diff --git a/.github/ISSUE_TEMPLATE/prepare-release.md b/.github/ISSUE_TEMPLATE/prepare-release.md
index 92b0df4807..67712c41e0 100644
--- a/.github/ISSUE_TEMPLATE/prepare-release.md
+++ b/.github/ISSUE_TEMPLATE/prepare-release.md
@@ -8,17 +8,32 @@ assignees: sergei-maertens
 
 - [ ] Resolve release blockers
   - [ ] ...
-- [ ] Re-generate VCR cassettes for API tests (see instructions on Taiga)
+- [ ] Re-generate VCR cassettes for API tests (see instructions on Taiga). You can find all test
+      cases with `grep OFVCRMixin -r src`
+
   - [ ] Appoinments: Qmatic
   - [ ] Suwinet
-  - [ ] DigiD/eHerkenning (Signicat)
+  - DigiD/eHerkenning (Signicat)
+
+    - [ ] `openforms.authentication.contrib.digid.tests.test_signicat_integration`
+    - [ ] `openforms.authentication.contrib.eherkenning.tests.test_signicat_integration`
+
+  - OIDC based authentication flows
+
+    - [ ] `openforms.authentication.tests.test_oidc`
+    - [ ] `openforms.authentication.contrib.digid_eherkenning_oidc`
+    - [ ] `openforms.authentication.contrib.org_oidc`
+    - [ ] `openforms.authentication.contrib.org_oidc`
+    - [ ] `openforms.tests.test_registrator_prefill`
+
   - [ ] Haal Centraal BRP Personen bevragen
-  - [ ] `src.soap.tests.test_client`
+  - [ ] `soap.tests.test_client`
   - [ ] BRK (Kadaster)
   - [ ] KVK
   - [ ] Ogone
   - [ ] Objects API (registration)
   - [ ] ZGW APIs (registration)
+
 - [ ] Release new SDK version
 - [ ] Correct SDK version pinned in `.sdk-release`
 - [ ] Check translations
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 921b3c68e8..acdcee88e6 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -2,6 +2,39 @@
 Changelog
 =========
 
+2.7.0 "TBD" (2024-07-??)
+========================
+
+This release is in development, meaning it is not finished yet or suitable for
+production use.
+
+Upgrade notes
+-------------
+
+* ⚠️ The feature flag to disable backend validation is now removed, instances relying
+  on it should verify that their existing forms works with the validation enforced.
+
+* We're consolidating the OpenID Connect *Redirect URI* endpoints into a single
+  endpoint: ``/auth/oidc/callback/``. The legacy endpoints are still enabled (by default),
+  but scheduled for removal in Open Forms 3.0.
+
+  You can already opt-in to the new behaviour through three environment variables:
+
+  - ``USE_LEGACY_OIDC_ENDPOINTS=false``: admin login
+  - ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``: DigiD/eHerkenning plugins
+  - ``USE_LEGACY_ORG_OIDC_ENDPOINTS=false``: Organization OIDC plugin
+
+  Note that the OpenID applications need to be updated on the identity provider,
+  specifically the allowed "Redirect URIs" setting needs to be updated with the
+  following path replacements:
+
+  - ``/oidc/callback/`` -> ``/auth/oidc/callback/``
+  - ``/digid-oidc/callback/`` -> ``/auth/oidc/callback/``
+  - ``/eherkenning-oidc/callback/`` -> ``/auth/oidc/callback/``
+  - ``/digid-machtigen-oidc/callback/`` -> ``/auth/oidc/callback/``
+  - ``/eherkenning-bewindvoering-oidc/callback/`` -> ``/auth/oidc/callback/``
+  - ``/org-oidc/callback/`` -> ``/auth/oidc/callback/``
+
 2.6.9 (2024-06-14)
 ==================
 
@@ -61,7 +94,6 @@ Note that 2.4.8 was never published to Docker Hub.
 * [#4390] Fixed regression introduced by #4368 that would break template variables in
   hyperlinks inside WYSIWYG content.
 
-
 2.4.8 (2024-06-14)
 ==================
 
@@ -73,17 +105,6 @@ Bugfix release
 * [#4362] Fixed a crash in the form designer when a textfield/textarea allows multiple
   values in forms with translations enabled.
 
-2.7.0-alpha.1 (2024-XX-XX)
-==========================
-
-This is an alpha release, meaning it is not finished yet or suitable for production use.
-
-Upgrade notes
--------------
-
-* ⚠️ The feature flag to disable backend validation is now removed, instances relying
-  on it should verify that their existing forms works with the validation enforced.
-
 2.6.7 (2024-05-22)
 ==================
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 18645efb85..627d1472b0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -63,7 +63,6 @@ services:
       - DB_HOST=db
       - CACHE_DEFAULT=redis:6379/0
       - CACHE_AXES=redis:6379/0
-      - CACHE_OIDC=redis:6379/0
       - CACHE_PORTALOCKER=redis:6379/0
       - ALLOWED_HOSTS=*
       - CELERY_BROKER_URL=redis://redis:6379/0
@@ -76,6 +75,11 @@ services:
       # settings used by workers and beat containers.
       - TZ=Europe/Amsterdam
       - CSP_REPORT_ONLY=yes
+      # Legacy endpoints are deprecated, new installs should opt-out of using legacy
+      # settings (the default is to use legacy endpoints).
+      - USE_LEGACY_OIDC_ENDPOINTS=no
+      - USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=no
+      - USE_LEGACY_ORG_OIDC_ENDPOINTS=no
     volumes: &web_volumes
       - media:/app/media
       - private_media:/app/private_media
diff --git a/docker/docker-compose.keycloak.yml b/docker/docker-compose.keycloak.yml
index ef88755e24..c8426bc57e 100644
--- a/docker/docker-compose.keycloak.yml
+++ b/docker/docker-compose.keycloak.yml
@@ -1,14 +1,25 @@
-version: '3.4'
+# Config taken from https://stackoverflow.com/a/77257732
+#
+# This docker-compose is for development and test purposes. Tests are recorded with
+# VCR against this instance.
+#
+#   Log in to http://localhost:8080/admin/master/console/ with `admin`/`admin`
+#   credentials.
+#
+# DO NOT USE THIS IN PRODUCTION.
+#
+
+version: '3.8'
 
 services:
   keycloak:
-    image: jboss/keycloak
+    image: quay.io/keycloak/keycloak:23.0
+    command: start-dev --import-realm
     environment:
-      - KEYCLOAK_USER=demo
-      - KEYCLOAK_PASSWORD=demo
-      - KEYCLOAK_IMPORT=/realm.json
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=admin
     volumes:
-      - ./keycloak/fixtures/realm.json:/realm.json
+      - ./keycloak/import:/opt/keycloak/data/import
     ports:
       - 8080:8080
     networks:
diff --git a/docker/keycloak/README.md b/docker/keycloak/README.md
index aab284c2d5..e769d2ae17 100644
--- a/docker/keycloak/README.md
+++ b/docker/keycloak/README.md
@@ -1,10 +1,10 @@
 # Keycloak infrastructure
 
-Open Forms supports OpenID Connect as an authentication protocol. Keycloak is
-an example of an Identity Provider that supports OIDC.
+Open Forms supports OpenID Connect as an authentication protocol. Keycloak is an example of an
+Identity Provider that supports OIDC.
 
-We include a compose stack for development and CI purposes. This is **NOT** suitable
-for production usage.
+We include a compose stack for development and testing/CI purposes. This is **NOT** suitable for
+production usage.
 
 ## docker compose
 
@@ -14,34 +14,63 @@ Start a Keycloak instance in your local environment from the parent directory:
 docker compose -f docker-compose.keycloak.yml up -d
 ```
 
-This brings up Keycloak, the admin interface is accessible at http://localhost:8080/.
-You can log in with `demo:demo`.
+This brings up Keycloak, the admin interface is accessible at http://localhost:8080/. You can now
+log in with the `admin`/`admin` credentials.
 
-In order to allow access to Keycloak via the same hostname via the Open Forms backend
-container and the browser, add the following entry to your `/etc/hosts` file:
+In order to allow access to Keycloak via the same hostname via the Open Forms backend container and
+the browser, add the following entry to your `/etc/hosts` file:
 
 ```
 127.0.0.1 keycloak.open-forms.local
 ```
 
+## Testing
 
-## Load fixtures
+This realm is used in the integration tests. We re-record the network traffic periodically (using
+VCR.py). The primary reason this setup exists, is for automated testing reasons.
 
-Before the DigiD login via OIDC can be tested, a fixture needs to be loaded.
-Assuming the docker containers specified in `docker-compose.yml` in the root directory
-are running, run the following commands:
+### Test data
 
-```bash
-cat docker/keycloak/fixtures/oidc.json | docker-compose exec web src/manage.py loaddata --format=json -
-```
+**Clients**
+
+- Client ID: `test-userinfo-jwt`, secret `ktGlGUELd1FR7dTXc84L7dJzUTjCtw9S`
+
+  Configured to return the user info as a JWT rather than JSON response.
+
+- Client ID: `testid`, secret: `7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I`
+
+**Users**
+
+- `testuser` / `testuser`, has the `bsn`, `kvk`, `name_qualifier`, `legalSubjectID` and
+  `actingSubjectID` attributes (authentication plugins: DigiD, eHerkenning)
+- `digid-machtigen` / `digid-machtigen`, has the `aanvrager.bsn`, `gemachtigde.bsn` and
+  `service_id` attributes (for DigiD machtigen)
+- `eherkenning-bewindvoering` / `eherkenning-bewindvoering`, has the `legalSubjectID`
+  (kvk), `actingSubjectID` (pseudo ID), `representeeBSN`, `service_id`, `service_uuid`,
+  and `name_qualifier`  attributes (for eHerkenning bewindvoering)
+- `admin` / `admin`, intended to create as django user (can be made staff). The email
+  address is `admin@example.com`.
 
-This loads an example form configured to use DigiD via OIDC for authentication and
-it loads a configuration to connect to our Keycloak instance.
+## Exporting the Realm
 
-## Test login flow
+In short - exporting through the admin UI (rightfully) obfuscates client secrets and user
+credentials. However, for reproducible builds/environments, we want to include this data in the
+Realm export.
 
-To test the login flow, navigate to `http://127.0.0.1:8000/digid-oidc/`
-(not `localhost`, because this domain is not on the allowlist in the Keycloak config).
+Ensure the service is up and running through docker-compose.
 
-Click `Inloggen met DigiD` and fill in `testuser` for both username and password
-in the Keycloak login screen. If everything succeeded, you are now redirected back to the form.
+Ensure that UID `1000` can write to `./keycloak/import/`:
+
+```bash
+chmod o+rwx ./keycloak/import/
+```
+
+Then open another terminal and run:
+
+```bash
+docker-compose -f docker-compose.keycloak.yml exec keycloak \
+   /opt/keycloak/bin/kc.sh \
+   export \
+   --file /opt/keycloak/data/import/test-realm.json \
+   --realm test
+```
diff --git a/docker/keycloak/fixtures/oidc.json b/docker/keycloak/fixtures/oidc.json
deleted file mode 100644
index 376392f0c9..0000000000
--- a/docker/keycloak/fixtures/oidc.json
+++ /dev/null
@@ -1,377 +0,0 @@
-[
-    {
-        "model": "digid_eherkenning_oidc_generics.openidconnectpublicconfig",
-        "pk": 1,
-        "fields": {
-            "enabled": true,
-            "identifier_claim_name": "bsn",
-            "oidc_rp_client_id": "testid_public",
-            "oidc_rp_client_secret": "23a12032-e080-4f65-b733-ad2567ec1605",
-            "oidc_rp_sign_algo": "RS256",
-            "oidc_rp_scopes_list": "[\"openid\", \"bsn\"]",
-            "oidc_op_discovery_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/",
-            "oidc_op_jwks_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/certs",
-            "oidc_op_authorization_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/auth",
-            "oidc_op_token_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/token",
-            "oidc_op_user_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/userinfo",
-            "oidc_op_logout_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/logout",
-            "oidc_rp_idp_sign_key": "",
-            "oidc_keycloak_idp_hint": ""
-        }
-    },
-    {
-        "model": "digid_eherkenning_oidc_generics.openidconnecteherkenningconfig",
-        "pk": 1,
-        "fields": {
-            "enabled": true,
-            "identifier_claim_name": "kvk",
-            "oidc_rp_client_id": "testid_public",
-            "oidc_rp_client_secret": "23a12032-e080-4f65-b733-ad2567ec1605",
-            "oidc_rp_sign_algo": "RS256",
-            "oidc_rp_scopes_list": "[\"openid\", \"kvk\"]",
-            "oidc_op_discovery_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/",
-            "oidc_op_jwks_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/certs",
-            "oidc_op_authorization_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/auth",
-            "oidc_op_token_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/token",
-            "oidc_op_user_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/userinfo",
-            "oidc_op_logout_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/logout",
-            "oidc_rp_idp_sign_key": "",
-            "oidc_keycloak_idp_hint": ""
-        }
-    },
-    {
-        "model": "mozilla_django_oidc_db.openidconnectconfig",
-        "pk": 1,
-        "fields": {
-            "enabled": true,
-            "oidc_rp_client_id": "testid",
-            "oidc_rp_client_secret": "23a12032-e080-4f65-b733-ad2567ec1605",
-            "oidc_rp_sign_algo": "RS256",
-            "oidc_rp_scopes_list": "[\"openid\", \"email\", \"profile\"]",
-            "oidc_op_discovery_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/",
-            "oidc_op_jwks_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/certs",
-            "oidc_op_authorization_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/auth",
-            "oidc_op_token_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/token",
-            "oidc_op_user_endpoint": "http://keycloak.open-forms.local:8080/auth/realms/test/protocol/openid-connect/userinfo",
-            "oidc_rp_idp_sign_key": "",
-            "username_claim": "sub",
-            "claim_mapping": {
-                "email": "email",
-                "last_name": "family_name",
-                "first_name": "given_name"
-            },
-            "groups_claim": "roles",
-            "sync_groups": true,
-            "sync_groups_glob_pattern": "*",
-            "make_users_staff": true
-        }
-    },
-    {
-        "model": "forms.form",
-        "pk": 1,
-        "fields": {
-            "uuid": "3ea9541f-f863-445d-ba89-a0d089578c3b",
-            "name": "Digid via OIDC",
-            "internal_name": "",
-            "slug": "digid-oidc",
-            "product": null,
-            "registration_backend": "",
-            "registration_backend_options": {},
-            "payment_backend": "",
-            "payment_backend_options": {},
-            "authentication_backends": "[\"digid_oidc\"]",
-            "submission_confirmation_template": "",
-            "submission_allowed": "yes",
-            "show_progress_indicator": true,
-            "confirmation_email_option": "global_email",
-            "begin_text": "",
-            "previous_text": "",
-            "change_text": "",
-            "confirm_text": "",
-            "explanation_template": "",
-            "active": true,
-            "maintenance_mode": false,
-            "_is_deleted": false,
-            "successful_submissions_removal_limit": null,
-            "successful_submissions_removal_method": "",
-            "incomplete_submissions_removal_limit": null,
-            "incomplete_submissions_removal_method": "",
-            "errored_submissions_removal_limit": null,
-            "errored_submissions_removal_method": "",
-            "all_submissions_removal_limit": null
-        }
-    },
-    {
-        "model": "forms.formdefinition",
-        "pk": 1,
-        "fields": {
-            "uuid": "5f28e130-e5c3-4a3a-abe3-2f51e88b8e2a",
-            "name": "Stap 1",
-            "internal_name": "",
-            "slug": "oidc-step1",
-            "configuration": {
-                "display": "form",
-                "components": [
-                    {
-                        "id": "eki8hix",
-                        "key": "textField",
-                        "mask": false,
-                        "type": "textfield",
-                        "input": true,
-                        "label": "Text Field",
-                        "hidden": false,
-                        "prefix": "",
-                        "suffix": "",
-                        "unique": false,
-                        "widget": {
-                            "type": "input"
-                        },
-                        "dbIndex": false,
-                        "overlay": {
-                            "top": "",
-                            "left": "",
-                            "style": "",
-                            "width": "",
-                            "height": ""
-                        },
-                        "prefill": {
-                            "plugin": "",
-                            "attribute": ""
-                        },
-                        "tooltip": "",
-                        "disabled": false,
-                        "multiple": false,
-                        "redrawOn": "",
-                        "tabindex": "",
-                        "validate": {
-                            "custom": "",
-                            "unique": false,
-                            "pattern": "",
-                            "plugins": [],
-                            "multiple": false,
-                            "required": false,
-                            "maxLength": "",
-                            "minLength": "",
-                            "customPrivate": false,
-                            "strictDateValidation": false
-                        },
-                        "autofocus": false,
-                        "encrypted": false,
-                        "hideLabel": false,
-                        "inputMask": "",
-                        "inputType": "text",
-                        "modalEdit": false,
-                        "protected": false,
-                        "refreshOn": "",
-                        "tableView": true,
-                        "attributes": {},
-                        "deriveCity": false,
-                        "errorLabel": "",
-                        "persistent": true,
-                        "properties": {},
-                        "spellcheck": true,
-                        "validateOn": "change",
-                        "clearOnHide": true,
-                        "conditional": {
-                            "eq": "",
-                            "show": null,
-                            "when": null
-                        },
-                        "customClass": "",
-                        "description": "",
-                        "inputFormat": "plain",
-                        "placeholder": "",
-                        "showInEmail": false,
-                        "defaultValue": null,
-                        "registration": {
-                            "attribute": ""
-                        },
-                        "dataGridLabel": false,
-                        "labelPosition": "top",
-                        "showCharCount": false,
-                        "showWordCount": false,
-                        "calculateValue": "",
-                        "derivePostcode": "",
-                        "calculateServer": false,
-                        "isSensitiveData": false,
-                        "deriveStreetName": false,
-                        "deriveHouseNumber": "",
-                        "allowMultipleMasks": false,
-                        "customDefaultValue": "",
-                        "allowCalculateOverride": false
-                    }
-                ]
-            },
-            "login_required": true,
-            "is_reusable": false
-        }
-    },
-    {
-        "model": "forms.formstep",
-        "pk": 1,
-        "fields": {
-            "order": 0,
-            "uuid": "1c8ef0a8-2353-4e86-828b-5c02d7766d13",
-            "form": 1,
-            "form_definition": 1,
-            "optional": false,
-            "previous_text": "",
-            "save_text": "",
-            "next_text": ""
-        }
-    },
-    {
-        "model": "forms.form",
-        "pk": 2,
-        "fields": {
-            "uuid": "5344e0fe-ab54-49e6-8942-bdafc4ca423d",
-            "name": "eHerkenning via OIDC",
-            "internal_name": "",
-            "slug": "eherkenning-oidc",
-            "product": null,
-            "registration_backend": "",
-            "registration_backend_options": {},
-            "payment_backend": "",
-            "payment_backend_options": {},
-            "authentication_backends": "[\"eherkenning_oidc\"]",
-            "submission_confirmation_template": "",
-            "submission_allowed": "yes",
-            "show_progress_indicator": true,
-            "confirmation_email_option": "global_email",
-            "begin_text": "",
-            "previous_text": "",
-            "change_text": "",
-            "confirm_text": "",
-            "explanation_template": "",
-            "active": true,
-            "maintenance_mode": false,
-            "_is_deleted": false,
-            "successful_submissions_removal_limit": null,
-            "successful_submissions_removal_method": "",
-            "incomplete_submissions_removal_limit": null,
-            "incomplete_submissions_removal_method": "",
-            "errored_submissions_removal_limit": null,
-            "errored_submissions_removal_method": "",
-            "all_submissions_removal_limit": null
-        }
-    },
-    {
-        "model": "forms.formdefinition",
-        "pk": 2,
-        "fields": {
-            "uuid": "adee513d-6ea9-4497-b501-c10db7eebd10",
-            "name": "Stap 1",
-            "internal_name": "",
-            "slug": "eherkenning-oidc-step1",
-            "configuration": {
-                "display": "form",
-                "components": [
-                    {
-                        "id": "sdw2jdf",
-                        "key": "textField",
-                        "mask": false,
-                        "type": "textfield",
-                        "input": true,
-                        "label": "Text Field",
-                        "hidden": false,
-                        "prefix": "",
-                        "suffix": "",
-                        "unique": false,
-                        "widget": {
-                            "type": "input"
-                        },
-                        "dbIndex": false,
-                        "overlay": {
-                            "top": "",
-                            "left": "",
-                            "style": "",
-                            "width": "",
-                            "height": ""
-                        },
-                        "prefill": {
-                            "plugin": "",
-                            "attribute": ""
-                        },
-                        "tooltip": "",
-                        "disabled": false,
-                        "multiple": false,
-                        "redrawOn": "",
-                        "tabindex": "",
-                        "validate": {
-                            "custom": "",
-                            "unique": false,
-                            "pattern": "",
-                            "plugins": [],
-                            "multiple": false,
-                            "required": false,
-                            "maxLength": "",
-                            "minLength": "",
-                            "customPrivate": false,
-                            "strictDateValidation": false
-                        },
-                        "autofocus": false,
-                        "encrypted": false,
-                        "hideLabel": false,
-                        "inputMask": "",
-                        "inputType": "text",
-                        "modalEdit": false,
-                        "protected": false,
-                        "refreshOn": "",
-                        "tableView": true,
-                        "attributes": {},
-                        "deriveCity": false,
-                        "errorLabel": "",
-                        "persistent": true,
-                        "properties": {},
-                        "spellcheck": true,
-                        "validateOn": "change",
-                        "clearOnHide": true,
-                        "conditional": {
-                            "eq": "",
-                            "show": null,
-                            "when": null
-                        },
-                        "customClass": "",
-                        "description": "",
-                        "inputFormat": "plain",
-                        "placeholder": "",
-                        "showInEmail": false,
-                        "defaultValue": null,
-                        "registration": {
-                            "attribute": ""
-                        },
-                        "dataGridLabel": false,
-                        "labelPosition": "top",
-                        "showCharCount": false,
-                        "showWordCount": false,
-                        "calculateValue": "",
