to_form_when_login_cancelled_by_anonymous_user.yaml create mode 100644 
src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_idp_availability_check.yaml create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_keycloak_idp_hint_is_respected.yaml create mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml delete mode 100644 src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py diff --git a/.github/ISSUE_TEMPLATE/prepare-release.md b/.github/ISSUE_TEMPLATE/prepare-release.md index 92b0df4807..66f37a507e 100644 --- a/.github/ISSUE_TEMPLATE/prepare-release.md +++ b/.github/ISSUE_TEMPLATE/prepare-release.md @@ -12,6 +12,7 @@ assignees: sergei-maertens - [ ] Appoinments: Qmatic - [ ] Suwinet - [ ] DigiD/eHerkenning (Signicat) + - [ ] DigiD/eHerkenning via OIDC (`openforms.authentication.contrib.digid_eherkenning_oidc`) - [ ] Haal Centraal BRP Personen bevragen - [ ] `src.soap.tests.test_client` - [ ] BRK (Kadaster) diff --git a/src/digid_eherkenning_oidc_generics/models.py b/src/digid_eherkenning_oidc_generics/models.py index f3330b38e9..5e0de956c2 100644 --- a/src/digid_eherkenning_oidc_generics/models.py +++ b/src/digid_eherkenning_oidc_generics/models.py @@ -61,6 +61,10 @@ class Meta: verbose_name = _("OpenID Connect configuration") abstract = True + @classproperty + def oidcdb_check_idp_availability(cls) -> bool: + return True + class OpenIDConnectPublicConfig(OpenIDConnectBaseConfig): """ diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py index ac0a3e5c7e..48d93c45f2 100644 --- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py 
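Review bot: In `src/digid_eherkenning_oidc_generics/models.py` the new `oidcdb_check_idp_availability` classproperty has no docstring, and it hard-codes `True` on the abstract base, so every concrete config inherits the check unless it overrides the property. I would add a one-line docstring such as `"""Probe the identity provider before redirecting the user to it."""`. That behaviour is inferred from the property name and from the bare GET to the authorization endpoint recorded at the start of the new cassettes, so confirm it against the library. The docstring should also say that this adds an outbound request to the configured endpoint on each login start, which matters when the IdP is slow or rate-limited. The enclosing config class starts outside the hunk.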
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py @@ -1,7 +1,7 @@ import logging from django.contrib.auth.models import AnonymousUser -from django.core.exceptions import SuspiciousOperation +from django.core.exceptions import PermissionDenied, SuspiciousOperation from django.http import HttpRequest from glom import Path, PathAccessError, glom @@ -58,7 +58,14 @@ def get_or_create_user( claims_verified = self.verify_claims(user_info) if not claims_verified: msg = "Claims verification failed" - raise SuspiciousOperation(msg) + # Raise PermissionDenied rather than SuspiciousOperation - this makes it + # Django stops trying other (OIDC) authentication backends, which fail + # because the code was already exchanged for an access token. + # Note that this backend only runs for the DigiD/eHerkenning configs at all, + # and those aren't particularly compatible with the admin-OIDC flow anyway. + # See :meth:`_check_candidate_backend` that prevents this backend from being + # used for admin OIDC. + raise PermissionDenied(msg) self._extract_and_store_claims(payload) diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md new file mode 100644 index 0000000000..03037c38ea --- /dev/null +++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md 
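Review bot: The new `raise PermissionDenied(msg)` in `get_or_create_user` leaves a failed claims verification with no log entry anywhere in this hunk. Django logs an uncaught `SuspiciousOperation` under `django.security`, whereas a `PermissionDenied` raised from a backend only makes `django.contrib.auth.authenticate()` stop and return no user, sending the `user_login_failed` signal. I would add `logger.warning("OIDC claims verification failed, login rejected")` just before the raise (assuming the module defines `logger`; only `import logging` is visible) and keep claim values such as the BSN out of the message. In the added comment, "this makes it Django stops trying" should read "this makes Django stop trying". The body of `get_or_create_user` starts before and continues after the hunk.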
@@ -0,0 +1,25 @@ +# README + +The integration tests for the OIDC flavour of DigiD/eHerkenning uses VCR.py. To (re-) record the +cassettes, perform the following steps (from the root of the repo): + +1. Bring up the Keycloak instance + + ```bash + cd docker/ + docker compose -f docker-compose.keycloak.yml up -d + ``` + +2. Delete the old cassettes + + ```bash + rm -rf src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes + ``` + +3. Run the tests + + ```bash + python src/manage.py test openforms.authentication.contrib.digid_eherkenning_oidc + ``` + +4. Inspect the diff and commit the changes. diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml new file mode 100644 index 0000000000..6950e14935 --- /dev/null +++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml @@ -0,0 +1,91 @@ +interactions: +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string + response: + body: + string: '' + headers: + Location: + - http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-XSS-Protection: + - 1; mode=block + content-length: + - '0' + status: + code: 302 + message: Found +version: 1 diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml new file mode 100644 index 0000000000..6950e14935 --- /dev/null 
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml @@ -0,0 +1,91 @@ +interactions: +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string + response: + body: + string: '' + headers: + Location: + - http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-XSS-Protection: + - 1; mode=block + content-length: + - '0' + status: + code: 302 + message: Found +version: 1 diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml new file mode 100644 index 0000000000..4106c4f293 --- /dev/null +++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml 
@@ -0,0 +1,371 @@ +interactions: +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ Sign in to your account\n\n

\n
\n
\n + \
\n\n\n
\n + \
\n
\n
\n \n\n \n\n\n
\n\n
\n \n\n
\n + \ \n \n + \
\n\n\n
\n\n
\n
\n + \
\n
\n + \
\n\n
\n\n
\n \n \n
\n + \
\n
\n
\n \n\n\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Cache-Control: + - no-store, must-revalidate, max-age=0 + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Set-Cookie: + - AUTH_SESSION_ID=c4c9304a-8064-4fee-810b-7758117865e8; Version=1; Path=/realms/test/; + SameSite=None; Secure; HttpOnly + - AUTH_SESSION_ID_LEGACY=c4c9304a-8064-4fee-810b-7758117865e8; Version=1; Path=/realms/test/; + HttpOnly + - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI; + Version=1; Path=/realms/test/; HttpOnly + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '4466' + status: + code: 200 + message: OK +- request: + body: username=testuser&password=testuser&credentialId=&login=Sign+In + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + Content-Length: + - '63' + Content-Type: + - application/x-www-form-urlencoded + Cookie: + - AUTH_SESSION_ID_LEGACY=c4c9304a-8064-4fee-810b-7758117865e8; 
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI + User-Agent: + - python-requests/2.31.0 + method: POST + uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=3C_hoZ9csSDaHhlTpM3Lkdq3WJmrsudSOM3JhO3J5Gk&execution=6f3a64ce-e337-4638-b1af-f6a92e763f3a&client_id=testid&tab_id=x6lSo1VkS5w + response: + body: + string: '' + headers: + Cache-Control: + - no-store, must-revalidate, max-age=0 + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Location: + - http://testserver/digid-oidc/callback/?state=not-a-random-string&session_state=c4c9304a-8064-4fee-810b-7758117865e8&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=8087d048-c5e9-40a4-97db-c950bf8e5c42.c4c9304a-8064-4fee-810b-7758117865e8.adf4ad83-4550-4619-9231-73bd8d700f45 + Referrer-Policy: + - no-referrer + Set-Cookie: + - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 + 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly + - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; + Path=/realms/test/; HttpOnly + - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; + Path=/realms/test/ + - 
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0MTAzMjUsImlhdCI6MTcxNjM3NDMyNSwianRpIjoiYTA0ZGYzNjctMjU1MS00ZmEwLTkxMGYtYjcxMzFmZmVmM2FlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjNGM5MzA0YS04MDY0LTRmZWUtODEwYi03NzU4MTE3ODY1ZTgiLCJzaWQiOiJjNGM5MzA0YS04MDY0LTRmZWUtODEwYi03NzU4MTE3ODY1ZTgiLCJzdGF0ZV9jaGVja2VyIjoiMG5jNno3WjJiRlh2YkxGanZBaHg3OXNCc1ZRWkdjcUVsbmJjMGhzU2ZzOCJ9.g9ZhgpP0zJVX3irWg1LZdqq2WHkxrKzO9JFz1bQh3Ys; + Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly + - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0MTAzMjUsImlhdCI6MTcxNjM3NDMyNSwianRpIjoiYTA0ZGYzNjctMjU1MS00ZmEwLTkxMGYtYjcxMzFmZmVmM2FlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjNGM5MzA0YS04MDY0LTRmZWUtODEwYi03NzU4MTE3ODY1ZTgiLCJzaWQiOiJjNGM5MzA0YS04MDY0LTRmZWUtODEwYi03NzU4MTE3ODY1ZTgiLCJzdGF0ZV9jaGVja2VyIjoiMG5jNno3WjJiRlh2YkxGanZBaHg3OXNCc1ZRWkdjcUVsbmJjMGhzU2ZzOCJ9.g9ZhgpP0zJVX3irWg1LZdqq2WHkxrKzO9JFz1bQh3Ys; + Version=1; Path=/realms/test/; HttpOnly + - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/c4c9304a-8064-4fee-810b-7758117865e8; + Version=1; Expires=Wed, 22-May-2024 20:38:45 GMT; Max-Age=36000; Path=/realms/test/; + SameSite=None; Secure + - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/c4c9304a-8064-4fee-810b-7758117865e8; + Version=1; Expires=Wed, 22-May-2024 20:38:45 GMT; Max-Age=36000; Path=/realms/test/ + - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 + 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly + Strict-Transport-Security: + - max-age=31536000; 
includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '0' + status: + code: 302 + message: Found +- request: + body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=8087d048-c5e9-40a4-97db-c950bf8e5c42.c4c9304a-8064-4fee-810b-7758117865e8.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + Content-Length: + - '273' + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - python-requests/2.31.0 + method: POST + uri: http://localhost:8080/realms/test/protocol/openid-connect/token + response: + body: + string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.fQnGDF4JxmhjDE0GDlWL-xveMZ42wBnCuYYbS9t3TA0kdKdGvi6CmnbmgATH4UPMPLVLvNpjjs2lXnArCiX93L2VDasUwBMAQjd3yRMmQVq6u6B4wOHcKcXHT0SXf_IuaIktdXEv-lTUYHHLpfH4a5R72P1NgKz5uOSHUBDVba5quU82gPCeEkFri4ES91B-NzS9anUKptt0UeMWgivvGOWC_W5DHXBEH1EgM4-as_S5gMwYk6Eq_BIsvKP2Yf5pDRMeP4DMLgH_bsETySty_iysYDyrdrkfHGXTdeT4TEp1eU-Y8i5I_5Wy4kgXVSEtqgpzgAI9dbOK7ZdorJfYbA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.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.TVYe6hfVBAPd9ltNItlGWxxS0zayRrTxW2UvssyINsY","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.RHoBRVNZ32SJjNMhOJu3KT4ZkX_6R2bGCOkkVbaLjXDfFMDfrtTGD2eoC-ro0fDkZEvbRvyAftpDen-fiSOKjGxA2YGA3HwIzkdo0Aj4XLIhN8023n_dUAwNWwYDGTmSGM42rzuxK0FGjYIwI6gXl5qv9-jiCX
NmDWnFE8vd5CHb4uMOzqR8KQL7rygiP4Uq0n47b7H_hYNOcVlNLlN5cEeLCS4WsfdxgCRffui8qVkeVHn4xbGM112BRhTIPa_wQqPQdz4GfpVyd2AK2DQk8DmZ9_XBP0HGgAoEPdQ33JchbKdy5ZjtJrEg_c2U12XQqtoZ8rYaISEgPDDRSUgfLQ","not-before-policy":0,"session_state":"c4c9304a-8064-4fee-810b-7758117865e8","scope":"openid + email profile kvk bsn"}' + headers: + Cache-Control: + - no-store + Content-Type: + - application/json + Pragma: + - no-cache + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-XSS-Protection: + - 1; mode=block + content-length: + - '3475' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/certs + response: + body: + string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["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"],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2M
bs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["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"],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}' + headers: + Cache-Control: + - no-cache + Content-Type: + - application/json;charset=UTF-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-XSS-Protection: + - 1; mode=block + content-length: + - '2909' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Authorization: + - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTYzNzQ2MjUsImlhdCI6MTcxNjM3NDMyNSwiYXV0aF90aW1lIjoxNzE2Mzc0MzI1LCJqdGkiOiI1YmRjMzAzYi1iMGY4LTQ5ZDYtYTU2My1iNDc4YmMxZTM2ZWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImM0YzkzMDRhLTgwNjQtNGZlZS04MTBiLTc3NTgxMTc4NjVlOCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYzRjOTMwNGEtODA2NC00ZmVlLTgxMGItNzc1ODExNzg2NWU4Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.fQnGDF4JxmhjDE0GDlWL-xveMZ42wBnCuYYbS9t3TA0kdKdGvi6CmnbmgATH4UPMPLVLvNpjjs2lXnArCiX93L2VDasUwBMAQjd3yRMmQVq6u6B4wOHcKcXHT0SXf_IuaIktdXEv-lTUYHHLpfH4a5R72P1NgKz5uOSHUBDVba5quU82gPCeEkFri4ES91B-NzS9anUKptt0UeMWgivvG
OWC_W5DHXBEH1EgM4-as_S5gMwYk6Eq_BIsvKP2Yf5pDRMeP4DMLgH_bsETySty_iysYDyrdrkfHGXTdeT4TEp1eU-Y8i5I_5Wy4kgXVSEtqgpzgAI9dbOK7ZdorJfYbA + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo + response: + body: + string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw + headers: + Cache-Control: + - no-cache + Content-Type: + - application/jwt + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-XSS-Protection: + - 1; mode=block + content-length: + - '714' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/certs + response: + body: + string: 
'{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["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"],"x5t":"AlfHDI0FOPQpt3RBA
ILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}' + headers: + Cache-Control: + - no-cache + Content-Type: + - application/json;charset=UTF-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-XSS-Protection: + - 1; mode=block + content-length: + - '2909' + status: + code: 200 + message: OK +version: 1 diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirect_to_form_when_login_cancelled_by_anonymous_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirect_to_form_when_login_cancelled_by_anonymous_user.yaml new file mode 100644 index 0000000000..9dc1b259f6 --- /dev/null +++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirect_to_form_when_login_cancelled_by_anonymous_user.yaml @@ -0,0 +1,579 @@ +interactions: +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string + response: + body: + string: '' + headers: + Location: + - http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-XSS-Protection: + - 1; mode=block + content-length: + - '0' + status: + code: 302 + message: Found +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string + response: + body: + string: '' + headers: + Location: + - http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-XSS-Protection: + - 1; mode=block + content-length: + - '0' + status: + code: 302 + message: Found +version: 1 diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml index 5f77205ff3..f84249c760 100644 --- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml 
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml @@ -11,7 +11,7 @@ interactions: User-Agent: - python-requests/2.31.0 method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=sNPBec6fcOXifHOXJUS8Isq2HzPQSn7c&nonce=Fp3YwlfcSbmfgIu03qtmXXV9gbvfjcXQ + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth response: body: string: "\n\n\n\n \n @@ -24,360 +24,15 @@ interactions: rel=\"stylesheet\" />\n \n \n \n \n\n\n\n
\n - \
\n
test
\n
\n
\n - \
\n

- \ Sign in to your account\n\n

\n
\n
\n - \
\n\n\n
\n - \
\n
\n
\n \n\n \n\n\n
\n\n
\n \n\n
\n - \ \n \n - \
\n\n\n
\n\n
\n
\n - \
\n
\n - \
\n\n
\n\n
\n \n \n
\n - \
\n
\n
\n \n\n\n\n\n\n - \
\n
\n\n
\n
\n\n\n" - headers: - Cache-Control: - - no-store, must-revalidate, max-age=0 - Content-Language: - - en - Content-Security-Policy: - - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; - Content-Type: - - text/html;charset=utf-8 - Referrer-Policy: - - no-referrer - Set-Cookie: - - AUTH_SESSION_ID=05378cb8-f36f-46c5-b45d-d7e8b18f0cfe; Version=1; Path=/realms/test/; - SameSite=None; Secure; HttpOnly - - AUTH_SESSION_ID_LEGACY=05378cb8-f36f-46c5-b45d-d7e8b18f0cfe; Version=1; Path=/realms/test/; - HttpOnly - - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6InNOUEJlYzZmY09YaWZIT1hKVVM4SXNxMkh6UFFTbjdjIiwibm9uY2UiOiJGcDNZd2xmY1NibWZnSXUwM3F0bVhYVjlnYnZmamNYUSJ9fQ.8_8p8fwiHjn8EAtcGLElh7pKm05chW5tp4-OyUGI6kM; - Version=1; Path=/realms/test/; HttpOnly - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-Robots-Tag: - - none - X-XSS-Protection: - - 1; mode=block - content-length: - - '4466' - status: - code: 200 - message: OK -- request: - body: username=testuser&password=testuser&credentialId=&login=Sign+In - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - Content-Length: - - '63' - Content-Type: - - application/x-www-form-urlencoded - Cookie: - - AUTH_SESSION_ID_LEGACY=05378cb8-f36f-46c5-b45d-d7e8b18f0cfe; 
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6InNOUEJlYzZmY09YaWZIT1hKVVM4SXNxMkh6UFFTbjdjIiwibm9uY2UiOiJGcDNZd2xmY1NibWZnSXUwM3F0bVhYVjlnYnZmamNYUSJ9fQ.8_8p8fwiHjn8EAtcGLElh7pKm05chW5tp4-OyUGI6kM - User-Agent: - - python-requests/2.31.0 - method: POST - uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=vLfSUp0a254DqgGeg3o734OArEFBuG_N3gloNTrZ5cQ&execution=6f3a64ce-e337-4638-b1af-f6a92e763f3a&client_id=testid&tab_id=FRRI8EdOiCA - response: - body: - string: '' - headers: - Cache-Control: - - no-store, must-revalidate, max-age=0 - Content-Security-Policy: - - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; - Location: - - http://testserver/digid-oidc/callback/?state=sNPBec6fcOXifHOXJUS8Isq2HzPQSn7c&session_state=05378cb8-f36f-46c5-b45d-d7e8b18f0cfe&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=1d209089-03a1-4625-a8bb-66995d3955e3.05378cb8-f36f-46c5-b45d-d7e8b18f0cfe.adf4ad83-4550-4619-9231-73bd8d700f45 - Referrer-Policy: - - no-referrer - Set-Cookie: - - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 - 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly - - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; - Path=/realms/test/; HttpOnly - - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; - Path=/realms/test/ - - 
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTYzNDcwOTIsImlhdCI6MTcxNjMxMTA5MiwianRpIjoiMzcyN2E2ODAtYTQyYy00NGE3LTgxMzMtOWY4M2UzZmU5ZWE5IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIwNTM3OGNiOC1mMzZmLTQ2YzUtYjQ1ZC1kN2U4YjE4ZjBjZmUiLCJzaWQiOiIwNTM3OGNiOC1mMzZmLTQ2YzUtYjQ1ZC1kN2U4YjE4ZjBjZmUiLCJzdGF0ZV9jaGVja2VyIjoiU2NUS0E3U0NSUFFDSnF6TFBRLXRpTWxCdDJya2J3eWN1TVVhYVZjbUdlWSJ9.3oKeOjyKfksiU0yS4TPnKONe5opZ1MpBu9gCsxgUnMY; - Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly - - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTYzNDcwOTIsImlhdCI6MTcxNjMxMTA5MiwianRpIjoiMzcyN2E2ODAtYTQyYy00NGE3LTgxMzMtOWY4M2UzZmU5ZWE5IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIwNTM3OGNiOC1mMzZmLTQ2YzUtYjQ1ZC1kN2U4YjE4ZjBjZmUiLCJzaWQiOiIwNTM3OGNiOC1mMzZmLTQ2YzUtYjQ1ZC1kN2U4YjE4ZjBjZmUiLCJzdGF0ZV9jaGVja2VyIjoiU2NUS0E3U0NSUFFDSnF6TFBRLXRpTWxCdDJya2J3eWN1TVVhYVZjbUdlWSJ9.3oKeOjyKfksiU0yS4TPnKONe5opZ1MpBu9gCsxgUnMY; - Version=1; Path=/realms/test/; HttpOnly - - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/05378cb8-f36f-46c5-b45d-d7e8b18f0cfe; - Version=1; Expires=Wed, 22-May-2024 03:04:52 GMT; Max-Age=36000; Path=/realms/test/; - SameSite=None; Secure - - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/05378cb8-f36f-46c5-b45d-d7e8b18f0cfe; - Version=1; Expires=Wed, 22-May-2024 03:04:52 GMT; Max-Age=36000; Path=/realms/test/ - - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 - 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly - Strict-Transport-Security: - - max-age=31536000; 
includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-Robots-Tag: - - none - X-XSS-Protection: - - 1; mode=block - content-length: - - '0' - status: - code: 302 - message: Found -- request: - body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=1d209089-03a1-4625-a8bb-66995d3955e3.05378cb8-f36f-46c5-b45d-d7e8b18f0cfe.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - Content-Length: - - '273' - Content-Type: - - application/x-www-form-urlencoded - User-Agent: - - python-requests/2.31.0 - method: POST - uri: http://localhost:8080/realms/test/protocol/openid-connect/token - response: - body: - string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.Ch-EwZGKnop6PYKHnEdBkZAClzcv7ZAXOkvr2N3Ag9u5LNfqbVsCCwD66LdkgJn3GV1a59y3EfSS_P4YuGD4SMGvvoi4OO6E6hsTk7AyKGlRLkdBILDQxv7foVSKYBQM3e5wKS6EUnHg3lXe7kUERxuTWFHfUBdTGXcL4MUkGscrvo9R3HG88dEUy4uNsMSknmH5hk4zT_-gzcrdpYl-aN1fY1n87ufoQmIweiFIm1b5TuHAtMUHaqsBGe5hqoqXpJoBH0JsNi86ny_z68zaH_b_7TnHeBh9-p48B1D58vKW-ZK3iIT_YVStQ2-aU0ScFGc5CIUHaR-NavJco6R8gw","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.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.WpDfBcQOUdAI99GCHs_yIx9vJekkp6cCKZ6Z76XVfx0","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.KR-2R7PyhVWelIfvJ2adHv_Ghx-V8hfN8MooKgN14wsJzcum_Yz1MwYt9bfrZHNIOHVvgTBSe9NYZllB_xp5VS4OMS0bm6-8enyB2Up1Rl2YDf6duFBp5x2S8TdU7_Ag9-yrtIJg2H6im2bCawnA6S9kIbxnMp
2h6D_DT6iWzcCxy4NOTtBJDWtDoenVeY0qMJ2l5bvUB__plGXOzLcaFJtiUhoUuZ2xzexO-cAOX3R8A-7dRB22_O8ZnOw8kpRwBfiEt78XWO8O4neaVayCGG3jdYiysO5dppfPUAMkJr-b_OUzC7aq27XwbE7T6mSJ9gFlIz4dlqgqnYLnnE5-4A","not-before-policy":0,"session_state":"05378cb8-f36f-46c5-b45d-d7e8b18f0cfe","scope":"openid - email profile kvk bsn"}' - headers: - Cache-Control: - - no-store - Content-Type: - - application/json - Pragma: - - no-cache - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-XSS-Protection: - - 1; mode=block - content-length: - - '3527' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/certs - response: - body: - string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["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"],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2M
bs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}' - headers: - Cache-Control: - - no-cache - Content-Type: - - application/json;charset=UTF-8 - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-XSS-Protection: - - 1; mode=block - content-length: - - '2909' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Authorization: - - Bearer 
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.Ch-EwZGKnop6PYKHnEdBkZAClzcv7ZAXOkvr2N3Ag9u5LNfqbVsCCwD66LdkgJn3GV1a59y3EfSS_P4YuGD4SMGvvoi4OO6E6hsTk7AyKGlRLkdBILDQxv7foVSKYBQM3e5wKS6EUnHg3lXe7kUERxuTWFHfUBdTGXcL4MUkGscrvo9R3HG88dEUy4uNsMSknmH5hk4zT_-gzcrdpYl-aN1fY1n87ufoQmIweiFIm1b5TuHAtMUHaqsBGe5hqoqXpJoBH0JsNi86ny_z68zaH_b_7TnHeBh9-p48B1D58vKW-ZK3iIT_YVStQ2-aU0ScFGc5CIUHaR-NavJco6R8gw - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo - response: - body: - string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw - headers: - Cache-Control: - - no-cache - Content-Type: - - application/jwt - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-XSS-Protection: - - 1; mode=block - content-length: - - '714' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/certs - response: - 
body: - string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["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"],"x5t":"A
lfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}' - headers: - Cache-Control: - - no-cache - Content-Type: - - application/json;charset=UTF-8 - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-XSS-Protection: - - 1; mode=block - content-length: - - '2909' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=hfeHm6X6fjbTjhRjEpmuTW8evTZD1fXR&nonce=hpjzy0vRfqZAFh4CMXiRYK43ztIvexB7 - response: - body: - string: "\n\n\n\n \n - \ \n \n\n \n Sign - in to test\n \n \n \n \n \n \n \n\n\n\n
\n + rel=\"stylesheet\" />\n\n\n\n
\n \
\n
test
\n
\n
\n \
\n

- \ Sign in to your account\n\n

\n
\n
\n - \
\n\n\n
\n - \
\n
\n
\n \n\n \n\n\n
\n\n
\n \n\n
\n - \ \n \n - \
\n\n\n
\n\n
\n
\n - \
\n
\n - \
\n\n
\n\n
\n \n \n
\n - \
\n
\n
\n \n\n\n\n\n\n + \ We are sorry...\n\n \n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n \
\n
\n\n
\n
\n\n\n" headers: - Cache-Control: - - no-store, must-revalidate, max-age=0 Content-Language: - en Content-Security-Policy: 
@@ -386,77 +41,6 @@ interactions: - text/html;charset=utf-8 Referrer-Policy: - no-referrer - Set-Cookie: - - AUTH_SESSION_ID=1bd4c552-8cec-484c-9afc-64b088292651; Version=1; Path=/realms/test/; - SameSite=None; Secure; HttpOnly - - AUTH_SESSION_ID_LEGACY=1bd4c552-8cec-484c-9afc-64b088292651; Version=1; Path=/realms/test/; - HttpOnly - - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6ImhmZUhtNlg2ZmpiVGpoUmpFcG11VFc4ZXZUWkQxZlhSIiwibm9uY2UiOiJocGp6eTB2UmZxWkFGaDRDTVhpUllLNDN6dEl2ZXhCNyJ9fQ.Us2bAnbKAqET8WDrzGEvpl2mllq4RygU0Iz-QpOEupE; - Version=1; Path=/realms/test/; HttpOnly - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-Robots-Tag: - - none - X-XSS-Protection: - - 1; mode=block - content-length: - - '4466' - status: - code: 200 - message: OK -- request: - body: username=testuser&password=testuser&credentialId=&login=Sign+In - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - Content-Length: - - '63' - Content-Type: - - application/x-www-form-urlencoded - Cookie: - - AUTH_SESSION_ID_LEGACY=1bd4c552-8cec-484c-9afc-64b088292651; 
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6ImhmZUhtNlg2ZmpiVGpoUmpFcG11VFc4ZXZUWkQxZlhSIiwibm9uY2UiOiJocGp6eTB2UmZxWkFGaDRDTVhpUllLNDN6dEl2ZXhCNyJ9fQ.Us2bAnbKAqET8WDrzGEvpl2mllq4RygU0Iz-QpOEupE - User-Agent: - - python-requests/2.31.0 - method: POST - uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=trQDlHIDVt6O0JTpadCY9v-ebZ1Uj-dtQQXWYVftpbQ&execution=6f3a64ce-e337-4638-b1af-f6a92e763f3a&client_id=testid&tab_id=RQ05TcSsWiI - response: - body: - string: '' - headers: - Cache-Control: - - no-store, must-revalidate, max-age=0 - Content-Security-Policy: - - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; - Location: - - http://testserver/digid-oidc/callback/?state=hfeHm6X6fjbTjhRjEpmuTW8evTZD1fXR&session_state=1bd4c552-8cec-484c-9afc-64b088292651&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=df9534f4-1741-4c3c-88ae-e5dd3a3bb06e.1bd4c552-8cec-484c-9afc-64b088292651.adf4ad83-4550-4619-9231-73bd8d700f45 - Referrer-Policy: - - no-referrer - Set-Cookie: - - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 - 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly - - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; - Path=/realms/test/; HttpOnly - - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; - Path=/realms/test/ - - 
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTYzNDcxNzEsImlhdCI6MTcxNjMxMTE3MSwianRpIjoiYzM3N2IxOTMtMDQ5NC00ZjAxLTg4YzgtYzljNGQ2YTYwMTczIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxYmQ0YzU1Mi04Y2VjLTQ4NGMtOWFmYy02NGIwODgyOTI2NTEiLCJzaWQiOiIxYmQ0YzU1Mi04Y2VjLTQ4NGMtOWFmYy02NGIwODgyOTI2NTEiLCJzdGF0ZV9jaGVja2VyIjoiMm9VN0dmdmhJVlZmNy13dTRNUmJDbTJ4OF9uTXZOSVliRU1uT3gtZzFicyJ9.ANaKvuutr5kZreGx_o7CI4ineBR5QFfWK5LPZbQRRDo; - Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly - - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTYzNDcxNzEsImlhdCI6MTcxNjMxMTE3MSwianRpIjoiYzM3N2IxOTMtMDQ5NC00ZjAxLTg4YzgtYzljNGQ2YTYwMTczIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxYmQ0YzU1Mi04Y2VjLTQ4NGMtOWFmYy02NGIwODgyOTI2NTEiLCJzaWQiOiIxYmQ0YzU1Mi04Y2VjLTQ4NGMtOWFmYy02NGIwODgyOTI2NTEiLCJzdGF0ZV9jaGVja2VyIjoiMm9VN0dmdmhJVlZmNy13dTRNUmJDbTJ4OF9uTXZOSVliRU1uT3gtZzFicyJ9.ANaKvuutr5kZreGx_o7CI4ineBR5QFfWK5LPZbQRRDo; - Version=1; Path=/realms/test/; HttpOnly - - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1bd4c552-8cec-484c-9afc-64b088292651; - Version=1; Expires=Wed, 22-May-2024 03:06:11 GMT; Max-Age=36000; Path=/realms/test/; - SameSite=None; Secure - - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1bd4c552-8cec-484c-9afc-64b088292651; - Version=1; Expires=Wed, 22-May-2024 03:06:11 GMT; Max-Age=36000; Path=/realms/test/ - - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 - 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly Strict-Transport-Security: - max-age=31536000; 
includeSubDomains X-Content-Type-Options: 
@@ -468,161 +52,10 @@ interactions: X-XSS-Protection: - 1; mode=block content-length: - - '0' - status: - code: 302 - message: Found -- request: - body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=df9534f4-1741-4c3c-88ae-e5dd3a3bb06e.1bd4c552-8cec-484c-9afc-64b088292651.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - Content-Length: - - '273' - Content-Type: - - application/x-www-form-urlencoded - User-Agent: - - python-requests/2.31.0 - method: POST - uri: http://localhost:8080/realms/test/protocol/openid-connect/token - response: - body: - string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.h3pK8wjCzG5HYTFbMIQhi9BeTQq2XHyLXrB34xig8aR8rlSFezxW8hJNdgJrrIfTkPYSeBB3qnTVBsqFRIqSHJ8PCtREfcXLw8Qjw1O-AKy_MXCKOp_JVnTyOS0CRpTNvsF-QE7Hf1OLkEhsXiIhfviDFUceYZ4Xq9DxbVLyTHFcZON5TR_O8opGFA7QSPZWESyUdRfcBmk2VPyHzzmkjWZyYzdUXNGBTNJpbzxCI_uzwhK11ZWRCqAhXVQfFHznfZA9uIzrrNiY3wKFer8ryUrFVfHzwFtCAqzr61toPvqGgz9WKaUbNH6mNIumMOo_ZTGIEqt_d7-ckkVqWsm1xw","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.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.t8BssAmYjTNuDnr5CYCsbi1eRFH0WqgZqY4YkgX3Wqg","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.RyG7yX0hd2r0YfTbcCzN5DNJW40lwOrLoU06X13jBEX_NcSZRMSKkuPCcNcoprruMKCMydJAf34hiGmV9IFPZFzkY0Xmv7Rg4Zv5GSQCUp-0IbQAMEE-S3CBn3ARcQdEIQ5rbCl-DLqIU9fCCwpvHNx9TM1s_jkPUJUBMTn8O2ziIg63D63HL_GeS7XxdScHWrJYjLYrfs0LUpvBwJSEFSYnAovEM-SJ7fJejLIu9XVH-MIFItz
SAahj3i5lNKk_DGQcNUyR5AeKA_-9xteW8qk9iW957mumhczkHeXb3igwULBNO0vFX980DDZEyquqWS2IGSMtEV1V_Sov7xjGLg","not-before-policy":0,"session_state":"1bd4c552-8cec-484c-9afc-64b088292651","scope":"openid - email profile kvk bsn"}' - headers: - Cache-Control: - - no-store - Content-Type: - - application/json - Pragma: - - no-cache - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-XSS-Protection: - - 1; mode=block - content-length: - - '3527' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/certs - response: - body: - string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC
9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["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"],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}' - headers: - Cache-Control: - - no-cache - Content-Type: - - application/json;charset=UTF-8 - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-XSS-Protection: - - 1; mode=block - content-length: - - '2909' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Authorization: - - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.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.h3pK8wjCzG5HYTFbMIQhi9BeTQq2XHyLXrB34xig8aR8rlSFezxW8hJNdgJrrIfTkPYSeBB3qnTVBsqFRIqSHJ8PCtREfcXLw8Qjw1O-AKy_MXCKOp_JVnTyOS0CRpTNvsF-QE7Hf1OLkEhsXiIhfviDFUceYZ4Xq9DxbVLyTHFcZON5TR_O8opGFA7QSPZWESyUdRfcBmk2VPyHzzmkjWZyYzdUXNGBTNJpbzxCI_uzwhK11ZWRCqAhXVQfFHznfZA9uIzrrNiY3wKFer8ryUrFVfHzwFtCAqzr61toPvqGgz9WKaUbNH6mNIumMOo_ZTGIEqt_d7-ckkVqWsm1xw - Connection: - - keep-alive - 
User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo - response: - body: - string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw - headers: - Cache-Control: - - no-cache - Content-Type: - - application/jwt - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-XSS-Protection: - - 1; mode=block - content-length: - - '714' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate, br - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/certs - response: - body: - string: 
'{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["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"],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["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"],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}' - headers: - Cache-Control: - - no-cache - Content-Type: - - application/json;charset=UTF-8 - Referrer-Policy: - - no-referrer - Strict-Transport-Security: - - max-age=31536000; includeSubDomains - X-Content-Type-Options: - - nosniff - X-Frame-Options: - - SAMEORIGIN - X-XSS-Protection: - - 1; mode=block - content-length: - - '2909' + - '1573' status: - code: 200 - message: OK + code: 400 + message: Bad Request - request: body: null headers: 
@@ -635,7 +68,7 @@ interactions: User-Agent: - python-requests/2.31.0 method: GET - uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=mPtav1QVaUJvpZ81HoH2LqqCAOiBO9Qn&nonce=ppE7NX1RKdH0LHkR2Nyy1FEa9PWDiqrH + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string response: body: string: "\n\n\n\n \n @@ -650,8 +83,8 @@ interactions: rel=\"stylesheet\" />\n \n \n\n\n\n
\n \
\n
test
\n
\n
\n @@ -659,7 +92,7 @@ interactions: \ Sign in to your account\n\n\n \n
\n \
\n\n\n
\n \
\n
\n
\n \n\n \n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +version: 1 diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml new file mode 100644 index 0000000000..f334b20db5 --- /dev/null +++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml @@ -0,0 +1,59 @@ +interactions: +- request: + body: null + headers: + Accept: + - '*/*' + Accept-Encoding: + - gzip, deflate, br + Connection: + - keep-alive + User-Agent: + - python-requests/2.31.0 + method: GET + uri: http://localhost:8080/realms/test/protocol/openid-connect/auth + response: + body: + string: "\n\n\n\n \n + \ \n \n\n \n Sign + in to test\n \n \n \n \n \n \n\n\n\n
\n + \
\n
test
\n
\n
\n + \
\n

+ \ We are sorry...\n

\n
\n
\n + \
\n\n\n
\n + \

Invalid Request

\n
\n\n\n\n + \
\n
\n\n
\n
\n\n\n" + headers: + Content-Language: + - en + Content-Security-Policy: + - frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + Content-Type: + - text/html;charset=utf-8 + Referrer-Policy: + - no-referrer + Strict-Transport-Security: + - max-age=31536000; includeSubDomains + X-Content-Type-Options: + - nosniff + X-Frame-Options: + - SAMEORIGIN + X-Robots-Tag: + - none + X-XSS-Protection: + - 1; mode=block + content-length: + - '1573' + status: + code: 400 + message: Bad Request +version: 1 diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py deleted file mode 100644 index 6406a15ce7..0000000000 --- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py +++ /dev/null 
@@ -1,293 +0,0 @@ -from unittest.mock import patch - -from django.test import TestCase, override_settings, tag -from django.urls import reverse - -import requests_mock -from furl import furl -from rest_framework import status - -from digid_eherkenning_oidc_generics.models import OpenIDConnectPublicConfig -from openforms.accounts.tests.factories import StaffUserFactory -from openforms.authentication.tests.utils import get_start_form_url, get_start_url -from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER -from openforms.forms.tests.factories import FormFactory - -default_config = OpenIDConnectPublicConfig( - enabled=True, - oidc_rp_client_id="testclient", - oidc_rp_client_secret="secret", - oidc_rp_sign_algo="RS256", - oidc_rp_scopes_list=["openid", "bsn"], - oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs", - oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth", - oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token", - oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo", -) - - -@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True) -class DigiDOIDCTests(TestCase): - @classmethod - def setUpTestData(cls): - super().setUpTestData() - cls.form = FormFactory.create( - generate_minimal_setup=True, - authentication_backends=["digid_oidc"], - ) - - def setUp(self): - super().setUp() - - config_patcher = patch( - "digid_eherkenning_oidc_generics.models.OpenIDConnectPublicConfig.get_solo", - return_value=default_config, - ) - self.mock_config = config_patcher.start() - self.addCleanup(config_patcher.stop) - - self.requests_mocker = requests_mock.Mocker() - self.addCleanup(self.requests_mocker.stop) - self.requests_mocker.start() - - @patch( - "digid_eherkenning_oidc_generics.new_backends.DigiDEHerkenningOIDCBackend.verify_token", - return_value={"bsn": "123456789"}, - 
) - def test_redirect_to_digid_oidc(self, mock_verify_token): - # TODO: switch to VCR instead of request mocks... - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=200, - ) - self.requests_mocker.post( - "http://provider.com/auth/realms/master/protocol/openid-connect/token", - json={ - "id_token": "-dummy-id-token-", - "access_token": "-dummy-access-token-", - }, - ) - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/userinfo", - json={"bsn": "123456789"}, - ) - form_url = get_start_form_url(self.form) - start_url = get_start_url(self.form, plugin_id="digid_oidc") - callback_url, oidc_login_next = "", "" - - response = self.client.get(start_url) - - with self.subTest("Sends user to IdP"): - self.assertEqual(status.HTTP_302_FOUND, response.status_code) - - redirect_target = furl(response.url) # type: ignore - query_params = redirect_target.query.params - - self.assertEqual(redirect_target.host, "provider.com") - self.assertEqual( - redirect_target.path, - "/auth/realms/master/protocol/openid-connect/auth", - ) - self.assertEqual(query_params["scope"], "openid bsn") - self.assertEqual(query_params["client_id"], "testclient") - self.assertEqual( - (redirect_uri := query_params["redirect_uri"]), - f"http://testserver{reverse('digid_oidc:callback')}", - ) - - assert isinstance(redirect_uri, str) - callback_url = ( - furl(redirect_uri) - .set( - { - "state": query_params["state"], # CSRF protection - "code": "-dummy-", - } - ) - .url - ) - - with self.subTest("Return state setup"): - oidc_login_next = furl(self.client.session["oidc_login_next"]) - query_params = oidc_login_next.query.params - - self.assertEqual( - oidc_login_next.path, - reverse( - "authentication:return", - kwargs={"slug": self.form.slug, "plugin_id": "digid_oidc"}, - ), - ) - self.assertEqual(query_params["next"], form_url) - - with self.subTest("Callback view/backend"): - # possibly something 
else failed earlier, no point in validating the return - # flow. - if callback_url and oidc_login_next: - response = self.client.get(callback_url) - - mock_verify_token.assert_called_once() - self.assertRedirects( - response, str(oidc_login_next), fetch_redirect_response=False - ) - - def test_redirect_to_digid_oidc_internal_server_error(self): - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=500, - ) - start_url = get_start_url(self.form, plugin_id="digid_oidc") - - response = self.client.get(start_url) - - self.assertEqual(status.HTTP_302_FOUND, response.status_code) - assert self.requests_mocker.last_request is not None - self.assertEqual( - self.requests_mocker.last_request.url, - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - ) - parsed = furl(response.url) # type: ignore - - self.assertEqual(parsed.host, "testserver") - self.assertEqual(parsed.path, f"/{self.form.slug}/") - query_params = parsed.query.params - self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_oidc") - - def test_redirect_to_digid_oidc_callback_error(self): - # set up session/state - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=200, - ) - start_url = get_start_url(self.form, plugin_id="digid_oidc") - response = self.client.get(start_url) - assert response.status_code == 302 - assert response.url.startswith("http://provider.com") # type: ignore - - with patch( - "openforms.authentication.contrib.digid_eherkenning_oidc.backends" - ".OIDCAuthenticationDigiDBackend.verify_claims", - return_value=False, - ): - response = self.client.get(reverse("digid_oidc:callback")) - - self.assertEqual(response.status_code, status.HTTP_302_FOUND) - - parsed = furl(response.url) - query_params = parsed.query.params - - self.assertEqual(parsed.path, f"/{self.form.slug}/") - self.assertEqual(query_params["_start"], "1") - 
self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_oidc") - - @override_settings(CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=[]) - def test_redirect_to_disallowed_domain(self): - start_url = get_start_url( - self.form, plugin_id="digid_oidc", host="http://example.com" - ) - - response = self.client.get(start_url) - - self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) - - @override_settings( - CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=["http://example.com"] - ) - def test_redirect_to_allowed_domain(self): - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=200, - ) - form_url = get_start_form_url(self.form, host="http://example.com") - start_url = get_start_url( - self.form, plugin_id="digid_oidc", host="http://example.com" - ) - - response = self.client.get(start_url) - - with self.subTest("Sends user to IdP"): - self.assertEqual(status.HTTP_302_FOUND, response.status_code) - self.assertTrue(response.url.startswith("http://provider.com/")) # type: ignore - - with self.subTest("Return state setup"): - oidc_login_next = furl(self.client.session["oidc_login_next"]) - expected_next = reverse( - "authentication:return", - kwargs={"slug": self.form.slug, "plugin_id": "digid_oidc"}, - ) - self.assertEqual(oidc_login_next.path, expected_next) - query_params = oidc_login_next.query.params - self.assertEqual(query_params["next"], form_url) - - def test_redirect_with_keycloak_identity_provider_hint(self, *m): - self.mock_config.return_value.oidc_keycloak_idp_hint = "oidc-digid" - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=200, - ) - start_url = get_start_url(self.form, plugin_id="digid_oidc") - - response = self.client.get(start_url) - - self.assertEqual(status.HTTP_302_FOUND, response.status_code) - parsed = furl(response.url) # type: ignore - query_params = parsed.query.params - 
self.assertEqual(query_params["kc_idp_hint"], "oidc-digid") - - @tag("gh-3656", "gh-3692") - # This is an example of a specific provider. It may differ when a different provider is used. - # According to https://openid.net/specs/openid-connect-core-1_0.html#AuthError and - # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the error we expect from OIDC - def test_redirect_to_form_when_login_cancelled_by_anonymous_user(self): - # set up session/state - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=200, - ) - start_url = get_start_url(self.form, plugin_id="digid_oidc") - response = self.client.get(start_url) - assert response.status_code == 302 - assert response.url.startswith("http://provider.com") # type: ignore - - response = self.client.get( - reverse("digid_oidc:callback"), - { - "error": "access_denied", - "error_description": "The user cancelled", - }, - ) - - self.assertEqual(response.status_code, status.HTTP_302_FOUND) - - parsed = furl(response.url) # type: ignore - query_params = parsed.query.params - - self.assertEqual(query_params["_digid-message"], "login-cancelled") - self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER)) - - @tag("gh-3656", "gh-3692") - def test_redirect_to_form_when_login_cancelled_by_authenticated_user(self): - # set up session/state - self.requests_mocker.get( - "http://provider.com/auth/realms/master/protocol/openid-connect/auth", - status_code=200, - ) - user = StaffUserFactory.create() - start_url = get_start_url(self.form, plugin_id="digid_oidc") - self.client.force_login(user=user) - response = self.client.get(start_url) - assert response.status_code == 302 - assert response.url.startswith("http://provider.com") # type: ignore - - response = self.client.get( - reverse("digid_oidc:callback"), - {"error": "access_denied", "error_description": "The user cancelled"}, - ) - - self.assertEqual(response.status_code, 
status.HTTP_302_FOUND) - - parsed = furl(response.url) - query_params = parsed.query.params - - self.assertEqual(query_params["_digid-message"], "login-cancelled") - self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER)) diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow.py index d2a1b02981..8497c539f6 100644 --- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow.py +++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow.py @@ -15,16 +15,19 @@ from pathlib import Path from unittest.mock import patch -from django.test import TestCase, override_settings +from django.test import override_settings, tag from django.urls import reverse_lazy +import requests from django_webtest import WebTest from furl import furl from digid_eherkenning_oidc_generics.models import ( OpenIDConnectPublicConfig as DigiDConfig, ) +from openforms.accounts.tests.factories import StaffUserFactory from openforms.authentication.tests.utils import URLsHelper +from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER from openforms.forms.tests.factories import FormFactory from openforms.utils.tests.vcr import OFVCRMixin 
@@ -36,27 +39,43 @@ @contextmanager -def mock_digid_config(): - config = DigiDConfig( - enabled=True, - oidc_rp_client_id="testid", - oidc_rp_client_secret="7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I", - oidc_rp_sign_algo="RS256", - oidc_rp_scopes_list=["openid", "bsn"], - oidc_op_jwks_endpoint=f"{KEYCLOAK_BASE_URL}/certs", - oidc_op_authorization_endpoint=f"{KEYCLOAK_BASE_URL}/auth", - oidc_op_token_endpoint=f"{KEYCLOAK_BASE_URL}/token", - oidc_op_user_endpoint=f"{KEYCLOAK_BASE_URL}/userinfo", - ) - with patch( - "digid_eherkenning_oidc_generics.models.OpenIDConnectPublicConfig.get_solo", - return_value=config, +def mock_digid_config(**overrides): + """ + Bundle all the required mocks. + + This context manager deliberately prevents the mocked things from being injected in + the test method signature. + """ + defaults = { + "enabled": True, + "oidc_rp_client_id": "testid", + "oidc_rp_client_secret": "7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I", + "oidc_rp_sign_algo": "RS256", + "oidc_rp_scopes_list": ["openid", "bsn"], + "oidc_op_jwks_endpoint": f"{KEYCLOAK_BASE_URL}/certs", + "oidc_op_authorization_endpoint": f"{KEYCLOAK_BASE_URL}/auth", + "oidc_op_token_endpoint": f"{KEYCLOAK_BASE_URL}/token", + "oidc_op_user_endpoint": f"{KEYCLOAK_BASE_URL}/userinfo", + } + field_values = {**defaults, **overrides} + with ( + # bypass django-solo queries + cache hits + patch( + "digid_eherkenning_oidc_generics.models.OpenIDConnectPublicConfig.get_solo", + return_value=DigiDConfig(**field_values), + ), + # mock the state & nonce random value generation so we get predictable URLs to + # match with VCR + patch( + "mozilla_django_oidc.views.get_random_string", + return_value="not-a-random-string", + ), ): yield @override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True) -class DigiDInitTests(OFVCRMixin, TestCase): +class DigiDInitTests(OFVCRMixin, WebTest): """ Test the outbound part of OIDC-based DigiD authentication. """ 
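Review bot: Patching `mozilla_django_oidc.views.get_random_string` to return `"not-a-random-string"` gives every test that uses `mock_digid_config` the same `state` and `nonce`. These tests therefore cannot show that a callback carrying a different `state` is rejected. The comment above the patch should say so, e.g. `# test-only: constant state/nonce, so state and nonce validation is NOT exercised through this helper`. A separate test that sends a callback with a mismatching `state` and expects a rejection would cover the gap. The docstring could also note that `**overrides` are `DigiDConfig` field values layered over the defaults.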
@@ -66,16 +85,13 @@ class DigiDInitTests(OFVCRMixin, TestCase): @mock_digid_config() def test_start_flow_redirects_to_oidc_provider(self): - form = FormFactory.create( - generate_minimal_setup=True, - authentication_backends=["digid_oidc"], - ) + form = FormFactory.create(authentication_backends=["digid_oidc"]) start_url = URLsHelper(form=form).get_auth_start(plugin_id="digid_oidc") - response = self.client.get(start_url) + response = self.app.get(start_url) self.assertEqual(response.status_code, 302) - redirect_target = furl(response.url) # type: ignore + redirect_target = furl(response["Location"]) query_params = redirect_target.query.params self.assertEqual(redirect_target.host, "localhost") self.assertEqual(redirect_target.port, 8080) 
@@ -87,6 +103,35 @@ def test_start_flow_redirects_to_oidc_provider(self): self.assertEqual(query_params["client_id"], "testid") self.assertEqual(query_params["redirect_uri"], self.CALLBACK_URL) + @mock_digid_config( + oidc_op_authorization_endpoint="http://localhost:8080/i-dont-exist" + ) + def test_idp_availability_check(self): + form = FormFactory.create(authentication_backends=["digid_oidc"]) + url_helper = URLsHelper(form=form) + start_url = url_helper.get_auth_start(plugin_id="digid_oidc") + + response = self.app.get(start_url) + + self.assertEqual(response.status_code, 302) + redirect_url = furl(response["Location"]) + self.assertEqual(redirect_url.host, "testserver") + self.assertEqual(redirect_url.path, url_helper.form_path) + query_params = redirect_url.query.params + self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_oidc") + + @mock_digid_config(oidc_keycloak_idp_hint="oidc-digid") + def test_keycloak_idp_hint_is_respected(self): + form = FormFactory.create(authentication_backends=["digid_oidc"]) + url_helper = URLsHelper(form=form) + start_url = url_helper.get_auth_start(plugin_id="digid_oidc") + + response = self.app.get(start_url) + + self.assertEqual(response.status_code, 302) + redirect_url = furl(response["Location"]) + self.assertEqual(redirect_url.args["kc_idp_hint"], "oidc-digid") + @override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True) class DigiDCallbackTests(OFVCRMixin, WebTest): @@ -98,10 +143,7 @@ class DigiDCallbackTests(OFVCRMixin, WebTest): @mock_digid_config() def test_redirects_after_successful_auth(self): - form = FormFactory.create( - generate_minimal_setup=True, - authentication_backends=["digid_oidc"], - ) + form = FormFactory.create(authentication_backends=["digid_oidc"]) url_helper = URLsHelper(form=form) start_url = url_helper.get_auth_start(plugin_id="digid_oidc") start_response = self.app.get(start_url) 
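Review bot: `test_idp_availability_check` does not say which failure mode it covers. The authorization endpoint is pointed at `http://localhost:8080/i-dont-exist`, so what gets replayed is presumably an error response from a reachable Keycloak; the cassette is outside this hunk. An IdP that cannot be reached at all (connection refused, timeout) stays untested. A second case that makes the probe raise `requests.ConnectionError` and expects the same redirect carrying `BACKEND_OUTAGE_RESPONSE_PARAMETER` would cover it. A comment such as `# the endpoint path does not exist on the IdP, which the availability check must report as an outage` would document the case that is covered.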
@@ -113,3 +155,84 @@ def test_redirects_after_successful_auth(self): callback_response = self.app.get(redirect_uri, auto_follow=True) self.assertEqual(callback_response.request.url, url_helper.frontend_start) + + @mock_digid_config(identifier_claim_name="absent-claim") + def test_failing_claim_verification(self): + form = FormFactory.create(authentication_backends=["digid_oidc"]) + url_helper = URLsHelper(form=form) + start_url = url_helper.get_auth_start(plugin_id="digid_oidc") + start_response = self.app.get(start_url) + # simulate login to Keycloak + redirect_uri = keycloak_login(start_response["Location"]) + + # complete the login flow on our end + callback_response = self.app.get(redirect_uri, auto_follow=True) + + # XXX: shouldn't this be "digid" so that the correct error message is rendered? + # Query: ?_digid-message=error + expected_url = furl(url_helper.frontend_start).add( + {BACKEND_OUTAGE_RESPONSE_PARAMETER: "digid_oidc"} + ) + self.assertEqual(callback_response.request.url, str(expected_url)) + + @tag("gh-3656", "gh-3692") + @mock_digid_config(oidc_rp_scopes_list=["badscope"]) + def test_digid_error_reported_for_cancelled_login_anon_django_user(self): + form = FormFactory.create(authentication_backends=["digid_oidc"]) + url_helper = URLsHelper(form=form) + start_url = url_helper.get_auth_start(plugin_id="digid_oidc") + # initialize state, but don't actually log in - we have an invalid config and + # keycloak redirects back to our callback URL with error parameters. + start_response = self.app.get(start_url) + auth_response = requests.get(start_response["Location"], allow_redirects=False) + # check out assumptions/expectations before proceeding + callback_url = furl(auth_response.headers["Location"]) + assert callback_url.netloc == "testserver" + assert "state" in callback_url.args + # modify the error parameters - there doesn't seem to be an obvious way to trigger + # this via keycloak itself. + # Note: this is an example of a specific provider. 
It may differ when a + # different provider is used. According to + # https://openid.net/specs/openid-connect-core-1_0.html#AuthError and + # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the + # error we expect from OIDC. + callback_url.args.update( + {"error": "access_denied", "error_description": "The user cancelled"} + ) + + callback_response = self.app.get(str(callback_url), auto_follow=True) + + self.assertEqual(callback_response.status_code, 200) + expected_url = furl(url_helper.frontend_start).add( + {"_digid-message": "login-cancelled"} + ) + assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args + self.assertEqual(callback_response.request.url, str(expected_url)) + + @tag("gh-3656", "gh-3692") + @mock_digid_config(oidc_rp_scopes_list=["badscope"]) + def test_digid_error_reported_for_cancelled_login_with_staff_django_user(self): + self.app.set_user(StaffUserFactory.create()) + form = FormFactory.create(authentication_backends=["digid_oidc"]) + url_helper = URLsHelper(form=form) + start_url = url_helper.get_auth_start(plugin_id="digid_oidc") + # initialize state, but don't actually log in - we have an invalid config and + # keycloak redirects back to our callback URL with error parameters. 
+ start_response = self.app.get(start_url) + auth_response = requests.get(start_response["Location"], allow_redirects=False) + # check out assumptions/expectations before proceeding + callback_url = furl(auth_response.headers["Location"]) + assert callback_url.netloc == "testserver" + assert "state" in callback_url.args + callback_url.args.update( + {"error": "access_denied", "error_description": "The user cancelled"} + ) + + callback_response = self.app.get(str(callback_url), auto_follow=True) + + self.assertEqual(callback_response.status_code, 200) + expected_url = furl(url_helper.frontend_start).add( + {"_digid-message": "login-cancelled"} + ) + assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args + self.assertEqual(callback_response.request.url, str(expected_url)) diff --git a/src/openforms/authentication/tests/utils.py b/src/openforms/authentication/tests/utils.py index 59475008f8..7d880ed3b3 100644 --- a/src/openforms/authentication/tests/utils.py +++ b/src/openforms/authentication/tests/utils.py @@ -14,13 +14,16 @@ def __init__(self, form: Form, host: str = "http://testserver"): self.form = form self.host = host + @property + def form_path(self) -> str: + return reverse("core:form-detail", kwargs={"slug": self.form.slug}) + @property def frontend_start(self) -> str: """ Compute the frontend URL that will trigger a submissions start. """ - form_path = reverse("core:form-detail", kwargs={"slug": self.form.slug}) - form_url = furl(f"{self.host}{form_path}").set({"_start": "1"}) + form_url = furl(f"{self.host}{self.form_path}").set({"_start": "1"}) return str(form_url) def get_auth_start(self, plugin_id: str) -> str:
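Review bot: `assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args` in both cancelled-login tests inspects the URL the test has just built, not the response, so it can never fail. The `assertEqual` that follows already compares the full URL, so either drop the line or check the real redirect: `self.assertNotIn(BACKEND_OUTAGE_RESPONSE_PARAMETER, furl(callback_response.request.url).args)`. The plain `assert` statements on `callback_url` are skipped under `python -O`. Using `self.assertEqual(callback_url.netloc, "testserver")` and `self.assertIn("state", callback_url.args)` keeps those precondition checks active in every run mode.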
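Review bot: The new `form_path` property has no docstring while its sibling `frontend_start` does. The two are easy to confuse: one is a host-less path, the other an absolute URL with `_start=1`. A docstring such as `"""Path of the form detail page, without host or query string."""` makes that explicit for tests like `test_idp_availability_check`, which compare it to `redirect_url.path`. The class header and the body of `get_auth_start` lie outside the hunk.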