-                        "derivePostcode": "",
-                        "calculateServer": false,
-                        "isSensitiveData": false,
-                        "deriveStreetName": false,
-                        "deriveHouseNumber": "",
-                        "allowMultipleMasks": false,
-                        "customDefaultValue": "",
-                        "allowCalculateOverride": false
-                    }
-                ]
-            },
-            "login_required": true,
-            "is_reusable": false
-        }
-    },
-    {
-        "model": "forms.formstep",
-        "pk": 2,
-        "fields": {
-            "order": 0,
-            "uuid": "65ce6093-0a85-48a1-807f-8f5eb3981399",
-            "form": 2,
-            "form_definition": 2,
-            "optional": false,
-            "previous_text": "",
-            "save_text": "",
-            "next_text": ""
-        }
-    }
-]
diff --git a/docker/keycloak/fixtures/realm.json b/docker/keycloak/fixtures/realm.json
deleted file mode 100644
index f5cab7ec01..0000000000
--- a/docker/keycloak/fixtures/realm.json
+++ /dev/null
@@ -1,2680 +0,0 @@
-{
-    "id": "test",
-    "realm": "test",
-    "displayName": "Keycloak",
-    "displayNameHtml": "<div class=\"kc-logo-text\"><span>Keycloak</span></div>",
-    "notBefore": 0,
-    "defaultSignatureAlgorithm": "RS256",
-    "revokeRefreshToken": false,
-    "refreshTokenMaxReuse": 0,
-    "accessTokenLifespan": 60,
-    "accessTokenLifespanForImplicitFlow": 900,
-    "ssoSessionIdleTimeout": 1800,
-    "ssoSessionMaxLifespan": 36000,
-    "ssoSessionIdleTimeoutRememberMe": 0,
-    "ssoSessionMaxLifespanRememberMe": 0,
-    "offlineSessionIdleTimeout": 2592000,
-    "offlineSessionMaxLifespanEnabled": false,
-    "offlineSessionMaxLifespan": 5184000,
-    "clientSessionIdleTimeout": 0,
-    "clientSessionMaxLifespan": 0,
-    "clientOfflineSessionIdleTimeout": 0,
-    "clientOfflineSessionMaxLifespan": 0,
-    "accessCodeLifespan": 60,
-    "accessCodeLifespanUserAction": 300,
-    "accessCodeLifespanLogin": 1800,
-    "actionTokenGeneratedByAdminLifespan": 43200,
-    "actionTokenGeneratedByUserLifespan": 300,
-    "oauth2DeviceCodeLifespan": 600,
-    "oauth2DevicePollingInterval": 600,
-    "enabled": true,
-    "sslRequired": "external",
-    "registrationAllowed": false,
-    "registrationEmailAsUsername": false,
-    "rememberMe": false,
-    "verifyEmail": false,
-    "loginWithEmailAllowed": true,
-    "duplicateEmailsAllowed": false,
-    "resetPasswordAllowed": false,
-    "editUsernameAllowed": false,
-    "bruteForceProtected": false,
-    "permanentLockout": false,
-    "maxFailureWaitSeconds": 900,
-    "minimumQuickLoginWaitSeconds": 60,
-    "waitIncrementSeconds": 60,
-    "quickLoginCheckMilliSeconds": 1000,
-    "maxDeltaTimeSeconds": 43200,
-    "failureFactor": 30,
-    "roles": {
-        "realm": [
-            {
-                "id": "0a58bc72-3b61-446d-9686-680dac2d7837",
-                "name": "bsn_role",
-                "composite": false,
-                "clientRole": false,
-                "containerId": "test",
-                "attributes": {
-                    "bsn": [
-                        "000000000"
-                    ]
-                }
-            },
-            {
-                "id": "136f9153-1b58-4925-a8d9-6cd3b5b14460",
-                "name": "offline_access",
-                "description": "${role_offline-access}",
-                "composite": false,
-                "clientRole": false,
-                "containerId": "test",
-                "attributes": {}
-            },
-            {
-                "id": "dfb35e47-58b6-4080-a666-e3855f80dae0",
-                "name": "uma_authorization",
-                "description": "${role_uma_authorization}",
-                "composite": false,
-                "clientRole": false,
-                "containerId": "test",
-                "attributes": {}
-            },
-            {
-                "id": "0b34dd0e-fba9-48a1-a139-6400f32d1361",
-                "name": "default-roles-master",
-                "description": "${role_default-roles}",
-                "composite": true,
-                "composites": {
-                    "realm": [
-                        "offline_access",
-                        "uma_authorization"
-                    ],
-                    "client": {
-                        "account": [
-                            "manage-account",
-                            "view-profile"
-                        ]
-                    }
-                },
-                "clientRole": false,
-                "containerId": "test",
-                "attributes": {}
-            },
-            {
-                "id": "2815411c-85c2-494c-b0dd-7ba1765c20eb",
-                "name": "admin",
-                "description": "${role_admin}",
-                "composite": true,
-                "composites": {
-                    "realm": [
-                        "create-realm"
-                    ],
-                    "client": {
-                        "master-realm": [
-                            "view-realm",
-                            "manage-authorization",
-                            "query-clients",
-                            "view-clients",
-                            "manage-users",
-                            "impersonation",
-                            "view-authorization",
-                            "manage-events",
-                            "query-realms",
-                            "view-users",
-                            "manage-clients",
-                            "view-identity-providers",
-                            "manage-identity-providers",
-                            "query-groups",
-                            "query-users",
-                            "create-client",
-                            "manage-realm",
-                            "view-events"
-                        ]
-                    }
-                },
-                "clientRole": false,
-                "containerId": "test",
-                "attributes": {}
-            },
-            {
-                "id": "868ad5f4-6f71-48aa-a66b-baa9463e0384",
-                "name": "create-realm",
-                "description": "${role_create-realm}",
-                "composite": false,
-                "clientRole": false,
-                "containerId": "test",
-                "attributes": {}
-            }
-        ],
-        "client": {
-            "realm-management": [
-                {
-                    "id": "2a00dbed-f906-45c7-944b-ac36c122a447",
-                    "name": "query-groups",
-                    "description": "${role_query-groups}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "cada1b50-0393-4671-a22f-4f64fdb6750f",
-                    "name": "manage-events",
-                    "description": "${role_manage-events}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "c84f8fc0-92ff-45b8-ae20-361153e027e3",
-                    "name": "manage-authorization",
-                    "description": "${role_manage-authorization}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "7438cf5c-c406-423e-a87c-282da2643a23",
-                    "name": "view-authorization",
-                    "description": "${role_view-authorization}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "a3ba4f3c-5a68-4546-9d0c-d347a01a0f80",
-                    "name": "view-users",
-                    "description": "${role_view-users}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "realm-management": [
-                                "query-groups",
-                                "query-users"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "f5af997b-0200-493c-833a-f29922393c36",
-                    "name": "manage-clients",
-                    "description": "${role_manage-clients}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "bb1ea04a-1455-436b-a9ce-a52ddf63080b",
-                    "name": "impersonation",
-                    "description": "${role_impersonation}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "73ecfaa2-7321-47d0-b0da-b502d63e8a38",
-                    "name": "view-identity-providers",
-                    "description": "${role_view-identity-providers}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "371d40bd-5c2d-4883-8f39-fee31929e8ff",
-                    "name": "view-clients",
-                    "description": "${role_view-clients}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "realm-management": [
-                                "query-clients"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "9806ccc3-9c5d-4cd4-8703-a3fb2578d33e",
-                    "name": "query-clients",
-                    "description": "${role_query-clients}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "4d15db11-54e1-440a-ada0-54eb2cfba916",
-                    "name": "query-realms",
-                    "description": "${role_query-realms}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "b0abae85-2f7a-41a1-9e94-6fcc1c0cffc9",
-                    "name": "view-realm",
-                    "description": "${role_view-realm}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "981a0138-1eb5-4bb0-9435-707d86e8ea15",
-                    "name": "manage-users",
-                    "description": "${role_manage-users}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "f20ca9de-e050-4db4-bc78-a7d594198371",
-                    "name": "manage-realm",
-                    "description": "${role_manage-realm}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "6f7ba22f-13b9-488b-bdc6-cf30bd69045c",
-                    "name": "realm-admin",
-                    "description": "${role_realm-admin}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "realm-management": [
-                                "query-groups",
-                                "manage-events",
-                                "manage-authorization",
-                                "view-authorization",
-                                "view-users",
-                                "manage-clients",
-                                "impersonation",
-                                "view-identity-providers",
-                                "view-clients",
-                                "query-realms",
-                                "query-clients",
-                                "view-realm",
-                                "manage-users",
-                                "manage-realm",
-                                "view-events",
-                                "manage-identity-providers",
-                                "create-client",
-                                "query-users"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "c82f77bf-ca5d-493b-937c-a1b95cfcc02c",
-                    "name": "view-events",
-                    "description": "${role_view-events}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "afe6ce5b-60ed-4cc3-a522-689f3356000d",
-                    "name": "manage-identity-providers",
-                    "description": "${role_manage-identity-providers}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "6b9787d5-1172-4c55-901b-24d1d8dc2211",
-                    "name": "create-client",
-                    "description": "${role_create-client}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                },
-                {
-                    "id": "eadd571c-5634-4dbd-b8d3-9a3f41755c0b",
-                    "name": "query-users",
-                    "description": "${role_query-users}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-                    "attributes": {}
-                }
-            ],
-            "security-admin-console": [],
-            "testid_public": [],
-            "admin-cli": [],
-            "testid": [],
-            "account-console": [],
-            "broker": [
-                {
-                    "id": "7e86123e-f54c-4479-b61a-dab28c62cbd4",
-                    "name": "read-token",
-                    "description": "${role_read-token}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "1a9e1f8f-3ab0-4df4-a94b-f7907a241edf",
-                    "attributes": {}
-                }
-            ],
-            "master-realm": [
-                {
-                    "id": "96ee1616-5a21-41f0-a6b3-ab9fca3211db",
-                    "name": "manage-authorization",
-                    "description": "${role_manage-authorization}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "43c2379c-939f-48ad-b911-fa4f81bcd05d",
-                    "name": "view-realm",
-                    "description": "${role_view-realm}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "2f3dc289-3f71-4cd0-abc6-71c130a5ecc4",
-                    "name": "query-clients",
-                    "description": "${role_query-clients}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "d67707ff-cfd2-48c8-8afd-9aa036328a1c",
-                    "name": "view-clients",
-                    "description": "${role_view-clients}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "master-realm": [
-                                "query-clients"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "dfb95d8e-c7f6-4946-a826-aeeb704c00a0",
-                    "name": "impersonation",
-                    "description": "${role_impersonation}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "0b5ce3df-1ada-4367-98c4-cfb49a2fb453",
-                    "name": "manage-users",
-                    "description": "${role_manage-users}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "09426dfa-97e4-4b2f-9ac4-1e4c257c7d40",
-                    "name": "view-authorization",
-                    "description": "${role_view-authorization}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "6a72e26e-18d8-4e7d-b2b9-0bdf4f4cf1b0",
-                    "name": "manage-events",
-                    "description": "${role_manage-events}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "2c0e9ccf-9f72-4c24-b47a-e223d0862725",
-                    "name": "query-realms",
-                    "description": "${role_query-realms}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "f26d3f41-90ed-4c6d-9165-76d7693fda37",
-                    "name": "view-users",
-                    "description": "${role_view-users}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "master-realm": [
-                                "query-groups",
-                                "query-users"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "86af1267-c64d-48c9-809b-240135e3d5a5",
-                    "name": "manage-clients",
-                    "description": "${role_manage-clients}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "e9694609-410b-4d4e-b784-e29a3caf14f5",
-                    "name": "manage-identity-providers",
-                    "description": "${role_manage-identity-providers}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "575d54ae-8947-44a6-9d3f-0e64f60cc6dc",
-                    "name": "view-identity-providers",
-                    "description": "${role_view-identity-providers}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "28a8f941-bb0f-4cfd-bc5e-40a5c3720fd6",
-                    "name": "query-groups",
-                    "description": "${role_query-groups}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "915a433b-6f77-4dc4-9dfe-d9939440db51",
-                    "name": "query-users",
-                    "description": "${role_query-users}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "9eb57526-c7da-4949-97d6-1bf168f5612b",
-                    "name": "create-client",
-                    "description": "${role_create-client}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "7d99c4d1-9f93-44ba-a735-b08c06a43a2c",
-                    "name": "manage-realm",
-                    "description": "${role_manage-realm}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                },
-                {
-                    "id": "0a993f3b-96d2-4f41-a139-b03a1758e0eb",
-                    "name": "view-events",
-                    "description": "${role_view-events}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-                    "attributes": {}
-                }
-            ],
-            "account": [
-                {
-                    "id": "004da97f-4333-41bd-bc60-7ea8c0a1e9ed",
-                    "name": "manage-account-links",
-                    "description": "${role_manage-account-links}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                },
-                {
-                    "id": "4aad4492-cf74-4a17-86b4-61e5ab7ed61f",
-                    "name": "view-applications",
-                    "description": "${role_view-applications}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                },
-                {
-                    "id": "680ca61c-ab20-49a8-ad6f-335b594b0ae1",
-                    "name": "manage-account",
-                    "description": "${role_manage-account}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "account": [
-                                "manage-account-links"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                },
-                {
-                    "id": "a0f0c00d-b4fc-49e5-9a62-3ca1f1ec6878",
-                    "name": "view-consent",
-                    "description": "${role_view-consent}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                },
-                {
-                    "id": "befbedad-59dd-49f6-b053-c6573e57d08b",
-                    "name": "manage-consent",
-                    "description": "${role_manage-consent}",
-                    "composite": true,
-                    "composites": {
-                        "client": {
-                            "account": [
-                                "view-consent"
-                            ]
-                        }
-                    },
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                },
-                {
-                    "id": "ae77a205-70f6-4d71-b07d-0c3c9d5c941a",
-                    "name": "delete-account",
-                    "description": "${role_delete-account}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                },
-                {
-                    "id": "ac7e6cdd-fe6e-4adc-9d90-59e385e96aab",
-                    "name": "view-profile",
-                    "description": "${role_view-profile}",
-                    "composite": false,
-                    "clientRole": true,
-                    "containerId": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-                    "attributes": {}
-                }
-            ]
-        }
-    },
-    "groups": [],
-    "defaultRole": {
-        "id": "0b34dd0e-fba9-48a1-a139-6400f32d1361",
-        "name": "default-roles-master",
-        "description": "${role_default-roles}",
-        "composite": true,
-        "clientRole": false,
-        "containerId": "test"
-    },
-    "requiredCredentials": [
-        "password"
-    ],
-    "otpPolicyType": "totp",
-    "otpPolicyAlgorithm": "HmacSHA1",
-    "otpPolicyInitialCounter": 0,
-    "otpPolicyDigits": 6,
-    "otpPolicyLookAheadWindow": 1,
-    "otpPolicyPeriod": 30,
-    "otpSupportedApplications": [
-        "FreeOTP",
-        "Google Authenticator"
-    ],
-    "webAuthnPolicyRpEntityName": "keycloak",
-    "webAuthnPolicySignatureAlgorithms": [
-        "ES256"
-    ],
-    "webAuthnPolicyRpId": "",
-    "webAuthnPolicyAttestationConveyancePreference": "not specified",
-    "webAuthnPolicyAuthenticatorAttachment": "not specified",
-    "webAuthnPolicyRequireResidentKey": "not specified",
-    "webAuthnPolicyUserVerificationRequirement": "not specified",
-    "webAuthnPolicyCreateTimeout": 0,
-    "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
-    "webAuthnPolicyAcceptableAaguids": [],
-    "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
-    "webAuthnPolicyPasswordlessSignatureAlgorithms": [
-        "ES256"
-    ],
-    "webAuthnPolicyPasswordlessRpId": "",
-    "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
-    "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
-    "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
-    "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
-    "webAuthnPolicyPasswordlessCreateTimeout": 0,
-    "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
-    "webAuthnPolicyPasswordlessAcceptableAaguids": [],
-    "users": [
-        {
-            "id": "d35f482f-0717-475e-9cc9-b02f18b24df9",
-            "createdTimestamp": 1624867127533,
-            "username": "service-account-testid",
-            "enabled": true,
-            "totp": false,
-            "emailVerified": false,
-            "serviceAccountClientId": "testid",
-            "disableableCredentialTypes": [],
-            "requiredActions": [],
-            "realmRoles": [
-                "default-roles-master"
-            ],
-            "notBefore": 0,
-            "groups": []
-        },
-        {
-            "id": "3e1b7b99-f368-41b9-8149-ef80d0e8c636",
-            "createdTimestamp": 1624867127533,
-            "username": "service-account-testid_public",
-            "enabled": true,
-            "totp": false,
-            "emailVerified": false,
-            "serviceAccountClientId": "testid_public",
-            "disableableCredentialTypes": [],
-            "requiredActions": [],
-            "notBefore": 0,
-            "groups": []
-        },
-        {
-            "username": "testuser",
-            "enabled": true,
-            "attributes": {
-                "bsn": [
-                    "000000000"
-                ],
-                "kvk": [
-                    "012345678"
-                ]
-            },
-            "credentials": [
-                {
-                    "type": "password",
-                    "value": "testuser"
-                }
-            ],
-            "realmRoles": [],
-            "groups": []
-        }
-    ],
-    "scopeMappings": [
-        {
-            "clientScope": "offline_access",
-            "roles": [
-                "offline_access"
-            ]
-        }
-    ],
-    "clientScopeMappings": {
-        "account": [
-            {
-                "client": "account-console",
-                "roles": [
-                    "manage-account"
-                ]
-            }
-        ]
-    },
-    "clients": [
-        {
-            "id": "95d9ea1e-5614-405d-ab24-fa705bbd4088",
-            "clientId": "account",
-            "name": "${client_account}",
-            "rootUrl": "${authBaseUrl}",
-            "baseUrl": "/realms/master/account/",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [
-                "/realms/master/account/*"
-            ],
-            "webOrigins": [],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": false,
-            "serviceAccountsEnabled": false,
-            "publicClient": true,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {},
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "e369bc52-f2f5-4589-ae85-6edda9d65a30",
-            "clientId": "account-console",
-            "name": "${client_account-console}",
-            "rootUrl": "${authBaseUrl}",
-            "baseUrl": "/realms/master/account/",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [
-                "/realms/master/account/*"
-            ],
-            "webOrigins": [],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": false,
-            "serviceAccountsEnabled": false,
-            "publicClient": true,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {
-                "pkce.code.challenge.method": "S256"
-            },
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "protocolMappers": [
-                {
-                    "id": "800daeff-beec-444f-87d7-4683fab13c6b",
-                    "name": "audience resolve",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-audience-resolve-mapper",
-                    "consentRequired": false,
-                    "config": {}
-                }
-            ],
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "d19332b1-d21f-4386-93d6-786b00946d3a",
-            "clientId": "admin-cli",
-            "name": "${client_admin-cli}",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [],
-            "webOrigins": [],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": false,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": true,
-            "serviceAccountsEnabled": false,
-            "publicClient": true,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {},
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "1a9e1f8f-3ab0-4df4-a94b-f7907a241edf",
-            "clientId": "broker",
-            "name": "${client_broker}",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [],
-            "webOrigins": [],
-            "notBefore": 0,
-            "bearerOnly": true,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": false,
-            "serviceAccountsEnabled": false,
-            "publicClient": false,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {},
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "6eab5916-d431-4c7d-9bc5-9516e338da37",
-            "clientId": "master-realm",
-            "name": "master Realm",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [],
-            "webOrigins": [],
-            "notBefore": 0,
-            "bearerOnly": true,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": false,
-            "serviceAccountsEnabled": false,
-            "publicClient": false,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {},
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "245fcb6a-6484-401c-97b1-ed1c9c4e383f",
-            "clientId": "realm-management",
-            "name": "${client_realm-management}",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [],
-            "webOrigins": [],
-            "notBefore": 0,
-            "bearerOnly": true,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": false,
-            "serviceAccountsEnabled": false,
-            "publicClient": false,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {},
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "defaultClientScopes": [],
-            "optionalClientScopes": []
-        },
-        {
-            "id": "08fb476c-6150-43b3-a43b-2e5504e88e98",
-            "clientId": "security-admin-console",
-            "name": "${client_security-admin-console}",
-            "rootUrl": "${authAdminUrl}",
-            "baseUrl": "/admin/master/console/",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "redirectUris": [
-                "/admin/master/console/*"
-            ],
-            "webOrigins": [
-                "+"
-            ],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": false,
-            "serviceAccountsEnabled": false,
-            "publicClient": true,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {
-                "pkce.code.challenge.method": "S256"
-            },
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": false,
-            "nodeReRegistrationTimeout": 0,
-            "protocolMappers": [
-                {
-                    "id": "0cb070a6-c2c3-4828-bd18-8b1e40791325",
-                    "name": "locale",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "locale",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "locale",
-                        "jsonType.label": "String"
-                    }
-                }
-            ],
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "34345dc9-af96-404f-9d24-9b40adc8cd0a",
-            "clientId": "testid",
-            "rootUrl": "http://127.0.0.1:8000",
-            "adminUrl": "http://127.0.0.1:8000/oidc/connect",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "secret": "23a12032-e080-4f65-b733-ad2567ec1605",
-            "redirectUris": [
-                "http://localhost:8000/*",
-                "http://127.0.0.1:8000/*"
-            ],
-            "webOrigins": [
-                "http://127.0.0.1:8000"
-            ],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": true,
-            "serviceAccountsEnabled": true,
-            "publicClient": false,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {
-                "id.token.as.detached.signature": "false",
-                "saml.assertion.signature": "false",
-                "saml.force.post.binding": "false",
-                "saml.multivalued.roles": "false",
-                "saml.encrypt": "false",
-                "oauth2.device.authorization.grant.enabled": "false",
-                "backchannel.logout.revoke.offline.tokens": "false",
-                "saml.server.signature": "false",
-                "saml.server.signature.keyinfo.ext": "false",
-                "use.refresh.tokens": "true",
-                "exclude.session.state.from.auth.response": "false",
-                "oidc.ciba.grant.enabled": "false",
-                "saml.artifact.binding": "false",
-                "backchannel.logout.session.required": "true",
-                "client_credentials.use_refresh_token": "false",
-                "saml_force_name_id_format": "false",
-                "saml.client.signature": "false",
-                "tls.client.certificate.bound.access.tokens": "false",
-                "saml.authnstatement": "false",
-                "display.on.consent.screen": "false",
-                "saml.onetimeuse.condition": "false"
-            },
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": true,
-            "nodeReRegistrationTimeout": -1,
-            "protocolMappers": [
-                {
-                    "id": "0ff0a187-8ff8-45ea-8803-bbc2308f806b",
-                    "name": "Client ID",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.session.note": "clientId",
-                        "userinfo.token.claim": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "clientId",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "7a3d9a9e-88ee-4b52-9d05-46e08ea4cf60",
-                    "name": "Client IP Address",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.session.note": "clientAddress",
-                        "userinfo.token.claim": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "clientAddress",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "55db54cf-3cd1-4846-91bb-27080ba78981",
-                    "name": "Client Host",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.session.note": "clientHost",
-                        "userinfo.token.claim": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "clientHost",
-                        "jsonType.label": "String"
-                    }
-                }
-            ],
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        },
-        {
-            "id": "f9b0c49c-3e26-47fd-956b-1edf4038fb1f",
-            "clientId": "testid_public",
-            "rootUrl": "http://127.0.0.1:8000",
-            "adminUrl": "http://127.0.0.1:8000/digid-oidc/connect",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
-            "secret": "23a12032-e080-4f65-b733-ad2567ec1605",
-            "redirectUris": [
-                "http://localhost:8000/*",
-                "http://127.0.0.1:8000/*"
-            ],
-            "webOrigins": [
-                "http://127.0.0.1:8000"
-            ],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": true,
-            "serviceAccountsEnabled": true,
-            "publicClient": false,
-            "frontchannelLogout": false,
-            "protocol": "openid-connect",
-            "attributes": {
-                "id.token.as.detached.signature": "false",
-                "saml.assertion.signature": "false",
-                "saml.force.post.binding": "false",
-                "saml.multivalued.roles": "false",
-                "saml.encrypt": "false",
-                "oauth2.device.authorization.grant.enabled": "false",
-                "backchannel.logout.revoke.offline.tokens": "false",
-                "saml.server.signature": "false",
-                "saml.server.signature.keyinfo.ext": "false",
-                "use.refresh.tokens": "true",
-                "exclude.session.state.from.auth.response": "false",
-                "oidc.ciba.grant.enabled": "false",
-                "saml.artifact.binding": "false",
-                "backchannel.logout.session.required": "true",
-                "client_credentials.use_refresh_token": "false",
-                "saml_force_name_id_format": "false",
-                "saml.client.signature": "false",
-                "tls.client.certificate.bound.access.tokens": "false",
-                "saml.authnstatement": "false",
-                "display.on.consent.screen": "false",
-                "saml.onetimeuse.condition": "false"
-            },
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": true,
-            "nodeReRegistrationTimeout": -1,
-            "protocolMappers": [
-                {
-                    "id": "67f46369-2fbd-454c-a973-a85b4994c6c3",
-                    "name": "Client Host",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.session.note": "clientHost",
-                        "userinfo.token.claim": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "clientHost",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "70b51643-0cd4-4fd8-9263-2d8b16424506",
-                    "name": "Client IP Address",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.session.note": "clientAddress",
-                        "userinfo.token.claim": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "clientAddress",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "1b3787f7-8849-4d3c-b939-3f81a962cc17",
-                    "name": "Client ID",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.session.note": "clientId",
-                        "userinfo.token.claim": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "clientId",
-                        "jsonType.label": "String"
-                    }
-                }
-            ],
-            "defaultClientScopes": [
-                "web-origins",
-                "roles",
-                "profile",
-                "bsn",
-                "kvk",
-                "email"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
-            ]
-        }
-    ],
-    "clientScopes": [
-        {
-            "id": "37417998-812b-4b5f-844d-41fc3687dc99",
-            "name": "email",
-            "description": "OpenID Connect built-in scope: email",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "${emailScopeConsentText}"
-            },
-            "protocolMappers": [
-                {
-                    "id": "9db2b90e-d681-43d3-94b8-9be904bbddef",
-                    "name": "email verified",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "emailVerified",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "email_verified",
-                        "jsonType.label": "boolean"
-                    }
-                },
-                {
-                    "id": "716c0fe5-aaa2-4b78-899f-06634b7075cd",
-                    "name": "email",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "email",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "email",
-                        "jsonType.label": "String"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "0e2b1301-058e-4b8c-b45a-3136d8271ef9",
-            "name": "roles",
-            "description": "OpenID Connect scope for add user roles to the access token",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "false",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "${rolesScopeConsentText}"
-            },
-            "protocolMappers": [
-                {
-                    "id": "a165541d-1ae6-46ca-ab75-63ce49a7cb91",
-                    "name": "client roles",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-client-role-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.attribute": "foo",
-                        "access.token.claim": "true",
-                        "claim.name": "resource_access.${client_id}.roles",
-                        "jsonType.label": "String",
-                        "multivalued": "true"
-                    }
-                },
-                {
-                    "id": "a91f862d-c949-4083-9987-cd77aeee5c5f",
-                    "name": "realm roles",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-realm-role-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.attribute": "foo",
-                        "access.token.claim": "true",
-                        "claim.name": "realm_access.roles",
-                        "jsonType.label": "String",
-                        "multivalued": "true"
-                    }
-                },
-                {
-                    "id": "9a6cded0-dd1f-4083-bb19-bdf11eb339af",
-                    "name": "audience resolve",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-audience-resolve-mapper",
-                    "consentRequired": false,
-                    "config": {}
-                }
-            ]
-        },
-        {
-            "id": "3bd6b791-56a1-4529-bfbd-cbd1c7fbb5a0",
-            "name": "profile",
-            "description": "OpenID Connect built-in scope: profile",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "${profileScopeConsentText}"
-            },
-            "protocolMappers": [
-                {
-                    "id": "57c9a639-c2aa-4ddd-a7e1-72be379873f4",
-                    "name": "picture",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "picture",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "picture",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "e210a123-5fde-49a7-9ea4-ce6eee7a7be5",
-                    "name": "updated at",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "updatedAt",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "updated_at",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "01466ea2-8cdd-49bc-ab14-15369d2909a7",
-                    "name": "profile",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "profile",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "profile",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "87d08d97-095a-4cfd-a3ed-3db9da9650d3",
-                    "name": "full name",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-full-name-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "userinfo.token.claim": "true"
-                    }
-                },
-                {
-                    "id": "875850b9-6772-4304-9eed-52f671ee71c7",
-                    "name": "locale",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "locale",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "locale",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "aa67db2e-be2e-456b-bea1-8bfa0536a8bb",
-                    "name": "birthdate",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "birthdate",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "birthdate",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "fb4e5425-2561-43c8-b724-8c757e0f5dd7",
-                    "name": "given name",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "firstName",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "given_name",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "04ccd4c8-c818-4536-9867-d36c18c8927a",
-                    "name": "middle name",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "middleName",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "middle_name",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "ea264046-b77f-4960-ba07-c5111f972e61",
-                    "name": "username",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "username",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "preferred_username",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "1c552d93-9e4f-46d2-ae7c-82c2bc41b00f",
-                    "name": "nickname",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "nickname",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "nickname",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "e5373652-4aaf-4231-989f-d49add353a17",
-                    "name": "gender",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "gender",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "gender",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "ce98d4b9-09ab-40f6-a798-7381f9c42c13",
-                    "name": "family name",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "lastName",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "family_name",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "b27d0913-efc4-4a8a-b24b-d92370d7d07e",
-                    "name": "zoneinfo",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "zoneinfo",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "zoneinfo",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "76451df0-06ef-4e91-993e-9f950b2f0925",
-                    "name": "website",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "website",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "website",
-                        "jsonType.label": "String"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "2df5fd48-50fd-4433-b997-5786588e3976",
-            "name": "offline_access",
-            "description": "OpenID Connect built-in scope: offline_access",
-            "protocol": "openid-connect",
-            "attributes": {
-                "consent.screen.text": "${offlineAccessScopeConsentText}",
-                "display.on.consent.screen": "true"
-            }
-        },
-        {
-            "id": "bf1f2630-1990-48d7-bbe4-e7e3cd1f3850",
-            "name": "microprofile-jwt",
-            "description": "Microprofile - JWT built-in scope",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "false"
-            },
-            "protocolMappers": [
-                {
-                    "id": "bf3a3e65-2616-4b82-a9dd-665b74c038ee",
-                    "name": "upn",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "username",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "upn",
-                        "jsonType.label": "String"
-                    }
-                },
-                {
-                    "id": "064c7bf7-4692-4a1d-bd2d-7cd3a6ec9634",
-                    "name": "groups",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-realm-role-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "multivalued": "true",
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "foo",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "groups",
-                        "jsonType.label": "String"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "1d40dfd8-671e-484d-a322-25852822a251",
-            "name": "bsn",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true"
-            },
-            "protocolMappers": [
-                {
-                    "id": "4d62841a-f294-4286-aa2a-dab05a0a0fed",
-                    "name": "bsn",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.attribute": "bsn",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "bsn",
-                        "userinfo.token.claim": "true"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "ed28ea90-164d-4ff1-9faf-4ba349f08127",
-            "name": "role_list",
-            "description": "SAML role list",
-            "protocol": "saml",
-            "attributes": {
-                "consent.screen.text": "${samlRoleListScopeConsentText}",
-                "display.on.consent.screen": "true"
-            },
-            "protocolMappers": [
-                {
-                    "id": "fc60ef39-3fc1-4b74-957a-55df0b831a68",
-                    "name": "role list",
-                    "protocol": "saml",
-                    "protocolMapper": "saml-role-list-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "single": "false",
-                        "attribute.nameformat": "Basic",
-                        "attribute.name": "Role"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "1d40dfd8-611e-484d-a322-25852822a251",
-            "name": "kvk",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true"
-            },
-            "protocolMappers": [
-                {
-                    "id": "4d62141a-f294-4286-aa2a-dab05a0a0fed",
-                    "name": "kvk",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.attribute": "kvk",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "kvk",
-                        "userinfo.token.claim": "true"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "ea6085b0-e2d8-4f17-8145-4d5537bc5cd7",
-            "name": "address",
-            "description": "OpenID Connect built-in scope: address",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "${addressScopeConsentText}"
-            },
-            "protocolMappers": [
-                {
-                    "id": "845444c7-18c3-42e7-8c74-93e007dd0fe2",
-                    "name": "address",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-address-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.attribute.formatted": "formatted",
-                        "user.attribute.country": "country",
-                        "user.attribute.postal_code": "postal_code",
-                        "userinfo.token.claim": "true",
-                        "user.attribute.street": "street",
-                        "id.token.claim": "true",
-                        "user.attribute.region": "region",
-                        "access.token.claim": "true",
-                        "user.attribute.locality": "locality"
-                    }
-                }
-            ]
-        },
-        {
-            "id": "3bb4a654-e283-4184-bf05-d7b4010f2a1a",
-            "name": "web-origins",
-            "description": "OpenID Connect scope for add allowed web origins to the access token",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "false",
-                "display.on.consent.screen": "false",
-                "consent.screen.text": ""
-            },
-            "protocolMappers": [
-                {
-                    "id": "e0b8a1ee-5a77-49b6-8cf0-21520b1c23ca",
-                    "name": "allowed web origins",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-allowed-origins-mapper",
-                    "consentRequired": false,
-                    "config": {}
-                }
-            ]
-        },
-        {
-            "id": "427929bf-edf0-4f3a-ae71-34276186f623",
-            "name": "phone",
-            "description": "OpenID Connect built-in scope: phone",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "${phoneScopeConsentText}"
-            },
-            "protocolMappers": [
-                {
-                    "id": "fdcf1a6a-c113-47b7-9cca-a84e6f14813a",
-                    "name": "phone number verified",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "phoneNumberVerified",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "phone_number_verified",
-                        "jsonType.label": "boolean"
-                    }
-                },
-                {
-                    "id": "a447cc62-b731-47f9-9d6f-05325b89283b",
-                    "name": "phone number",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-attribute-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "phoneNumber",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "phone_number",
-                        "jsonType.label": "String"
-                    }
-                }
-            ]
-        }
-    ],
-    "defaultDefaultClientScopes": [
-        "roles",
-        "email",
-        "web-origins",
-        "profile",
-        "role_list"
-    ],
-    "defaultOptionalClientScopes": [
-        "offline_access",
-        "phone",
-        "microprofile-jwt",
-        "address"
-    ],
-    "browserSecurityHeaders": {
-        "contentSecurityPolicyReportOnly": "",
-        "xContentTypeOptions": "nosniff",
-        "xRobotsTag": "none",
-        "xFrameOptions": "SAMEORIGIN",
-        "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
-        "xXSSProtection": "1; mode=block",
-        "strictTransportSecurity": "max-age=31536000; includeSubDomains"
-    },
-    "smtpServer": {},
-    "eventsEnabled": false,
-    "eventsListeners": [
-        "jboss-logging"
-    ],
-    "enabledEventTypes": [],
-    "adminEventsEnabled": false,
-    "adminEventsDetailsEnabled": false,
-    "identityProviders": [],
-    "identityProviderMappers": [],
-    "components": {
-        "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
-            {
-                "id": "8977dcfb-2206-4216-a274-ce00b88c1553",
-                "name": "Allowed Client Scopes",
-                "providerId": "allowed-client-templates",
-                "subType": "authenticated",
-                "subComponents": {},
-                "config": {
-                    "allow-default-scopes": [
-                        "true"
-                    ]
-                }
-            },
-            {
-                "id": "19b1cffd-debb-4411-bd32-a62c06950b78",
-                "name": "Consent Required",
-                "providerId": "consent-required",
-                "subType": "anonymous",
-                "subComponents": {},
-                "config": {}
-            },
-            {
-                "id": "f7f43ebc-b362-4edf-8561-a2a76da62d0f",
-                "name": "Allowed Protocol Mapper Types",
-                "providerId": "allowed-protocol-mappers",
-                "subType": "authenticated",
-                "subComponents": {},
-                "config": {
-                    "allowed-protocol-mapper-types": [
-                        "oidc-usermodel-property-mapper",
-                        "oidc-sha256-pairwise-sub-mapper",
-                        "saml-user-property-mapper",
-                        "saml-user-attribute-mapper",
-                        "oidc-address-mapper",
-                        "saml-role-list-mapper",
-                        "oidc-usermodel-attribute-mapper",
-                        "oidc-full-name-mapper"
-                    ]
-                }
-            },
-            {
-                "id": "e9385552-310b-43a4-9692-e34fe6e8c119",
-                "name": "Full Scope Disabled",
-                "providerId": "scope",
-                "subType": "anonymous",
-                "subComponents": {},
-                "config": {}
-            },
-            {
-                "id": "bcaf8044-0491-4b43-b3f2-cb2a72750d34",
-                "name": "Allowed Client Scopes",
-                "providerId": "allowed-client-templates",
-                "subType": "anonymous",
-                "subComponents": {},
-                "config": {
-                    "allow-default-scopes": [
-                        "true"
-                    ]
-                }
-            },
-            {
-                "id": "778b4d6b-9b2b-4da3-b790-719dd93e57cf",
-                "name": "Trusted Hosts",
-                "providerId": "trusted-hosts",
-                "subType": "anonymous",
-                "subComponents": {},
-                "config": {
-                    "host-sending-registration-request-must-match": [
-                        "true"
-                    ],
-                    "client-uris-must-match": [
-                        "true"
-                    ]
-                }
-            },
-            {
-                "id": "60b88614-4521-47cb-a944-7586dc9d91ff",
-                "name": "Max Clients Limit",
-                "providerId": "max-clients",
-                "subType": "anonymous",
-                "subComponents": {},
-                "config": {
-                    "max-clients": [
-                        "200"
-                    ]
-                }
-            },
-            {
-                "id": "c1338f65-08a5-492b-a9fc-bbe38f73f5ca",
-                "name": "Allowed Protocol Mapper Types",
-                "providerId": "allowed-protocol-mappers",
-                "subType": "anonymous",
-                "subComponents": {},
-                "config": {
-                    "allowed-protocol-mapper-types": [
-                        "oidc-usermodel-attribute-mapper",
-                        "oidc-sha256-pairwise-sub-mapper",
-                        "saml-role-list-mapper",
-                        "saml-user-property-mapper",
-                        "oidc-address-mapper",
-                        "saml-user-attribute-mapper",
-                        "oidc-usermodel-property-mapper",
-                        "oidc-full-name-mapper"
-                    ]
-                }
-            }
-        ],
-        "org.keycloak.keys.KeyProvider": [
-            {
-                "id": "5e8b1c64-f2f3-4e9a-b35b-9ac294561e63",
-                "name": "rsa-generated",
-                "providerId": "rsa-generated",
-                "subComponents": {},
-                "config": {
-                    "priority": [
-                        "100"
-                    ]
-                }
-            },
-            {
-                "id": "59f6c9f5-917a-4dcb-86b4-65483afe4965",
-                "name": "hmac-generated",
-                "providerId": "hmac-generated",
-                "subComponents": {},
-                "config": {
-                    "priority": [
-                        "100"
-                    ],
-                    "algorithm": [
-                        "HS256"
-                    ]
-                }
-            },
-            {
-                "id": "75866248-ab2f-4477-a1a1-6d201f5b3f6d",
-                "name": "aes-generated",
-                "providerId": "aes-generated",
-                "subComponents": {},
-                "config": {
-                    "priority": [
-                        "100"
-                    ]
-                }
-            }
-        ]
-    },
-    "internationalizationEnabled": false,
-    "supportedLocales": [],
-    "authenticationFlows": [
-        {
-            "id": "c4442b16-2ff2-423f-ad5b-0fa17b425d96",
-            "alias": "Account verification options",
-            "description": "Method with which to verity the existing account",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "idp-email-verification",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 20,
-                    "flowAlias": "Verify Existing Account by Re-authentication",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "5cc93375-b9c6-47e3-9eb7-c248a374dae6",
-            "alias": "Authentication Options",
-            "description": "Authentication options.",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "basic-auth",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "basic-auth-otp",
-                    "authenticatorFlow": false,
-                    "requirement": "DISABLED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "auth-spnego",
-                    "authenticatorFlow": false,
-                    "requirement": "DISABLED",
-                    "priority": 30,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "930178d8-3c25-480e-9d99-4370851af843",
-            "alias": "Browser - Conditional OTP",
-            "description": "Flow to determine if the OTP is required for the authentication",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "conditional-user-configured",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "auth-otp-form",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "650c9131-d97c-45de-9fec-703590c5dea7",
-            "alias": "Direct Grant - Conditional OTP",
-            "description": "Flow to determine if the OTP is required for the authentication",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "conditional-user-configured",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "direct-grant-validate-otp",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "2c8c1327-b0d9-444d-8232-1fa51dde4f9b",
-            "alias": "First broker login - Conditional OTP",
-            "description": "Flow to determine if the OTP is required for the authentication",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "conditional-user-configured",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "auth-otp-form",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "4af88e1f-ccb0-4a7b-8ee0-b34e48566059",
-            "alias": "Handle Existing Account",
-            "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "idp-confirm-link",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "flowAlias": "Account verification options",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "b9bd0bef-cdff-4995-ac13-d900c29f7683",
-            "alias": "Reset - Conditional OTP",
-            "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "conditional-user-configured",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "reset-otp",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "0817adee-9170-40a9-a690-6906f0ef7dad",
-            "alias": "User creation or linking",
-            "description": "Flow for the existing/non-existing user alternatives",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticatorConfig": "create unique user config",
-                    "authenticator": "idp-create-user-if-unique",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 20,
-                    "flowAlias": "Handle Existing Account",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "6d2e00ce-9a40-4e2b-989e-7bffce97c760",
-            "alias": "Verify Existing Account by Re-authentication",
-            "description": "Reauthentication of existing account",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "idp-username-password-form",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "CONDITIONAL",
-                    "priority": 20,
-                    "flowAlias": "First broker login - Conditional OTP",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "dfca197a-4f38-4fa8-bc14-d9f5a4fc4585",
-            "alias": "browser",
-            "description": "browser based authentication",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "auth-cookie",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "auth-spnego",
-                    "authenticatorFlow": false,
-                    "requirement": "DISABLED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "identity-provider-redirector",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 25,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 30,
-                    "flowAlias": "forms",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "9d216f18-8227-4549-b975-028941902565",
-            "alias": "clients",
-            "description": "Base authentication for clients",
-            "providerId": "client-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "client-secret",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "client-jwt",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "client-secret-jwt",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 30,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "client-x509",
-                    "authenticatorFlow": false,
-                    "requirement": "ALTERNATIVE",
-                    "priority": 40,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "59656dfb-75a1-4932-8efc-55110dde6a2a",
-            "alias": "direct grant",
-            "description": "OpenID Connect Resource Owner Grant",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "direct-grant-validate-username",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "direct-grant-validate-password",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "CONDITIONAL",
-                    "priority": 30,
-                    "flowAlias": "Direct Grant - Conditional OTP",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "f9ee35b4-8d66-47aa-90fd-e1bd32bfbfe9",
-            "alias": "docker auth",
-            "description": "Used by Docker clients to authenticate against the IDP",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "docker-http-basic-authenticator",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "678ff104-d570-40ec-8a3d-a9aa8cdb2656",
-            "alias": "first broker login",
-            "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticatorConfig": "review profile config",
-                    "authenticator": "idp-review-profile",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "flowAlias": "User creation or linking",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "81a95ef6-1840-4690-aa01-3966075fec3e",
-            "alias": "forms",
-            "description": "Username, password, otp and other auth forms.",
-            "providerId": "basic-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "auth-username-password-form",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "CONDITIONAL",
-                    "priority": 20,
-                    "flowAlias": "Browser - Conditional OTP",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "21a3f527-5ee0-4e0f-923b-d61e3eddfe31",
-            "alias": "http challenge",
-            "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "no-cookie-redirect",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "flowAlias": "Authentication Options",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "6cedbdfd-318a-4d30-b251-f0a884b167fb",
-            "alias": "registration",
-            "description": "registration flow",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "registration-page-form",
-                    "authenticatorFlow": true,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "flowAlias": "registration form",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "abdb0e32-9902-4859-ba25-329b26bac777",
-            "alias": "registration form",
-            "description": "registration form",
-            "providerId": "form-flow",
-            "topLevel": false,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "registration-user-creation",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "registration-profile-action",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 40,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "registration-password-action",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 50,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "registration-recaptcha-action",
-                    "authenticatorFlow": false,
-                    "requirement": "DISABLED",
-                    "priority": 60,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        },
-        {
-            "id": "3a5f896c-9b3e-4133-aac6-cf5ce5a19c5e",
-            "alias": "reset credentials",
-            "description": "Reset credentials for a user if they forgot their password or something",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "reset-credentials-choose-user",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "reset-credential-email",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 20,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticator": "reset-password",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 30,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                },
-                {
-                    "authenticatorFlow": true,
-                    "requirement": "CONDITIONAL",
-                    "priority": 40,
-                    "flowAlias": "Reset - Conditional OTP",
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": true
-                }
-            ]
-        },
-        {
-            "id": "7c997de8-300e-4fbd-a68a-94fb0207fad9",
-            "alias": "saml ecp",
-            "description": "SAML ECP Profile Authentication Flow",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": true,
-            "authenticationExecutions": [
-                {
-                    "authenticator": "http-basic-authenticator",
-                    "authenticatorFlow": false,
-                    "requirement": "REQUIRED",
-                    "priority": 10,
-                    "userSetupAllowed": false,
-                    "autheticatorFlow": false
-                }
-            ]
-        }
-    ],
-    "authenticatorConfig": [
-        {
-            "id": "e44a784d-8366-45d5-bb73-8f8fa3163434",
-            "alias": "create unique user config",
-            "config": {
-                "require.password.update.after.registration": "false"
-            }
-        },
-        {
-            "id": "32e37929-8a7d-433f-86fb-7208f5193ed9",
-            "alias": "review profile config",
-            "config": {
-                "update.profile.on.first.login": "missing"
-            }
-        }
-    ],
-    "requiredActions": [
-        {
-            "alias": "CONFIGURE_TOTP",
-            "name": "Configure OTP",
-            "providerId": "CONFIGURE_TOTP",
-            "enabled": true,
-            "defaultAction": false,
-            "priority": 10,
-            "config": {}
-        },
-        {
-            "alias": "terms_and_conditions",
-            "name": "Terms and Conditions",
-            "providerId": "terms_and_conditions",
-            "enabled": false,
-            "defaultAction": false,
-            "priority": 20,
-            "config": {}
-        },
-        {
-            "alias": "UPDATE_PASSWORD",
-            "name": "Update Password",
-            "providerId": "UPDATE_PASSWORD",
-            "enabled": true,
-            "defaultAction": false,
-            "priority": 30,
-            "config": {}
-        },
-        {
-            "alias": "UPDATE_PROFILE",
-            "name": "Update Profile",
-            "providerId": "UPDATE_PROFILE",
-            "enabled": true,
-            "defaultAction": false,
-            "priority": 40,
-            "config": {}
-        },
-        {
-            "alias": "VERIFY_EMAIL",
-            "name": "Verify Email",
-            "providerId": "VERIFY_EMAIL",
-            "enabled": true,
-            "defaultAction": false,
-            "priority": 50,
-            "config": {}
-        },
-        {
-            "alias": "delete_account",
-            "name": "Delete Account",
-            "providerId": "delete_account",
-            "enabled": false,
-            "defaultAction": false,
-            "priority": 60,
-            "config": {}
-        },
-        {
-            "alias": "update_user_locale",
-            "name": "Update User Locale",
-            "providerId": "update_user_locale",
-            "enabled": true,
-            "defaultAction": false,
-            "priority": 1000,
-            "config": {}
-        }
-    ],
-    "browserFlow": "browser",
-    "registrationFlow": "registration",
-    "directGrantFlow": "direct grant",
-    "resetCredentialsFlow": "reset credentials",
-    "clientAuthenticationFlow": "clients",
-    "dockerAuthenticationFlow": "docker auth",
-    "attributes": {
-        "cibaBackchannelTokenDeliveryMode": "poll",
-        "cibaExpiresIn": "120",
-        "cibaAuthRequestedUserHint": "login_hint",
-        "oauth2DeviceCodeLifespan": "600",
-        "clientOfflineSessionMaxLifespan": "0",
-        "oauth2DevicePollingInterval": "600",
-        "clientSessionIdleTimeout": "0",
-        "clientSessionMaxLifespan": "0",
-        "clientOfflineSessionIdleTimeout": "0",
-        "cibaInterval": "5"
-    },
-    "keycloakVersion": "14.0.0",
-    "userManagedAccessAllowed": false,
-    "clientProfiles": {
-        "profiles": []
-    },
-    "clientPolicies": {
-        "policies": []
-    }
-}
diff --git a/docker/keycloak/import/test-realm.json b/docker/keycloak/import/test-realm.json
new file mode 100644
index 0000000000..d7ee99e1ad
--- /dev/null
+++ b/docker/keycloak/import/test-realm.json
@@ -0,0 +1,2284 @@
+{
+  "id" : "f74c917b-fd69-4c6d-9afa-d9f6774e9d7d",
+  "realm" : "test",
+  "notBefore" : 0,
+  "defaultSignatureAlgorithm" : "RS256",
+  "revokeRefreshToken" : false,
+  "refreshTokenMaxReuse" : 0,
+  "accessTokenLifespan" : 300,
+  "accessTokenLifespanForImplicitFlow" : 900,
+  "ssoSessionIdleTimeout" : 1800,
+  "ssoSessionMaxLifespan" : 36000,
+  "ssoSessionIdleTimeoutRememberMe" : 0,
+  "ssoSessionMaxLifespanRememberMe" : 0,
+  "offlineSessionIdleTimeout" : 2592000,
+  "offlineSessionMaxLifespanEnabled" : false,
+  "offlineSessionMaxLifespan" : 5184000,
+  "clientSessionIdleTimeout" : 0,
+  "clientSessionMaxLifespan" : 0,
+  "clientOfflineSessionIdleTimeout" : 0,
+  "clientOfflineSessionMaxLifespan" : 0,
+  "accessCodeLifespan" : 60,
+  "accessCodeLifespanUserAction" : 300,
+  "accessCodeLifespanLogin" : 1800,
+  "actionTokenGeneratedByAdminLifespan" : 43200,
+  "actionTokenGeneratedByUserLifespan" : 300,
+  "oauth2DeviceCodeLifespan" : 600,
+  "oauth2DevicePollingInterval" : 5,
+  "enabled" : true,
+  "sslRequired" : "external",
+  "registrationAllowed" : false,
+  "registrationEmailAsUsername" : false,
+  "rememberMe" : false,
+  "verifyEmail" : false,
+  "loginWithEmailAllowed" : true,
+  "duplicateEmailsAllowed" : false,
+  "resetPasswordAllowed" : false,
+  "editUsernameAllowed" : false,
+  "bruteForceProtected" : false,
+  "permanentLockout" : false,
+  "maxFailureWaitSeconds" : 900,
+  "minimumQuickLoginWaitSeconds" : 60,
+  "waitIncrementSeconds" : 60,
+  "quickLoginCheckMilliSeconds" : 1000,
+  "maxDeltaTimeSeconds" : 43200,
+  "failureFactor" : 30,
+  "roles" : {
+    "realm" : [ {
+      "id" : "28c07910-21e3-460d-98f3-18bdb430ffe1",
+      "name" : "default-roles-test",
+      "description" : "${role_default-roles}",
+      "composite" : true,
+      "composites" : {
+        "realm" : [ "offline_access", "uma_authorization" ],
+        "client" : {
+          "account" : [ "view-profile", "manage-account" ]
+        }
+      },
+      "clientRole" : false,
+      "containerId" : "f74c917b-fd69-4c6d-9afa-d9f6774e9d7d",
+      "attributes" : { }
+    }, {
+      "id" : "a3d84717-84c9-4d08-a90c-01b4d913b919",
+      "name" : "offline_access",
+      "description" : "${role_offline-access}",
+      "composite" : false,
+      "clientRole" : false,
+      "containerId" : "f74c917b-fd69-4c6d-9afa-d9f6774e9d7d",
+      "attributes" : { }
+    }, {
+      "id" : "50173816-9726-4655-8a65-13b0d0c23729",
+      "name" : "uma_authorization",
+      "description" : "${role_uma_authorization}",
+      "composite" : false,
+      "clientRole" : false,
+      "containerId" : "f74c917b-fd69-4c6d-9afa-d9f6774e9d7d",
+      "attributes" : { }
+    } ],
+    "client" : {
+      "realm-management" : [ {
+        "id" : "0c16a480-bbf3-49ad-8843-d4055cc83100",
+        "name" : "query-groups",
+        "description" : "${role_query-groups}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "e2fa2cdd-feb7-42b1-a0f9-c6653e62d578",
+        "name" : "manage-clients",
+        "description" : "${role_manage-clients}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "6d0c5def-b4d0-43b6-87c6-9cf6d6f9f2fb",
+        "name" : "realm-admin",
+        "description" : "${role_realm-admin}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "realm-management" : [ "query-groups", "manage-clients", "view-identity-providers", "query-clients", "view-authorization", "view-clients", "manage-events", "manage-users", "manage-identity-providers", "query-users", "create-client", "impersonation", "query-realms", "manage-authorization", "view-events", "manage-realm", "view-realm", "view-users" ]
+          }
+        },
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "7d602068-73ae-4d83-bd9a-994a8dbf24b6",
+        "name" : "view-identity-providers",
+        "description" : "${role_view-identity-providers}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "670970ae-e6b0-44f8-bd0e-c6945d41cacf",
+        "name" : "query-clients",
+        "description" : "${role_query-clients}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "931ad9f0-c8ad-456a-a69d-d6c08abbe42a",
+        "name" : "view-authorization",
+        "description" : "${role_view-authorization}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "3015f5e3-f9b4-4938-bae2-c2e1415b01c3",
+        "name" : "view-clients",
+        "description" : "${role_view-clients}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "realm-management" : [ "query-clients" ]
+          }
+        },
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "9648682e-3b89-4fa7-83e0-bd673d4d3119",
+        "name" : "manage-events",
+        "description" : "${role_manage-events}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "baa8f313-386c-4ade-832f-0d2a7da6a2bc",
+        "name" : "manage-users",
+        "description" : "${role_manage-users}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "f59ed8c2-772a-4faf-87a8-04e9e1f0a032",
+        "name" : "manage-identity-providers",
+        "description" : "${role_manage-identity-providers}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "3a950e7f-4762-4306-8d42-63fdd90aa212",
+        "name" : "query-users",
+        "description" : "${role_query-users}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "ab1e85d0-4e35-42ac-acc3-4fde650a1b9f",
+        "name" : "create-client",
+        "description" : "${role_create-client}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "f517cd55-5d1e-4baa-bedb-35fbb7135b24",
+        "name" : "impersonation",
+        "description" : "${role_impersonation}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "7c437eed-ebd0-41fe-a5f2-c569724b71e9",
+        "name" : "query-realms",
+        "description" : "${role_query-realms}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "8ec7b657-c507-4548-9a88-0c018350bdb9",
+        "name" : "manage-authorization",
+        "description" : "${role_manage-authorization}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "bfec4ce4-563a-4f9c-a678-f5cda9f554c4",
+        "name" : "view-events",
+        "description" : "${role_view-events}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "08ab5b1c-0d0c-4789-a595-81dcac9d4b5a",
+        "name" : "manage-realm",
+        "description" : "${role_manage-realm}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "fbfe356d-f049-475c-a7f3-35276f12173b",
+        "name" : "view-realm",
+        "description" : "${role_view-realm}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      }, {
+        "id" : "42c2f2c5-eb42-49e3-93a0-a6c352af85c5",
+        "name" : "view-users",
+        "description" : "${role_view-users}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "realm-management" : [ "query-users", "query-groups" ]
+          }
+        },
+        "clientRole" : true,
+        "containerId" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+        "attributes" : { }
+      } ],
+      "security-admin-console" : [ ],
+      "test-userinfo-jwt" : [ ],
+      "admin-cli" : [ ],
+      "testid" : [ ],
+      "account-console" : [ ],
+      "broker" : [ {
+        "id" : "b740a3c9-82ad-4b74-8a83-46c7d1d69441",
+        "name" : "read-token",
+        "description" : "${role_read-token}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "0263ec51-8f33-4f73-952b-8cdb1712028c",
+        "attributes" : { }
+      } ],
+      "account" : [ {
+        "id" : "70072e4f-0600-42d1-b490-92de314f63bb",
+        "name" : "view-groups",
+        "description" : "${role_view-groups}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "87ffa29a-0a89-443b-bcf9-d26350bf74f8",
+        "name" : "view-applications",
+        "description" : "${role_view-applications}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "f6d0fe38-c146-4aab-924e-24b2d63ed95f",
+        "name" : "view-profile",
+        "description" : "${role_view-profile}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "0a6283c0-8c43-41e6-b6be-de81d6927b35",
+        "name" : "delete-account",
+        "description" : "${role_delete-account}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "f45f95f0-6a9e-4e98-ae9b-75e9b41023a6",
+        "name" : "view-consent",
+        "description" : "${role_view-consent}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "c21366ff-5003-4a3d-936d-925de4c347ae",
+        "name" : "manage-account-links",
+        "description" : "${role_manage-account-links}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "79e03b78-c3b2-4bcc-a04f-a58bba9a67a7",
+        "name" : "manage-account",
+        "description" : "${role_manage-account}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "account" : [ "manage-account-links" ]
+          }
+        },
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      }, {
+        "id" : "9fd80770-e9cc-4393-aded-ce9969067b35",
+        "name" : "manage-consent",
+        "description" : "${role_manage-consent}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "account" : [ "view-consent" ]
+          }
+        },
+        "clientRole" : true,
+        "containerId" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+        "attributes" : { }
+      } ]
+    }
+  },
+  "groups" : [ {
+    "id" : "54b1af7e-173d-4319-85e0-d0848a106095",
+    "name" : "Registreerders",
+    "path" : "/Registreerders",
+    "subGroups" : [ ],
+    "attributes" : { },
+    "realmRoles" : [ ],
+    "clientRoles" : { }
+  } ],
+  "defaultRole" : {
+    "id" : "28c07910-21e3-460d-98f3-18bdb430ffe1",
+    "name" : "default-roles-test",
+    "description" : "${role_default-roles}",
+    "composite" : true,
+    "clientRole" : false,
+    "containerId" : "f74c917b-fd69-4c6d-9afa-d9f6774e9d7d"
+  },
+  "requiredCredentials" : [ "password" ],
+  "otpPolicyType" : "totp",
+  "otpPolicyAlgorithm" : "HmacSHA1",
+  "otpPolicyInitialCounter" : 0,
+  "otpPolicyDigits" : 6,
+  "otpPolicyLookAheadWindow" : 1,
+  "otpPolicyPeriod" : 30,
+  "otpPolicyCodeReusable" : false,
+  "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppGoogleName", "totpAppMicrosoftAuthenticatorName" ],
+  "localizationTexts" : { },
+  "webAuthnPolicyRpEntityName" : "keycloak",
+  "webAuthnPolicySignatureAlgorithms" : [ "ES256" ],
+  "webAuthnPolicyRpId" : "",
+  "webAuthnPolicyAttestationConveyancePreference" : "not specified",
+  "webAuthnPolicyAuthenticatorAttachment" : "not specified",
+  "webAuthnPolicyRequireResidentKey" : "not specified",
+  "webAuthnPolicyUserVerificationRequirement" : "not specified",
+  "webAuthnPolicyCreateTimeout" : 0,
+  "webAuthnPolicyAvoidSameAuthenticatorRegister" : false,
+  "webAuthnPolicyAcceptableAaguids" : [ ],
+  "webAuthnPolicyExtraOrigins" : [ ],
+  "webAuthnPolicyPasswordlessRpEntityName" : "keycloak",
+  "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ],
+  "webAuthnPolicyPasswordlessRpId" : "",
+  "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified",
+  "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified",
+  "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified",
+  "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified",
+  "webAuthnPolicyPasswordlessCreateTimeout" : 0,
+  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false,
+  "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
+  "webAuthnPolicyPasswordlessExtraOrigins" : [ ],
+  "users" : [ {
+    "id" : "6db2db87-de31-4e30-9f25-cefe5da8b154",
+    "createdTimestamp" : 1716466774675,
+    "username" : "admin",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : true,
+    "email" : "admin@example.com",
+    "credentials" : [ {
+      "id" : "3f77857f-70ba-43d2-9333-c996ba0f7f25",
+      "type" : "password",
+      "userLabel" : "My password",
+      "createdDate" : 1716466894356,
+      "secretData" : "{\"value\":\"kxBJkhnwzRk2nb9aLM026KH+53AoV9Jv3vbW0KM/k1E=\",\"salt\":\"mbXY7a8/tk0m9xKflh+ZhA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-test" ],
+    "notBefore" : 0,
+    "groups" : [ "/Registreerders" ]
+  }, {
+    "id" : "ec5a1f70-3d10-48a8-a18b-2d13c925cd92",
+    "createdTimestamp" : 1716388011747,
+    "username" : "digid-machtigen",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : false,
+    "attributes" : {
+      "gemachtigde.bsn" : [ "999999999" ],
+      "aanvrager.bsn" : [ "000000000" ],
+      "service_id" : [ "b18dd73f-3dca-4b67-a4fb-06cb4ebbe2eb" ]
+    },
+    "credentials" : [ {
+      "id" : "5dde1609-96d7-44e0-be78-ac32b9d55736",
+      "type" : "password",
+      "userLabel" : "My password",
+      "createdDate" : 1716388020934,
+      "secretData" : "{\"value\":\"fCYy0OCCW1dVleqekfMpt7hkrQg+e2AeY3pJ14eLKdU=\",\"salt\":\"+TVXeVVZ4RudZj0nUVZsYA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-test" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  }, {
+    "id" : "646e27c6-1b42-4e11-a5c6-d9fae4c3cea6",
+    "createdTimestamp" : 1716392361705,
+    "username" : "eherkenning-bewindvoering",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : false,
+    "attributes" : {
+      "service_uuid" : [ "81216fa4-80a1-4686-a8ac-5c8e5c030c93" ],
+      "representeeBSN" : [ "000000000" ],
+      "legalSubjectID" : [ "12345678" ],
+      "actingSubjectID" : [ "4B75A0EA107B3D36" ],
+      "service_id" : [ "urn:etoegang:DV:00000001002308836000:services:9113" ],
+      "aanvrager.kvk" : [ "12345678" ],
+      "name_qualifier" : [ "urn:etoegang:1.9:EntityConcernedID:KvKnr" ],
+      "gemachtigde.pseudoID" : [ "4B75A0EA107B3D36" ]
+    },
+    "credentials" : [ {
+      "id" : "8d284b91-21db-4bc7-8163-b35fac289108",
+      "type" : "password",
+      "userLabel" : "My password",
+      "createdDate" : 1716393311799,
+      "secretData" : "{\"value\":\"c7ugclHPaUkxdiBzUaUKQscFGSp2ioE3z6Ipvcmwfag=\",\"salt\":\"UHMZypw/YcFH0m0/4YnnjA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-test" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  }, {
+    "id" : "a28aac19-6ac5-4ce5-bbe3-b6c24051914a",
+    "createdTimestamp" : 1707141299906,
+    "username" : "service-account-testid",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : false,
+    "serviceAccountClientId" : "testid",
+    "credentials" : [ ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-test" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  }, {
+    "id" : "aa10cfc7-2c4d-41f6-8fac-7bf405c572c4",
+    "createdTimestamp" : 1707141446005,
+    "username" : "testuser",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : false,
+    "attributes" : {
+      "name_qualifier" : [ "urn:etoegang:1.9:EntityConcernedID:KvKnr" ],
+      "kvk" : [ "012345678" ],
+      "bsn" : [ "000000000" ],
+      "legalSubjectID" : [ "12345678" ],
+      "actingSubjectID" : [ "4B75A0EA107B3D36" ]
+    },
+    "credentials" : [ {
+      "id" : "7592b843-a7ab-4372-a133-d4d984ae687c",
+      "type" : "password",
+      "userLabel" : "My password",
+      "createdDate" : 1707141485838,
+      "secretData" : "{\"value\":\"s9LcIc++9CRM7/wgifxyz0jUFYfmn2VuNpLP3NwUcDw=\",\"salt\":\"JReLfJs5YgTCeB+7u0tgfA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-test" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  } ],
+  "scopeMappings" : [ {
+    "clientScope" : "offline_access",
+    "roles" : [ "offline_access" ]
+  } ],
+  "clientScopeMappings" : {
+    "account" : [ {
+      "client" : "account-console",
+      "roles" : [ "manage-account", "view-groups" ]
+    } ]
+  },
+  "clients" : [ {
+    "id" : "89fbc9e2-7a6c-4600-8ee8-f028644297fa",
+    "clientId" : "account",
+    "name" : "${client_account}",
+    "rootUrl" : "${authBaseUrl}",
+    "baseUrl" : "/realms/test/account/",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/realms/test/account/*" ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "6030fa07-5521-4c89-ad5f-0055bac6a47f",
+    "clientId" : "account-console",
+    "name" : "${client_account-console}",
+    "rootUrl" : "${authBaseUrl}",
+    "baseUrl" : "/realms/test/account/",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/realms/test/account/*" ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "post.logout.redirect.uris" : "+",
+      "pkce.code.challenge.method" : "S256"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "protocolMappers" : [ {
+      "id" : "675a1d8e-030c-4be6-bc22-bbcff46771b4",
+      "name" : "audience resolve",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-audience-resolve-mapper",
+      "consentRequired" : false,
+      "config" : { }
+    } ],
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "0ba5f086-39ea-4545-a237-639bcfbb6d20",
+    "clientId" : "admin-cli",
+    "name" : "${client_admin-cli}",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : false,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : true,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "0263ec51-8f33-4f73-952b-8cdb1712028c",
+    "clientId" : "broker",
+    "name" : "${client_broker}",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : true,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : false,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "b61c6592-3036-4e48-8c90-b0818f63576c",
+    "clientId" : "realm-management",
+    "name" : "${client_realm-management}",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : true,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : false,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "d20d5fd5-e7aa-4641-8c83-c6a2fa0acfe2",
+    "clientId" : "security-admin-console",
+    "name" : "${client_security-admin-console}",
+    "rootUrl" : "${authAdminUrl}",
+    "baseUrl" : "/admin/test/console/",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/admin/test/console/*" ],
+    "webOrigins" : [ "+" ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "post.logout.redirect.uris" : "+",
+      "pkce.code.challenge.method" : "S256"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "protocolMappers" : [ {
+      "id" : "2c68a174-10c2-464e-bbc4-d8d414053fd6",
+      "name" : "locale",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "locale",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "locale",
+        "jsonType.label" : "String"
+      }
+    } ],
+    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "42a22604-c3d9-48a7-9186-e8ef84e05223",
+    "clientId" : "test-userinfo-jwt",
+    "name" : "",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "secret" : "ktGlGUELd1FR7dTXc84L7dJzUTjCtw9S",
+    "redirectUris" : [ "http://testserver/*", "http://127.0.0.1:8000/*", "http://localhost:8000/*" ],
+    "webOrigins" : [ "http://127.0.0.1:8000" ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : true,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : false,
+    "frontchannelLogout" : true,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "client.secret.creation.time" : "1707218309",
+      "user.info.response.signature.alg" : "RS256",
+      "post.logout.redirect.uris" : "+",
+      "oauth2.device.authorization.grant.enabled" : "false",
+      "backchannel.logout.revoke.offline.tokens" : "false",
+      "use.refresh.tokens" : "true",
+      "oidc.ciba.grant.enabled" : "false",
+      "backchannel.logout.session.required" : "true",
+      "client_credentials.use_refresh_token" : "false",
+      "tls.client.certificate.bound.access.tokens" : "false",
+      "require.pushed.authorization.requests" : "false",
+      "acr.loa.map" : "{}",
+      "display.on.consent.screen" : "false",
+      "token.response.type.bearer.lower-case" : "false"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : true,
+    "nodeReRegistrationTimeout" : -1,
+    "defaultClientScopes" : [ "web-origins", "kvk", "acr", "roles", "profile", "bsn", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "adf4ad83-4550-4619-9231-73bd8d700f45",
+    "clientId" : "testid",
+    "name" : "",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "secret" : "7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I",
+    "redirectUris" : [ "http://testserver/*", "http://127.0.0.1:8000/*", "http://example.com/*", "http://localhost:8000/*" ],
+    "webOrigins" : [ "http://127.0.0.1:8000" ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : true,
+    "serviceAccountsEnabled" : true,
+    "publicClient" : false,
+    "frontchannelLogout" : true,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "client.secret.creation.time" : "1707141299",
+      "user.info.response.signature.alg" : "RS256",
+      "post.logout.redirect.uris" : "+",
+      "oauth2.device.authorization.grant.enabled" : "false",
+      "backchannel.logout.revoke.offline.tokens" : "false",
+      "use.refresh.tokens" : "true",
+      "oidc.ciba.grant.enabled" : "false",
+      "backchannel.logout.session.required" : "true",
+      "client_credentials.use_refresh_token" : "false",
+      "tls.client.certificate.bound.access.tokens" : "false",
+      "require.pushed.authorization.requests" : "false",
+      "acr.loa.map" : "{}",
+      "display.on.consent.screen" : "false",
+      "token.response.type.bearer.lower-case" : "false"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : true,
+    "nodeReRegistrationTimeout" : -1,
+    "protocolMappers" : [ {
+      "id" : "e62c9c9b-3a85-41a3-8529-42483cc285f1",
+      "name" : "Client ID",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.session.note" : "client_id",
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "client_id",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "c283ef6b-0be7-4ce0-a5dc-622b6ca88dc9",
+      "name" : "Client IP Address",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.session.note" : "clientAddress",
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "clientAddress",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "68d1ac80-7066-45c3-af1b-48fd1bb52f25",
+      "name" : "Client Host",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.session.note" : "clientHost",
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "clientHost",
+        "jsonType.label" : "String"
+      }
+    } ],
+    "defaultClientScopes" : [ "web-origins", "kvk", "acr", "roles", "profile", "groups", "bsn", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  } ],
+  "clientScopes" : [ {
+    "id" : "cbee953a-f6cc-47d0-9417-bde0ade67c28",
+    "name" : "roles",
+    "description" : "OpenID Connect scope for add user roles to the access token",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "false",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${rolesScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "895028b7-75e6-4d1e-ab98-74e8fd83688c",
+      "name" : "realm roles",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "multivalued" : "true",
+        "user.attribute" : "foo",
+        "access.token.claim" : "true",
+        "claim.name" : "realm_access.roles",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "7a9b8a8d-b221-4748-941a-5b465036b01e",
+      "name" : "client roles",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-client-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "multivalued" : "true",
+        "user.attribute" : "foo",
+        "access.token.claim" : "true",
+        "claim.name" : "resource_access.${client_id}.roles",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "0066ba3c-8feb-40ae-a8c4-f82e556b7001",
+      "name" : "audience resolve",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-audience-resolve-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "access.token.claim" : "true"
+      }
+    } ]
+  }, {
+    "id" : "626b8bbf-e0f7-4b59-93c7-80e875d48f75",
+    "name" : "phone",
+    "description" : "OpenID Connect built-in scope: phone",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${phoneScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "f153d49f-b2eb-4631-b5d4-d994b1a5c1b1",
+      "name" : "phone number",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "phoneNumber",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "phone_number",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "d225930c-582f-456e-b286-b95d8c4dd916",
+      "name" : "phone number verified",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "phoneNumberVerified",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "phone_number_verified",
+        "jsonType.label" : "boolean"
+      }
+    } ]
+  }, {
+    "id" : "593033e2-5011-46b1-be8f-df036dee32b2",
+    "name" : "profile",
+    "description" : "OpenID Connect built-in scope: profile",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${profileScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "ab90bd48-a6c3-4b47-bab6-1d993c010404",
+      "name" : "gender",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "gender",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "gender",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "33f67e40-80d4-4e10-951c-0c08d1051969",
+      "name" : "username",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "username",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "preferred_username",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "56f353fd-546e-48e4-8344-73332df31d3a",
+      "name" : "picture",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "picture",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "picture",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "f78c250d-df76-4e1e-904f-c8d2d60aeb04",
+      "name" : "family name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "lastName",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "family_name",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "ab97273d-18bd-426f-a3f7-61e45309500d",
+      "name" : "full name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-full-name-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "id.token.claim" : "true",
+        "introspection.token.claim" : "true",
+        "access.token.claim" : "true",
+        "userinfo.token.claim" : "true"
+      }
+    }, {
+      "id" : "82effad5-1147-4b1d-bcc7-bda7e9c61760",
+      "name" : "middle name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "middleName",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "middle_name",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "40d6f0ed-f41e-4a3c-acce-5f536fe91fcd",
+      "name" : "profile",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "profile",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "profile",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "c4d1ee91-ce3c-4f75-ba38-3a9c8def5b04",
+      "name" : "groups",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "multivalued" : "true",
+        "user.attribute" : "foo",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "groups",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "07c6a4b7-4a27-4d1b-872d-4a726169c641",
+      "name" : "website",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "website",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "website",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "df1e7c2d-e8e8-4176-8da9-628985e9cb51",
+      "name" : "nickname",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "nickname",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "nickname",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "20e3fa91-8afc-4735-977c-5de3d486a50d",
+      "name" : "updated at",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "updatedAt",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "updated_at",
+        "jsonType.label" : "long"
+      }
+    }, {
+      "id" : "3e525255-568d-40df-9c46-a4f25823ff7e",
+      "name" : "locale",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "locale",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "locale",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "b7cc3936-ca28-4aa5-9eed-7811ed2d6215",
+      "name" : "given name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "firstName",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "given_name",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "4ef08463-2a21-44bf-8e5e-6f4783aacf95",
+      "name" : "birthdate",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "birthdate",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "birthdate",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "15a35ab1-e602-445d-81bb-5a5a997a83dc",
+      "name" : "zoneinfo",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "zoneinfo",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "zoneinfo",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "cdf790bc-c9d4-450c-9088-ef0435d0c7fb",
+    "name" : "acr",
+    "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "false",
+      "display.on.consent.screen" : "false"
+    },
+    "protocolMappers" : [ {
+      "id" : "3d18951b-0124-4daf-aad5-c8f6bebbb54b",
+      "name" : "acr loa level",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-acr-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "id.token.claim" : "true",
+        "introspection.token.claim" : "true",
+        "access.token.claim" : "true",
+        "userinfo.token.claim" : "true"
+      }
+    } ]
+  }, {
+    "id" : "9071e077-8fe3-4ea4-a2a8-51d8c8929329",
+    "name" : "bsn",
+    "description" : "",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "gui.order" : "",
+      "consent.screen.text" : ""
+    },
+    "protocolMappers" : [ {
+      "id" : "65bb02a6-160e-4cd0-9cc8-41123b1f8207",
+      "name" : "aanvrager.bsn",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "aggregate.attrs" : "false",
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "multivalued" : "false",
+        "user.attribute" : "aanvrager.bsn",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "aanvrager\\.bsn",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "e9a645fb-f731-43a0-bcca-c0a40070727a",
+      "name" : "bsn",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "bsn",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "bsn",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "a4c9d555-0beb-44da-9356-b417f37fd7a8",
+      "name" : "aanvrager.kvk",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "aanvrager.kvk",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "aanvrager\\.kvk",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "edd8c9d6-d4f0-43a5-b7ff-747d12007856",
+      "name" : "service_uuid",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "service_uuid",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "service_uuid",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "c6e49a67-cdbe-436b-ad47-c6dc3a8bf5be",
+      "name" : "representeeBSN",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "representeeBSN",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "representeeBSN",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "2bc83ef0-a719-48e4-8142-6bfdcbe77ab2",
+      "name" : "gemachtigde.bsn",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "aggregate.attrs" : "false",
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "multivalued" : "false",
+        "user.attribute" : "gemachtigde.bsn",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "gemachtigde\\.bsn",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "5cca44aa-84b0-45f3-9381-7239cf37d04e",
+      "name" : "gemachtigde.pseudoID",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "gemachtigde.pseudoID",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "gemachtigde\\.pseudoID",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "a815d8d5-48c5-4dad-bb2f-1fba89582fcf",
+      "name" : "actingSubjectID",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "actingSubjectID",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "actingSubjectID",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "cb90396c-deea-4d38-bf2b-117a3ce2b194",
+      "name" : "service_id",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "service_id",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "service_id",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "e12f9cee-121e-4b29-be63-0eda4cc0e8ba",
+      "name" : "legalSubjectID",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "legalSubjectID",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "legalSubjectID",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "ebef48ea-cf2d-4865-9a3b-0589fd00f486",
+      "name" : "name_qualifier",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "name_qualifier",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "name_qualifier",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "f32301bc-3922-491a-89c3-9764356d9d17",
+    "name" : "email",
+    "description" : "OpenID Connect built-in scope: email",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${emailScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "7d845a9b-b76e-4b9f-890b-ef313f9c2e5d",
+      "name" : "email verified",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "emailVerified",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "email_verified",
+        "jsonType.label" : "boolean"
+      }
+    }, {
+      "id" : "e939e96f-9eec-4cc3-9a8e-137760c65b7a",
+      "name" : "email",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "email",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "email",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "68c885a8-6cc4-4e18-8213-d69e80f9deef",
+    "name" : "address",
+    "description" : "OpenID Connect built-in scope: address",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${addressScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "f328d8ca-8da7-4d0c-a8d4-35a8e0912649",
+      "name" : "address",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-address-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.attribute.formatted" : "formatted",
+        "user.attribute.country" : "country",
+        "introspection.token.claim" : "true",
+        "user.attribute.postal_code" : "postal_code",
+        "userinfo.token.claim" : "true",
+        "user.attribute.street" : "street",
+        "id.token.claim" : "true",
+        "user.attribute.region" : "region",
+        "access.token.claim" : "true",
+        "user.attribute.locality" : "locality"
+      }
+    } ]
+  }, {
+    "id" : "2a595631-0f05-4e03-9bf7-d0a86743f246",
+    "name" : "role_list",
+    "description" : "SAML role list",
+    "protocol" : "saml",
+    "attributes" : {
+      "consent.screen.text" : "${samlRoleListScopeConsentText}",
+      "display.on.consent.screen" : "true"
+    },
+    "protocolMappers" : [ {
+      "id" : "7e2ae83b-388d-4f10-ab1f-37b84ebde9d6",
+      "name" : "role list",
+      "protocol" : "saml",
+      "protocolMapper" : "saml-role-list-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "single" : "false",
+        "attribute.nameformat" : "Basic",
+        "attribute.name" : "Role"
+      }
+    } ]
+  }, {
+    "id" : "036a72a9-c46f-40e8-8324-c30ba3ea671c",
+    "name" : "kvk",
+    "description" : "",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "gui.order" : "",
+      "consent.screen.text" : ""
+    },
+    "protocolMappers" : [ {
+      "id" : "8cbdcd7a-239f-4f8c-ae19-6896a04bb680",
+      "name" : "kvk",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "kvk",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "kvk",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "b906f0fd-71de-43e6-959d-201c9a0d8cef",
+    "name" : "web-origins",
+    "description" : "OpenID Connect scope for add allowed web origins to the access token",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "false",
+      "display.on.consent.screen" : "false",
+      "consent.screen.text" : ""
+    },
+    "protocolMappers" : [ {
+      "id" : "11c0d4eb-482e-4b8a-946d-63b268bf7fc9",
+      "name" : "allowed web origins",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-allowed-origins-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "access.token.claim" : "true"
+      }
+    } ]
+  }, {
+    "id" : "89a1f6aa-a02f-48b6-b6ed-13d7521427d5",
+    "name" : "groups",
+    "description" : "Keycloak user groups",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "false",
+      "gui.order" : "",
+      "consent.screen.text" : ""
+    },
+    "protocolMappers" : [ {
+      "id" : "4436cbb5-1460-447e-b0a8-ebe80ef7e873",
+      "name" : "groups",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-group-membership-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "full.path" : "false",
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "groups"
+      }
+    } ]
+  }, {
+    "id" : "0a26b3ef-c0eb-418c-85ca-6030c13e4182",
+    "name" : "microprofile-jwt",
+    "description" : "Microprofile - JWT built-in scope",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "false"
+    },
+    "protocolMappers" : [ {
+      "id" : "13f9f62d-8be7-40bb-9507-f4fd9dd4168f",
+      "name" : "groups",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "multivalued" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "foo",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "groups",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "51caccb7-1d50-4347-94d4-41ae1af2cea6",
+      "name" : "upn",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "introspection.token.claim" : "true",
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "username",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "upn",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "a1de3cd0-4499-4b82-86da-45c2f1c2eb5e",
+    "name" : "offline_access",
+    "description" : "OpenID Connect built-in scope: offline_access",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "consent.screen.text" : "${offlineAccessScopeConsentText}",
+      "display.on.consent.screen" : "true"
+    }
+  } ],
+  "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr" ],
+  "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ],
+  "browserSecurityHeaders" : {
+    "contentSecurityPolicyReportOnly" : "",
+    "xContentTypeOptions" : "nosniff",
+    "referrerPolicy" : "no-referrer",
+    "xRobotsTag" : "none",
+    "xFrameOptions" : "SAMEORIGIN",
+    "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "xXSSProtection" : "1; mode=block",
+    "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
+  },
+  "smtpServer" : { },
+  "eventsEnabled" : false,
+  "eventsListeners" : [ "jboss-logging" ],
+  "enabledEventTypes" : [ ],
+  "adminEventsEnabled" : false,
+  "adminEventsDetailsEnabled" : false,
+  "identityProviders" : [ ],
+  "identityProviderMappers" : [ ],
+  "components" : {
+    "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ {
+      "id" : "c47d8d87-0dda-4a91-a778-1ff4953d0c72",
+      "name" : "Max Clients Limit",
+      "providerId" : "max-clients",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "max-clients" : [ "200" ]
+      }
+    }, {
+      "id" : "2e42c404-90e4-4d4f-aae9-5de838dcf012",
+      "name" : "Trusted Hosts",
+      "providerId" : "trusted-hosts",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "host-sending-registration-request-must-match" : [ "true" ],
+        "client-uris-must-match" : [ "true" ]
+      }
+    }, {
+      "id" : "9545949f-87fd-4416-8f3b-a2be3203b43b",
+      "name" : "Full Scope Disabled",
+      "providerId" : "scope",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : { }
+    }, {
+      "id" : "d7ed32b7-9bc0-4c22-af63-95e605fa571c",
+      "name" : "Allowed Protocol Mapper Types",
+      "providerId" : "allowed-protocol-mappers",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-address-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper" ]
+      }
+    }, {
+      "id" : "c6b13ddf-1676-4e33-85d7-c778891156b3",
+      "name" : "Consent Required",
+      "providerId" : "consent-required",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : { }
+    }, {
+      "id" : "28c52629-450d-4e79-a7ba-c4a28d1f9e7c",
+      "name" : "Allowed Client Scopes",
+      "providerId" : "allowed-client-templates",
+      "subType" : "authenticated",
+      "subComponents" : { },
+      "config" : {
+        "allow-default-scopes" : [ "true" ]
+      }
+    }, {
+      "id" : "1e4a85fd-6412-470d-9edf-562a8b8021b2",
+      "name" : "Allowed Protocol Mapper Types",
+      "providerId" : "allowed-protocol-mappers",
+      "subType" : "authenticated",
+      "subComponents" : { },
+      "config" : {
+        "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-address-mapper" ]
+      }
+    }, {
+      "id" : "9557d357-cc12-443e-bba6-a89e89b22c2e",
+      "name" : "Allowed Client Scopes",
+      "providerId" : "allowed-client-templates",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "allow-default-scopes" : [ "true" ]
+      }
+    } ],
+    "org.keycloak.keys.KeyProvider" : [ {
+      "id" : "8b83b45b-d80d-49c7-ae04-c3f4618c7514",
+      "name" : "aes-generated",
+      "providerId" : "aes-generated",
+      "subComponents" : { },
+      "config" : {
+        "kid" : [ "d993f461-f278-47ef-8c93-70488711ebfd" ],
+        "secret" : [ "o3i6s9I3iiVzLyDPxclUkg" ],
+        "priority" : [ "100" ]
+      }
+    }, {
+      "id" : "4a08d0a0-4d74-4b42-b18a-e06e27fc062b",
+      "name" : "hmac-generated",
+      "providerId" : "hmac-generated",
+      "subComponents" : { },
+      "config" : {
+        "kid" : [ "e715e051-6cdb-48cc-b4f4-f0722c81f9d3" ],
+        "secret" : [ "sR5n-Ep98RcqFydPbvUYTqdnwIB7742D09yUYMiB-OTsqTzoH5op0_KkVqNy9EYg-ibOR3QkvtcauTyjhaK7uw" ],
+        "priority" : [ "100" ],
+        "algorithm" : [ "HS256" ]
+      }
+    }, {
+      "id" : "4d6e8de3-aecf-4209-9922-a890eafa9691",
+      "name" : "rsa-generated",
+      "providerId" : "rsa-generated",
+      "subComponents" : { },
+      "config" : {
+        "privateKey" : [ "MIIEpAIBAAKCAQEA2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF++2lIS7vNV/PbsVVznPAAMqVrNG+8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5//ttJdxPfIBT5+2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB+ORKDTUIQwGZM5mSCy+cY3cHvvZfZVgaUUy5NvujPRXTMje4n/hG0KfEV+40G9qC2/Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ/zbrF4B9dmS6Zli5rBvbox9Hh45wIDAQABAoIBAGshgp7zVbFgWdq6eGr9z0P1qHnnAtR3RvXs91pQHGaHLlkqaJw2yrqwWCu1bA7e23eQG2D9Q/aLSV+FQZUjyHVyhc4oIjRC3qWfQuIiXxQLEe72LQq/xx4ULYgmqZy9QSFzdyK6RHIDffww+CHXyG/yxP5SyP/tLAbb17f/TjBYLMoVcdDmn/wl4UWZMR7ZqFeGOGJWmFpHmeB3HBPU2TyzsTLF9ECgCw298qIKwH0kD3rvGZ+fXPRCX8bLqDkVNL/jDLT5Z/ITGmIUWaBAT/MFoMeuKvOG8NC82edNb7RukoHoXxVgVywbd9Cdlrzu5S0TAgg8qhTlAAx7PuLqyNECgYEA9zqS5smIu1iDwczqYbGxXab3wEVhfAZ/rHa2zB0/tMyZBWJjWlw3jrcNouWnRlxWXoUrcVe/NavKkRBMjlhITZ+nPA7kOQaZIpujulN6euKVgf57zcfhxc4SUeyxYwnOGQFErorP8UnuDYC8rK8tloPVyp3B+sXyZpHOjTtH0RcCgYEA39850L18FfqSN1oDRe01BCJNF0/OM++CFka+OyPkTI7GpmeeEobhY2VsTJuPGMw07uB9OWHOrfsxNbd3R5QO4Rd0svlfBpz8XtUCgWaHV3pNm+zprAf3Fq06Gk3KfO9QMO116fd7RS/RmsFhGIqFGRZ+IP0Tl02mA+ri7wQ3WLECgYAp8Ofm+x2VGskPYaIJfMmoJ6E0HxEQp1GVgnY0XmnmVCdJgI12UNqj/W30ypz8FMIaOuFJ0yb/BevRfEBgjZ2GfaUzTRtuiS4Fbv3xqCPJIRNYAEIkgNpOYk09VLgrIwixuUNbkPUB7BbUd5iKexVyyV7FhsnXrykWOXoe/4WJdQKBgQC03JDG1O50izSpRy0xxwt3xYZmePDsAGkmOgzhloOQXiCau0d3TES2mm++DEa1D/ULr407WIsy/6an8QqKZ1EGBH8hQFnG6/jvXENj60MYJxSgDexSMTUrutMgAQy/lk9A1/bVCD0sjg9WaThaLT6OIB/R4uN67x5aN98SnmNgYQKBgQClIzFFq6Ks2sqxn4PguvL1B4vnqetR4WJc9RvoKp+WAHcJD372B3N4i25n0kv7xyWgYUp25qj1SJL11NTsbiPdFzc4IYBEOwf7/y4l+ZRg2PSF96wZmuQdK3mwzUj9OiYkPUeYd6mtNVbgsCZLrr3Tvgd6NZMSeigFMfESiIpo6w==" ],
+        "keyUse" : [ "SIG" ],
+        "certificate" : [ "MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag==" ],
+        "priority" : [ "100" ]
+      }
+    }, {
+      "id" : "d50865f3-256c-4fe2-b426-f8fe01b21381",
+      "name" : "rsa-enc-generated",
+      "providerId" : "rsa-enc-generated",
+      "subComponents" : { },
+      "config" : {
+        "privateKey" : [ "MIIEpAIBAAKCAQEApNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6/ny1CYfoaxTV2iDpRUw8/f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2/nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C/ZAUzkXC+l3oQ+BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61/Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc/Lv33EwykscLznKWZY2Mbs3Iz/rFNv3sVX/vHpH4DHWlKu7QIDAQABAoIBAAn84YwiHaBm4/Jj/S9Q3z9iwYhcCNrEBXvHJhLPfbZdyrYwzq54FTEIqT6Lgeu+wR8i8k7ZrzzL6M5bUvOvV8a80tNg1lIRimzITzYLXg5TdGnX7lhRe2W4hEI7wR7DLBDzShurcZ5UbMWO234CkKIdddPdoy41FpfHAoly5P4S48ZYqoEcx3V2g3S7XJ4pz2JE9bCF6c9PAiYWimIW6yJgopqjslMrkFxbyWhQir7tuulGSsLaHvX2wuHlKJ0GqNUQiVAd1xapmTleJstJ0OHFnfxn+2gHqiBc08c1IjNDpDmH/54nA8MQhMR8qMRIBO1OMzu7do5HKiSf25FfRacCgYEA6HUpKuo2k/2SjxSnYaHAozGiXdmCFf6mNuT0sCQdDu5ZxMmS2QLTLeH0BbFIXf98EXfFeqwBcA00PXpfc5Fo7fudxnMl/lVyqN+gGO/Sfo7sM+Ds/iXDvucE+vGpgcLEpMvvnFphs0ScPyE0mbbAbYVukKz5YrUgeL+d+I+Z938CgYEAtY4PKsvgRy1sD5WCZqoCRpoY2H3/MuLxDQUu8EAlU4ALyxBkEmaMAcXx+fIDT0X8ldCEoLcyy7800UdgxRbdKflT/lRTEW4CC/1slYpg1jPkkhYaCpsQG9G92dcAUaJWtCbLG0/9I3KFUOAhozKkvmz4gIyARw9bW28BY5Ym75MCgYEApHkRMb4Z88f8hKQWcivigxVBTqnxMuLEdB63SlGjBcd7WJNPBaDMDrDK2aRAEdIM1McrwMonEkMlbUJCeyCtX4UicyFSBowq3nWrbzlwc/9n/KTuyjuqLk6C5ZNLXfaS8A8jcDs62X54FurFruTxbgx02ISqxz5kxUq+2Pmx9L0CgYEArQtu92qFJTJs+dmWBcZrDuIXZlmJYPYfrTpQh9uL+C9mjjDcQRGOxq3lukbq0qcxXZX2o7yZZMulSweOe6wUNsqXPSUgW8+PkeAFm+7d56xkYr1AKvWq/+kE3FnpyuVBYMpM8oZmD2A7I1/Nj+BYV8xDezrvlUtU1yxRlZrrF5MCgYBUMysubXkyp2nqor+x8VExN0BIlDG+0I4XwcGrI47Sb8bNaVd39XuF4GSnLGxxJ7phSOzmlNGq20ssL6h9b8czq6l5l04q0g6w0IQiWvXiFT5fQ5B2NL3jiC1feqBhXppP6Ew60a0eK7LA+/QqQLvZHkbKW72L//8B/kFACcx69Q==" ],
+        "keyUse" : [ "ENC" ],
+        "certificate" : [ "MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA==" ],
+        "priority" : [ "100" ],
+        "algorithm" : [ "RSA-OAEP" ]
+      }
+    } ]
+  },
+  "internationalizationEnabled" : false,
+  "supportedLocales" : [ ],
+  "authenticationFlows" : [ {
+    "id" : "eade39e3-8a2f-4e07-a459-24085849cc7b",
+    "alias" : "Account verification options",
+    "description" : "Method with which to verity the existing account",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "idp-email-verification",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 20,
+      "autheticatorFlow" : true,
+      "flowAlias" : "Verify Existing Account by Re-authentication",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "4ba9c174-71c9-4c41-9c4f-c0c0961c2e60",
+    "alias" : "Browser - Conditional OTP",
+    "description" : "Flow to determine if the OTP is required for the authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "auth-otp-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "3c863e05-422e-4048-b5df-8db9f407265c",
+    "alias" : "Direct Grant - Conditional OTP",
+    "description" : "Flow to determine if the OTP is required for the authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "direct-grant-validate-otp",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "195520f1-5683-4d15-8512-722882436cb6",
+    "alias" : "First broker login - Conditional OTP",
+    "description" : "Flow to determine if the OTP is required for the authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "auth-otp-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "ffb0fb4e-a5b3-47d2-a695-b458f0ae98e6",
+    "alias" : "Handle Existing Account",
+    "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "idp-confirm-link",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : true,
+      "flowAlias" : "Account verification options",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "13083de7-5ca7-4090-a325-fac79ad8974a",
+    "alias" : "Reset - Conditional OTP",
+    "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "reset-otp",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "2c726272-8443-4bb3-aede-e853348de93d",
+    "alias" : "User creation or linking",
+    "description" : "Flow for the existing/non-existing user alternatives",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticatorConfig" : "create unique user config",
+      "authenticator" : "idp-create-user-if-unique",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 20,
+      "autheticatorFlow" : true,
+      "flowAlias" : "Handle Existing Account",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "8c368b22-beaf-460f-852c-ed22a9f634e0",
+    "alias" : "Verify Existing Account by Re-authentication",
+    "description" : "Reauthentication of existing account",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "idp-username-password-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 20,
+      "autheticatorFlow" : true,
+      "flowAlias" : "First broker login - Conditional OTP",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "a513e259-143c-4ca5-8453-7b40b3adaca2",
+    "alias" : "browser",
+    "description" : "browser based authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "auth-cookie",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "auth-spnego",
+      "authenticatorFlow" : false,
+      "requirement" : "DISABLED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "identity-provider-redirector",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 25,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 30,
+      "autheticatorFlow" : true,
+      "flowAlias" : "forms",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "567fabf9-3a81-4994-82f2-32265b469f0a",
+    "alias" : "clients",
+    "description" : "Base authentication for clients",
+    "providerId" : "client-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "client-secret",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "client-jwt",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "client-secret-jwt",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 30,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "client-x509",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 40,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "9138d835-7470-40b8-bd87-9dea7dddf38b",
+    "alias" : "direct grant",
+    "description" : "OpenID Connect Resource Owner Grant",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "direct-grant-validate-username",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "direct-grant-validate-password",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 30,
+      "autheticatorFlow" : true,
+      "flowAlias" : "Direct Grant - Conditional OTP",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "27ebb1ca-e8b7-44ac-b012-8d580a323249",
+    "alias" : "docker auth",
+    "description" : "Used by Docker clients to authenticate against the IDP",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "docker-http-basic-authenticator",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "1dfada24-8a57-4790-8e9b-537d5325f304",
+    "alias" : "first broker login",
+    "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticatorConfig" : "review profile config",
+      "authenticator" : "idp-review-profile",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : true,
+      "flowAlias" : "User creation or linking",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "abdd8910-0519-418d-9bf6-d74350116737",
+    "alias" : "forms",
+    "description" : "Username, password, otp and other auth forms.",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "auth-username-password-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 20,
+      "autheticatorFlow" : true,
+      "flowAlias" : "Browser - Conditional OTP",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "1d657342-0a34-43b2-88a9-de018c0f2f3e",
+    "alias" : "registration",
+    "description" : "registration flow",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "registration-page-form",
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : true,
+      "flowAlias" : "registration form",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "e26131b1-5820-405b-98b5-5dd1ff5d146e",
+    "alias" : "registration form",
+    "description" : "registration form",
+    "providerId" : "form-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "registration-user-creation",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "registration-password-action",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 50,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "registration-recaptcha-action",
+      "authenticatorFlow" : false,
+      "requirement" : "DISABLED",
+      "priority" : 60,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "d7de4f38-5c54-434b-b429-109bc617d88e",
+    "alias" : "reset credentials",
+    "description" : "Reset credentials for a user if they forgot their password or something",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "reset-credentials-choose-user",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "reset-credential-email",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticator" : "reset-password",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 30,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 40,
+      "autheticatorFlow" : true,
+      "flowAlias" : "Reset - Conditional OTP",
+      "userSetupAllowed" : false
+    } ]
+  }, {
+    "id" : "8a5af7f0-4be1-4a71-82e6-53b998ab9996",
+    "alias" : "saml ecp",
+    "description" : "SAML ECP Profile Authentication Flow",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "http-basic-authenticator",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "autheticatorFlow" : false,
+      "userSetupAllowed" : false
+    } ]
+  } ],
+  "authenticatorConfig" : [ {
+    "id" : "ad975f49-59a4-4091-9591-a533e4a9b162",
+    "alias" : "create unique user config",
+    "config" : {
+      "require.password.update.after.registration" : "false"
+    }
+  }, {
+    "id" : "f0a940bd-6086-461e-89c2-18dcebdc8f57",
+    "alias" : "review profile config",
+    "config" : {
+      "update.profile.on.first.login" : "missing"
+    }
+  } ],
+  "requiredActions" : [ {
+    "alias" : "CONFIGURE_TOTP",
+    "name" : "Configure OTP",
+    "providerId" : "CONFIGURE_TOTP",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 10,
+    "config" : { }
+  }, {
+    "alias" : "TERMS_AND_CONDITIONS",
+    "name" : "Terms and Conditions",
+    "providerId" : "TERMS_AND_CONDITIONS",
+    "enabled" : false,
+    "defaultAction" : false,
+    "priority" : 20,
+    "config" : { }
+  }, {
+    "alias" : "UPDATE_PASSWORD",
+    "name" : "Update Password",
+    "providerId" : "UPDATE_PASSWORD",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 30,
+    "config" : { }
+  }, {
+    "alias" : "UPDATE_PROFILE",
+    "name" : "Update Profile",
+    "providerId" : "UPDATE_PROFILE",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 40,
+    "config" : { }
+  }, {
+    "alias" : "VERIFY_EMAIL",
+    "name" : "Verify Email",
+    "providerId" : "VERIFY_EMAIL",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 50,
+    "config" : { }
+  }, {
+    "alias" : "delete_account",
+    "name" : "Delete Account",
+    "providerId" : "delete_account",
+    "enabled" : false,
+    "defaultAction" : false,
+    "priority" : 60,
+    "config" : { }
+  }, {
+    "alias" : "webauthn-register",
+    "name" : "Webauthn Register",
+    "providerId" : "webauthn-register",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 70,
+    "config" : { }
+  }, {
+    "alias" : "webauthn-register-passwordless",
+    "name" : "Webauthn Register Passwordless",
+    "providerId" : "webauthn-register-passwordless",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 80,
+    "config" : { }
+  }, {
+    "alias" : "update_user_locale",
+    "name" : "Update User Locale",
+    "providerId" : "update_user_locale",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 1000,
+    "config" : { }
+  } ],
+  "browserFlow" : "browser",
+  "registrationFlow" : "registration",
+  "directGrantFlow" : "direct grant",
+  "resetCredentialsFlow" : "reset credentials",
+  "clientAuthenticationFlow" : "clients",
+  "dockerAuthenticationFlow" : "docker auth",
+  "attributes" : {
+    "cibaBackchannelTokenDeliveryMode" : "poll",
+    "cibaExpiresIn" : "120",
+    "cibaAuthRequestedUserHint" : "login_hint",
+    "oauth2DeviceCodeLifespan" : "600",
+    "clientOfflineSessionMaxLifespan" : "0",
+    "oauth2DevicePollingInterval" : "5",
+    "clientSessionIdleTimeout" : "0",
+    "parRequestUriLifespan" : "60",
+    "clientSessionMaxLifespan" : "0",
+    "clientOfflineSessionIdleTimeout" : "0",
+    "cibaInterval" : "5",
+    "realmReusableOtpCode" : "false"
+  },
+  "keycloakVersion" : "23.0.7",
+  "userManagedAccessAllowed" : false,
+  "clientProfiles" : {
+    "profiles" : [ ]
+  },
+  "clientPolicies" : {
+    "policies" : [ ]
+  }
+}
\ No newline at end of file
diff --git a/docs/configuration/authentication/oidc_digid.rst b/docs/configuration/authentication/oidc_digid.rst
index 0da24f2027..aa75d549f4 100644
--- a/docs/configuration/authentication/oidc_digid.rst
+++ b/docs/configuration/authentication/oidc_digid.rst
@@ -17,15 +17,31 @@ flow:
 
 .. _configuration_oidc_digid_appgroup:
 
-Configureren van OIDC voor DigiD
-================================
+Configureren van OIDC-provider
+==============================
 
 Contacteer de IAM beheerders in je organisatie om een *Client* aan te
 maken in de omgeving van de OpenID Connect provider.
 
+**Redirect URI (vanaf Open Formulieren 2.7.0)**
+
+.. warning::
+
+    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
+    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
+    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
+    (zie hieronder) endpoints gebruikt.
+
+Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
+waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.
+
+**Redirect URI (legacy)**
+
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/digid-oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.
 
+**Gegevens**
+
 Aan het eind van dit proces moet je de volgende gegevens hebben:
 
 * Server adres, bijvoorbeeld ``login.gemeente.nl``
diff --git a/docs/configuration/authentication/oidc_eherkenning.rst b/docs/configuration/authentication/oidc_eherkenning.rst
index 6d27ed7f05..13d47143a0 100644
--- a/docs/configuration/authentication/oidc_eherkenning.rst
+++ b/docs/configuration/authentication/oidc_eherkenning.rst
@@ -17,15 +17,31 @@ flow:
 
 .. _configuration_oidc_eherkenning_appgroup:
 
-Configureren van OIDC voor eHerkenning
-======================================
+Configureren van OIDC-provider
+==============================
 
 Contacteer de IAM beheerders in je organisatie om een *Client* aan te
 maken in de omgeving van de OpenID Connect provider.
 
+**Redirect URI (vanaf Open Formulieren 2.7.0)**
+
+.. warning::
+
+    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
+    ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``
+    :ref:`omgevingsvariabele<installation_environment_config>`, anders worden de legacy
+    (zie hieronder) endpoints gebruikt.
+
+Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
+waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.
+
+**Redirect URI (legacy)**
+
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/eherkenning-oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.
 
+**Gegevens**
+
 Aan het eind van dit proces moet je de volgende gegevens hebben:
 
 * Server adres, bijvoorbeeld ``login.gemeente.nl``
diff --git a/docs/configuration/authentication/oidc_machtigen.rst b/docs/configuration/authentication/oidc_machtigen.rst
index d9a3dcc2d3..2800af9070 100644
--- a/docs/configuration/authentication/oidc_machtigen.rst
+++ b/docs/configuration/authentication/oidc_machtigen.rst
@@ -4,15 +4,19 @@
 OpenID Connect voor inloggen met DigiD Machtigen en eHerkenning bewindvoering
 =============================================================================
 
-Open Formulieren ondersteunt `DigiD Machtigen`_ en eHerkenning bewindvoering login voor burgers via het OpenID Connect
-protocol (OIDC).
-Burgers kunnen inloggen op Open Formulieren met hun DigiD/eHerkenning account en een formulier invullen namens iemand
+Open Formulieren ondersteunt `DigiD Machtigen`_ en eHerkenning bewindvoering login voor
+burgers via het OpenID Connect protocol (OIDC). Burgers kunnen inloggen op Open
+Formulieren met hun DigiD/eHerkenning account en een formulier invullen namens iemand
 anders. In deze flow:
 
-* Een gebruiker klikt op de knop *Inloggen met DigiD Machtigen* of *Inloggen met eHerkenning bewindvoering* die op de startpagina van een formulier staat.
-* De gebruiker wordt via de omgeving van de OpenID Connect provider (bijv. `Keycloak`_) naar DigiD/eHerkenning geleid, waar de gebruiker kan inloggen met *hun eigen* DigiD/eHerkenning inloggegevens.
+* Een gebruiker klikt op de knop *Inloggen met DigiD Machtigen* of *Inloggen met
+  eHerkenning bewindvoering* die op de startpagina van een formulier staat.
+* De gebruiker wordt via de omgeving van de OpenID Connect provider (bijv. `Keycloak`_)
+  naar DigiD/eHerkenning geleid, waar de gebruiker kan inloggen met *hun eigen*
+  DigiD/eHerkenning inloggegevens.
 * De gebruiker kan dan kiezen namens wie ze het formulier willen invullen.
-* De gebruiker wordt daarna terug naar de OIDC omgeving gestuurd, die op zijn beurt de gebruiker weer terugstuurt naar Open Formulieren
+* De gebruiker wordt daarna terug naar de OIDC omgeving gestuurd, die op zijn beurt de
+  gebruiker weer terugstuurt naar Open Formulieren
 * De gebruiker kan verder met het invullen van het formulier
 
 .. _DigiD Machtigen: https://machtigen.digid.nl/
@@ -20,12 +24,13 @@ anders. In deze flow:
 
 .. _configuration_oidc_digid_machtigen_appgroup:
 
-Configureren van OIDC voor DigiD Machtigen
-==========================================
+Configureren van OIDC-provider voor DigiD Machtigen
+===================================================
 
-De stappen hier zijn dezelfde als voor :ref:`configuration_oidc_digid_appgroup`, maar de **Redirect URI**
-is ``https://open-formulieren.gemeente.nl/digid-oidc-machtigen/callback/`` (met het juiste domein in plaats van
-``open-formulieren.gemeente.nl``).
+De stappen hier zijn dezelfde als voor :ref:`configuration_oidc_digid_appgroup`.
+
+.. warning:: Indien je de legacy **Redirect URI** gebruikt, dan is de waarde
+   ``https://open-formulieren.gemeente.nl/digid-machtigen-oidc/callback/``.
 
 Aan het eind van dit proces moet u de volgende gegevens hebben:
 
@@ -60,12 +65,13 @@ Nu kan er een formulier aangemaakt worden met het authenticatie backend ``DigiD
 
 .. _configuration_oidc_eh_bewindvoering_appgroup:
 
-Configureren van OIDC voor eHerkenning bewindvoering
-====================================================
+Configureren van OIDC-provider voor eHerkenning bewindvoering
+=============================================================
+
+De stappen hier zijn dezelfde als voor :ref:`configuration_oidc_digid_machtigen_appgroup`.
 
-De stappen hier zijn dezelfde als voor :ref:`configuration_oidc_digid_machtigen_appgroup`, maar de **Redirect URI**
-is ``https://open-formulieren.gemeente.nl/eherkenning-bewindvoering-oidc/callback/`` (met het juiste domein in plaats van
-``open-formulieren.gemeente.nl``).
+.. warning:: Indien je de legacy **Redirect URI** gebruikt, dan is de waarde
+   ``https://open-formulieren.gemeente.nl/eherkenning-bewindvoering-oidc/callback/``.
 
 Aan het eind van dit proces moet u de volgende gegevens hebben:
 
diff --git a/docs/configuration/authentication/oidc_org.rst b/docs/configuration/authentication/oidc_org.rst
index 7e137fad8e..e95b091ad4 100644
--- a/docs/configuration/authentication/oidc_org.rst
+++ b/docs/configuration/authentication/oidc_org.rst
@@ -11,29 +11,41 @@ OpenID Connect for organization members
   admins for the management interface, please go 
   :ref:`here <configuration_authentication_oidc>`.
 
-Open Forms supports login on forms by *organization members* through Single Sign On (SSO) via the OpenID Connect protocol (OIDC).
+Open Forms supports login on forms by *organization members* through Single Sign On
+(SSO) via the OpenID Connect protocol (OIDC).
 
-Members of the organization can login to forms for internal use by the organization using the same OpenID Connect configuration that is used for the management interface.
+Members of the organization can login to forms for internal use by the organization
+using the same OpenID Connect configuration that is used for the management interface.
 In this flow:
 
-1. The organization member clicks *Inloggen met OpenID Connect* on the internal form.
-2. The member gets redirected to the login flow of the OpenID Connect provider where the member logs in.
-3. After completion of the OpenID Connect provider login the member is redirected back to the form in Open Forms.
+1. The organization member clicks *Inloggen met OpenID Connect* on the (internal) form.
+2. The member gets redirected to the login flow of the OpenID Connect provider where
+   the member logs in.
+3. After completion of the OpenID Connect provider login the member is redirected back
+   to the form in Open Forms.
 4. The member is now logged into Open Forms and can proceed to complete the form.
-5. Open Forms optionally stores the employee ID (from the OIDC claims) on the user record _and_ the form submission.
+5. Open Forms optionally stores the employee ID (from the OIDC claims) on the user
+   record *and* the form submission.
 
 .. _configuration_authentication_oidc_org_appgroup:
 
 Configuring OIDC for login of organization members
 ==================================================
 
-The OpenID Connect configuration is shared with :ref:`the configuration of the management interface <configuration_authentication_oidc>` and follows the same steps with a few addtional notes:
+The OpenID Connect configuration is shared with
+:ref:`the configuration of the management interface <configuration_authentication_oidc>`
+and follows the same steps with a few addtional notes:
 
-- The plugin callback URL needs to be registered at the OpenID Connect provider. Contact the organizations IAM and ask them add to the whitelist ``https://open-formulieren.gemeente.nl/org-oidc/callback/`` (replace ``open-formulieren.gemeente.nl`` with the domain of your Open Forms installation).
+- It is not recommended to use the *Default groups* configuration option when using
+  OpenID Connect for organization members to authenticate on forms.
 
-- It is not recommended to use the *Default groups* configuration option when using OpenID Connect for organization members to authenticate on forms.
-
-- To store user information from OpenID and track an "Employee ID" it is required to configure the ``claim mapping``. This is JSON object where the claims from the OIDC user-info gets mapped to attributes on the user in Open Forms. For more info and options on configuring the mapping see `mozilla-django-oidc-db <https://github.com/maykinmedia/mozilla-django-oidc-db>`_ (Section 4.1, User profile) and the documentation of your OpenID Connect provider for the structure of the returned user-info.
+- To store user information from OpenID and track an "Employee ID" it is required to
+  configure the ``claim mapping``. This is JSON object where the claims from the OIDC
+  user-info gets mapped to attributes on the user in Open Forms. For more info and
+  options on configuring the mapping see
+  `mozilla-django-oidc-db <https://github.com/maykinmedia/mozilla-django-oidc-db>`_
+  (Section 4.1, User profile) and the documentation of your OpenID Connect provider for
+  the structure of the returned user-info.
 
   Example:
 
@@ -46,13 +58,13 @@ The OpenID Connect configuration is shared with :ref:`the configuration of the m
         "employee_id": "name_of_claim_with_employee_id"
     }
 
-  Note we set the ``employee_id`` to track the member on both the submission and the created user.
+  Note we set the ``employee_id`` to track the member on both the submission and the
+  created user.
 
 - We recommend configuring the roles on the OIDC provider side together with the
   ``Groups glob pattern`` to automatically assign the correct groups when an employee
   authenticates via OIDC. More information about permissions and groups is available
   in the :ref:`manual <manual_accounts>` (in Dutch).
 
-
-After completing these steps a form can be created with the authentication backend ``Organization via OpenID Connect``, see :ref:`manual_forms_basics`.
-
+After completing these steps a form can be created with the authentication backend
+``Organization via OpenID Connect``, see :ref:`manual_forms_basics`.
diff --git a/docs/configuration/general/oidc.rst b/docs/configuration/general/oidc.rst
index 116ae33c81..96bc289269 100644
--- a/docs/configuration/general/oidc.rst
+++ b/docs/configuration/general/oidc.rst
@@ -36,6 +36,21 @@ Configureren van OIDC-provider
 Contacteer de IAM beheerders in je organisatie om een *Client* of *App* aan te
 maken in de omgeving van de OpenID Connect provider.
 
+**Redirect URI (vanaf Open Formulieren 2.7.0)**
+
+.. warning::
+
+    Zorg dat Open Formulieren :ref:`geïnstalleerd <installation_index>` is met de
+    ``USE_LEGACY_OIDC_ENDPOINTS=false`` en ``USE_LEGACY_ORG_OIDC_ENDPOINTS=false``
+    :ref:`omgevingsvariabelen<installation_environment_config>`, anders worden de legacy
+    (zie hieronder) endpoints gebruikt.
+
+Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/auth/oidc/callback/`` in,
+waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein. Deze
+Redirect URI wordt ook gebruikt voor :ref:`configuration_authentication_oidc_org`.
+
+**Redirect URI (legacy)**
+
 Voor de **Redirect URI** vul je ``https://open-formulieren.gemeente.nl/oidc/callback/`` in,
 waarbij je ``open-formulieren.gemeente.nl`` vervangt door het relevante domein.
 
@@ -44,6 +59,8 @@ formulieren, voeg dan ook direct
 ``https://open-formulieren.gemeente.nl/oidc-org/callback/`` toe. Je kan hier 
 meer over lezen op :ref:`configuration_authentication_oidc_org`.
 
+**Gegevens**
+
 Aan het eind van dit proces moet je de volgende gegevens hebben (on premise):
 
 * Server adres, bijvoorbeeld ``login.gemeente.nl``
diff --git a/docs/developers/backend/tests.rst b/docs/developers/backend/tests.rst
index 0335d54186..1d4f341056 100644
--- a/docs/developers/backend/tests.rst
+++ b/docs/developers/backend/tests.rst
@@ -14,10 +14,10 @@ The testsuite uses Django's standard test mechanism:
 
 .. code-block:: bash
 
-    python src/manage.py test src --exclude=e2e
+    python src/manage.py test src --exclude-tag=e2e --exclude-tag=migrations
 
-will run all the tests discovered in the ``src`` directory, excluding
-:ref:`developers_backend_tests_e2e`.
+will run all the tests discovered in the ``src`` directory, excluding slow tests like
+:ref:`end-to-end <developers_backend_tests_e2e>` and migration tests.
 
 You can also limit the tests to run by python path:
 
diff --git a/docs/installation/config.rst b/docs/installation/config.rst
index 70a6c2b2df..d7d87aedd8 100644
--- a/docs/installation/config.rst
+++ b/docs/installation/config.rst
@@ -242,9 +242,6 @@ Other settings
 * ``CACHE_AXES``: The Redis cache location for Axes (used to prevent brute
   force attacks). Defaults to ``localhost:6379/0``.
 
-* ``CACHE_OIDC``: The Redis cache location for the OIDC configuration. Defaults
-  to ``localhost:6379/0``.
-
 * ``ENVIRONMENT``: Short string to indicate the environment (test, production,
   etc.) Defaults to ``""``.
 
@@ -265,6 +262,23 @@ Other settings
   enable :ref:`Organization accounts <configuration_authentication_oidc>`. Defaults
   to ``False``.
 
+* ``USE_LEGACY_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
+  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
+  ``/auth/oidc/callback/``, if ``True``, it is ``/oidc/callback/``.
+
+* ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
+  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
+  ``/auth/oidc/callback/``, if ``True``, they are:
+
+      - ``/digid-oidc/callback/``
+      - ``/eherkenning-oidc/callback/``
+      - ``/digid-machtigen-oidc/callback/``
+      - ``/eherkenning-bewindvoering-oidc/callback/``
+
+* ``USE_LEGACY_ORG_OIDC_ENDPOINTS``: Defaults to ``True`` for backwards compatibility
+  reasons. New installations should opt-out. If ``False``, the OIDC callback URL is
+  ``/auth/oidc/callback/``, if ``True``, it is ``/org-oidc/callback/``.
+
 * ``SESSION_EXPIRE_AT_BROWSER_CLOSE``: Controls if sessions expire at browser close.
   This applies to both the session of end-users filling out forms and staff using the
   administrative interface. Enabling this forces users to log in every time they open
diff --git a/docs/installation/upgrade-250.rst b/docs/installation/upgrade-250.rst
index aed17957ce..1140dd1a3a 100644
--- a/docs/installation/upgrade-250.rst
+++ b/docs/installation/upgrade-250.rst
@@ -1,8 +1,8 @@
 .. _installation_upgrade_250:
 
-====================================================
-Upgrade details to Open Forms 2.5.0 (IN DEVELOPMENT)
-====================================================
+===================================
+Upgrade details to Open Forms 2.5.0
+===================================
 
 We do our best to avoid breaking changes, but at times we cannot guarantee that your
 configuration will keep working flawlessly. Open Forms 2.5.0 is such a release - and
diff --git a/requirements/base.in b/requirements/base.in
index 6dc092495e..32e64765a5 100644
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -46,7 +46,7 @@ django-capture-tag
 django-colorfield
 django-cookie-consent
 django-cors-headers
-django-digid-eherkenning
+django-digid-eherkenning[oidc]
 django-flags
 django-hijack
 django-import-export
diff --git a/requirements/base.txt b/requirements/base.txt
index ab2f8d4f78..74188ada00 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -161,8 +161,10 @@ django-csp==3.8
     # via -r requirements/base.in
 django-csp-reports==1.8.1
     # via -r requirements/base.in
-django-digid-eherkenning==0.13.1
-    # via -r requirements/base.in
+django-digid-eherkenning[oidc]==0.14.0
+    # via
+    #   -r requirements/base.in
+    #   django-digid-eherkenning
 django-filter==23.2
     # via -r requirements/base.in
 django-flags==5.0.13
@@ -332,8 +334,10 @@ maykin-python3-saml==1.16.1
     # via django-digid-eherkenning
 mozilla-django-oidc==4.0.0
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.15.0
-    # via -r requirements/base.in
+mozilla-django-oidc-db==0.18.0
+    # via
+    #   -r requirements/base.in
+    #   django-digid-eherkenning
 o365==2.0.31
     # via -r requirements/base.in
 oauthlib==3.2.2
@@ -507,6 +511,7 @@ typing-extensions==4.11.0
     # via
     #   -r requirements/base.in
     #   asgiref
+    #   mozilla-django-oidc-db
     #   qrcode
     #   schwifty
     #   zgw-consumers
diff --git a/requirements/ci.txt b/requirements/ci.txt
index f55bf4976f..8c243e6613 100644
--- a/requirements/ci.txt
+++ b/requirements/ci.txt
@@ -264,10 +264,11 @@ django-csp-reports==1.8.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.14.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 django-filter==23.2
     # via
     #   -c requirements/base.txt
@@ -613,10 +614,11 @@ mozilla-django-oidc==4.0.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.15.0
+mozilla-django-oidc-db==0.18.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 multidict==6.0.4
     # via yarl
 mypy-extensions==0.4.3
@@ -1021,6 +1023,7 @@ typing-extensions==4.11.0
     #   -r requirements/base.txt
     #   asgiref
     #   black
+    #   mozilla-django-oidc-db
     #   pyee
     #   qrcode
     #   schwifty
diff --git a/requirements/dev.txt b/requirements/dev.txt
index a8d9f0a135..f957268a4d 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -290,10 +290,11 @@ django-csp-reports==1.8.1
     #   -r requirements/ci.txt
 django-debug-toolbar==4.3.0
     # via -r requirements/dev.in
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.14.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   django-digid-eherkenning
 django-extensions==3.2.3
     # via -r requirements/dev.in
 django-filter==23.2
@@ -688,10 +689,11 @@ mozilla-django-oidc==4.0.0
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.15.0
+mozilla-django-oidc-db==0.18.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   django-digid-eherkenning
 multidict==6.0.4
     # via
     #   -c requirements/ci.txt
@@ -1189,6 +1191,7 @@ typing-extensions==4.11.0
     #   -r requirements/ci.txt
     #   asgiref
     #   black
+    #   mozilla-django-oidc-db
     #   pyee
     #   qrcode
     #   schwifty
diff --git a/requirements/extensions.txt b/requirements/extensions.txt
index 82267e3fe4..710ec82d7d 100644
--- a/requirements/extensions.txt
+++ b/requirements/extensions.txt
@@ -230,10 +230,11 @@ django-csp-reports==1.8.1
     # via
     #   -c requirements/base.in
     #   -r requirements/base.txt
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.14.0
     # via
     #   -c requirements/base.in
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 django-filter==23.2
     # via
     #   -c requirements/base.in
@@ -510,10 +511,11 @@ mozilla-django-oidc==4.0.0
     # via
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.15.0
+mozilla-django-oidc-db==0.18.0
     # via
     #   -c requirements/base.in
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 o365==2.0.31
     # via
     #   -c requirements/base.in
@@ -797,6 +799,7 @@ typing-extensions==4.11.0
     #   -c requirements/base.in
     #   -r requirements/base.txt
     #   asgiref
+    #   mozilla-django-oidc-db
     #   qrcode
     #   schwifty
     #   zgw-consumers
diff --git a/src/digid_eherkenning_oidc_generics/__init__.py b/src/digid_eherkenning_oidc_generics/__init__.py
deleted file mode 100644
index a5e7acd93b..0000000000
--- a/src/digid_eherkenning_oidc_generics/__init__.py
+++ /dev/null
@@ -1,59 +0,0 @@
-"""
-DigiD-eHerkenning-OIDC-generics abstracts authenticating over OIDC.
-
-DigiD/eHerkenning are typically exposed via SAML bindings, but there exist identity
-providers that abstract this and instead offer an OpenID Connect flow to log in with
-DigiD and/or eHerkenning. This package facilitates integrating with such providers.
-
-The architecture and authentication flows are tricky in some places. Here's an attempt
-to explain it.
-
-**Configuration**
-
-Each authentication means (DigiD, eHerkenning, mandate (machtigen) variants...) is
-mapped to an OpenID client configuration, which roughly holds:
-
-- the OIDC endpoints to use/redirect users to
-- the OAUTH2 client ID and secret to use, which indicate to the IdP which authentication
-  means they should send the user to
-- which claims to look up/extract from the UserInfo endpoint/JWT
-
-These are stored in (subclasses of) the
-:class:`~digid_herkenning_oidc_generics.models.OpenIDConnectBaseConfig` model.
-
-**Authentication flow**
-
-When a user starts a login flow, they:
-
-1. Click the appriopriate button/link
-2. A Django view processes this and looks up the relevant configuration
-3. The view redirects the user to the identity provider (typically a different domain)
-4. Authenticate with the IdP
-5. The IdP redirects back to our application
-6. Our callback view performs the OIDC exchange and extracts + stores the relevant user
-   information
-7. Finally, the callback view looks up where the user needs to be redirected to and
-   sends them that way.
-
-Steps 2-3 are called the "init" phase in this package, while steps 6-7 are the
-"callback" phase.
-
-**Init phase**
-
-The package supports the init phase by providing an
-:class:`~digid_eherkenning_oidc_generics.views.OIDCInit` 'view' class.
-
-.. autoclass:: digid_eherkenning_oidc_generics.views.OIDCInit
-
-Concrete views bound to configuration classes are:
-
-* :attr:`~digid_herkenning_oidc_generics.views.digid_init`
-* :attr:`~digid_herkenning_oidc_generics.views.digid_machtigen_init`
-* :attr:`~digid_herkenning_oidc_generics.views.eherkenning_init`
-* :attr:`~digid_herkenning_oidc_generics.views.eherkenning_bewindvoering_init`
-
-**Callback phase**
-
-TODO
-
-"""
diff --git a/src/digid_eherkenning_oidc_generics/admin.py b/src/digid_eherkenning_oidc_generics/admin.py
deleted file mode 100644
index 6b23a53e1e..0000000000
--- a/src/digid_eherkenning_oidc_generics/admin.py
+++ /dev/null
@@ -1,205 +0,0 @@
-from django.contrib import admin
-from django.utils.translation import gettext_lazy as _
-
-from solo.admin import SingletonModelAdmin
-
-from .forms import (
-    OpenIDConnectDigiDMachtigenConfigForm,
-    OpenIDConnectEHerkenningBewindvoeringConfigForm,
-    OpenIDConnectEHerkenningConfigForm,
-    OpenIDConnectPublicConfigForm,
-)
-from .models import (
-    OpenIDConnectDigiDMachtigenConfig,
-    OpenIDConnectEHerkenningBewindvoeringConfig,
-    OpenIDConnectEHerkenningConfig,
-    OpenIDConnectPublicConfig,
-)
-
-
-class OpenIDConnectConfigBaseAdmin(SingletonModelAdmin):
-    fieldsets = (
-        (
-            _("Activation"),
-            {"fields": ("enabled",)},
-        ),
-        (
-            _("Common settings"),
-            {
-                "fields": (
-                    "identifier_claim_name",
-                    "oidc_rp_client_id",
-                    "oidc_rp_client_secret",
-                    "oidc_rp_scopes_list",
-                    "oidc_rp_sign_algo",
-                    "oidc_rp_idp_sign_key",
-                )
-            },
-        ),
-        (
-            _("Endpoints"),
-            {
-                "fields": (
-                    "oidc_op_discovery_endpoint",
-                    "oidc_op_jwks_endpoint",
-                    "oidc_op_authorization_endpoint",
-                    "oidc_op_token_endpoint",
-                    "oidc_token_use_basic_auth",
-                    "oidc_op_user_endpoint",
-                    "oidc_op_logout_endpoint",
-                )
-            },
-        ),
-        (_("Keycloak specific settings"), {"fields": ("oidc_keycloak_idp_hint",)}),
-        (
-            _("Advanced settings"),
-            {
-                "fields": (
-                    "oidc_use_nonce",
-                    "oidc_nonce_size",
-                    "oidc_state_size",
-                    "oidc_exempt_urls",
-                    "userinfo_claims_source",
-                ),
-                "classes": [
-                    "collapse in",
-                ],
-            },
-        ),
-    )
-
-
-@admin.register(OpenIDConnectPublicConfig)
-class OpenIDConnectConfigDigiDAdmin(OpenIDConnectConfigBaseAdmin):
-    form = OpenIDConnectPublicConfigForm
-
-
-@admin.register(OpenIDConnectEHerkenningConfig)
-class OpenIDConnectConfigEHerkenningAdmin(OpenIDConnectConfigBaseAdmin):
-    form = OpenIDConnectEHerkenningConfigForm
-
-
-@admin.register(OpenIDConnectDigiDMachtigenConfig)
-class OpenIDConnectConfigDigiDMachtigenAdmin(SingletonModelAdmin):
-    form = OpenIDConnectDigiDMachtigenConfigForm
-
-    fieldsets = (
-        (
-            _("Activation"),
-            {"fields": ("enabled",)},
-        ),
-        (
-            _("Common settings"),
-            {
-                "fields": (
-                    "oidc_rp_client_id",
-                    "oidc_rp_client_secret",
-                    "oidc_rp_scopes_list",
-                    "oidc_rp_sign_algo",
-                    "oidc_rp_idp_sign_key",
-                )
-            },
-        ),
-        (
-            _("Attributes to extract from claim"),
-            {
-                "fields": (
-                    "vertegenwoordigde_claim_name",
-                    "gemachtigde_claim_name",
-                )
-            },
-        ),
-        (
-            _("Endpoints"),
-            {
-                "fields": (
-                    "oidc_op_discovery_endpoint",
-                    "oidc_op_jwks_endpoint",
-                    "oidc_op_authorization_endpoint",
-                    "oidc_op_token_endpoint",
-                    "oidc_token_use_basic_auth",
-                    "oidc_op_user_endpoint",
-                    "oidc_op_logout_endpoint",
-                )
-            },
-        ),
-        (_("Keycloak specific settings"), {"fields": ("oidc_keycloak_idp_hint",)}),
-        (
-            _("Advanced settings"),
-            {
-                "fields": (
-                    "oidc_use_nonce",
-                    "oidc_nonce_size",
-                    "oidc_state_size",
-                    "oidc_exempt_urls",
-                    "userinfo_claims_source",
-                ),
-                "classes": [
-                    "collapse in",
-                ],
-            },
-        ),
-    )
-
-
-@admin.register(OpenIDConnectEHerkenningBewindvoeringConfig)
-class OpenIDConnectConfigEHerkenningBewindvoeringAdmin(SingletonModelAdmin):
-    form = OpenIDConnectEHerkenningBewindvoeringConfigForm
-
-    fieldsets = (
-        (
-            _("Activation"),
-            {"fields": ("enabled",)},
-        ),
-        (
-            _("Common settings"),
-            {
-                "fields": (
-                    "oidc_rp_client_id",
-                    "oidc_rp_client_secret",
-                    "oidc_rp_scopes_list",
-                    "oidc_rp_sign_algo",
-                    "oidc_rp_idp_sign_key",
-                )
-            },
-        ),
-        (
-            _("Attributes to extract from claim"),
-            {
-                "fields": (
-                    "vertegenwoordigde_company_claim_name",
-                    "gemachtigde_person_claim_name",
-                )
-            },
-        ),
-        (
-            _("Endpoints"),
-            {
-                "fields": (
-                    "oidc_op_discovery_endpoint",
-                    "oidc_op_jwks_endpoint",
-                    "oidc_op_authorization_endpoint",
-                    "oidc_op_token_endpoint",
-                    "oidc_token_use_basic_auth",
-                    "oidc_op_user_endpoint",
-                    "oidc_op_logout_endpoint",
-                )
-            },
-        ),
-        (_("Keycloak specific settings"), {"fields": ("oidc_keycloak_idp_hint",)}),
-        (
-            _("Advanced settings"),
-            {
-                "fields": (
-                    "oidc_use_nonce",
-                    "oidc_nonce_size",
-                    "oidc_state_size",
-                    "oidc_exempt_urls",
-                    "userinfo_claims_source",
-                ),
-                "classes": [
-                    "collapse in",
-                ],
-            },
-        ),
-    )
diff --git a/src/digid_eherkenning_oidc_generics/apps.py b/src/digid_eherkenning_oidc_generics/apps.py
deleted file mode 100644
index 77906b4bb5..0000000000
--- a/src/digid_eherkenning_oidc_generics/apps.py
+++ /dev/null
@@ -1,7 +0,0 @@
-from django.apps import AppConfig
-from django.utils.translation import gettext_lazy as _
-
-
-class DigiDeHerkenningOIDCAppConfig(AppConfig):
-    name = "digid_eherkenning_oidc_generics"
-    verbose_name = _("DigiD & eHerkenning via OpenID Connect")
diff --git a/src/digid_eherkenning_oidc_generics/backends.py b/src/digid_eherkenning_oidc_generics/backends.py
deleted file mode 100644
index 091f33781a..0000000000
--- a/src/digid_eherkenning_oidc_generics/backends.py
+++ /dev/null
@@ -1,31 +0,0 @@
-import logging
-
-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import SuspiciousOperation
-
-from mozilla_django_oidc_db.backends import (
-    OIDCAuthenticationBackend as _OIDCAuthenticationBackend,
-)
-
-logger = logging.getLogger(__name__)
-
-
-class OIDCAuthenticationBackend(_OIDCAuthenticationBackend):
-    session_key = ""
-    config_identifier_field = "identifier_claim_name"
-
-    def extract_claims(self, payload):
-        self.request.session[self.session_key] = self.retrieve_identifier_claim(payload)
-
-    def get_or_create_user(self, access_token, id_token, payload):
-        user_info = self.get_userinfo(access_token, id_token, payload)
-        claims_verified = self.verify_claims(user_info)
-        if not claims_verified:
-            msg = "Claims verification failed"
-            raise SuspiciousOperation(msg)
-
-        self.extract_claims(payload)
-
-        user = AnonymousUser()
-        user.is_active = True
-        return user
diff --git a/src/digid_eherkenning_oidc_generics/exceptions.py b/src/digid_eherkenning_oidc_generics/exceptions.py
deleted file mode 100644
index e4e8527ff6..0000000000
--- a/src/digid_eherkenning_oidc_generics/exceptions.py
+++ /dev/null
@@ -1,2 +0,0 @@
-class OIDCProviderOutage(Exception):
-    pass
diff --git a/src/digid_eherkenning_oidc_generics/forms.py b/src/digid_eherkenning_oidc_generics/forms.py
deleted file mode 100644
index 29c2ed0fc0..0000000000
--- a/src/digid_eherkenning_oidc_generics/forms.py
+++ /dev/null
@@ -1,81 +0,0 @@
-from copy import deepcopy
-
-from django.core.validators import ValidationError
-from django.utils.translation import gettext_lazy as _
-
-from mozilla_django_oidc_db.constants import OIDC_MAPPING as _OIDC_MAPPING
-from mozilla_django_oidc_db.forms import OpenIDConnectConfigForm
-
-from openforms.forms.models import Form
-
-from .models import (
-    OpenIDConnectDigiDMachtigenConfig,
-    OpenIDConnectEHerkenningBewindvoeringConfig,
-    OpenIDConnectEHerkenningConfig,
-    OpenIDConnectPublicConfig,
-)
-
-OIDC_MAPPING = deepcopy(_OIDC_MAPPING)
-
-OIDC_MAPPING["oidc_op_logout_endpoint"] = "end_session_endpoint"
-
-
-class OpenIDConnectBaseConfigForm(OpenIDConnectConfigForm):
-    required_endpoints = [
-        "oidc_op_authorization_endpoint",
-        "oidc_op_token_endpoint",
-        "oidc_op_user_endpoint",
-        "oidc_op_logout_endpoint",
-    ]
-    oidc_mapping = OIDC_MAPPING
-    plugin_identifier = ""
-
-    def clean_enabled(self):
-        enabled = self.cleaned_data["enabled"]
-
-        if not enabled:
-            forms_with_backend = Form.objects.filter(
-                authentication_backends__contains=[self.plugin_identifier]
-            )
-
-            if forms_with_backend.exists():
-                raise ValidationError(
-                    _(
-                        "{plugin_identifier} is selected as authentication backend "
-                        "for one or more forms, please remove this backend from these "
-                        "forms before disabling this authentication backend."
-                    ).format(plugin_identifier=self.plugin_identifier)
-                )
-        return enabled
-
-
-class OpenIDConnectPublicConfigForm(OpenIDConnectBaseConfigForm):
-    plugin_identifier = "digid_oidc"
-
-    class Meta:
-        model = OpenIDConnectPublicConfig
-        fields = "__all__"
-
-
-class OpenIDConnectEHerkenningConfigForm(OpenIDConnectBaseConfigForm):
-    plugin_identifier = "eherkenning_oidc"
-
-    class Meta:
-        model = OpenIDConnectEHerkenningConfig
-        fields = "__all__"
-
-
-class OpenIDConnectDigiDMachtigenConfigForm(OpenIDConnectBaseConfigForm):
-    plugin_identifier = "digid_machtigen_oidc"
-
-    class Meta:
-        model = OpenIDConnectDigiDMachtigenConfig
-        fields = "__all__"
-
-
-class OpenIDConnectEHerkenningBewindvoeringConfigForm(OpenIDConnectBaseConfigForm):
-    plugin_identifier = "eherkenning_bewindvoering_oidc"
-
-    class Meta:
-        model = OpenIDConnectEHerkenningBewindvoeringConfig
-        fields = "__all__"
diff --git a/src/digid_eherkenning_oidc_generics/migrations/0001_initial_squashed_0007_auto_20221213_1347.py b/src/digid_eherkenning_oidc_generics/migrations/0001_initial_squashed_0007_auto_20221213_1347.py
deleted file mode 100644
index ac77fcb7ea..0000000000
--- a/src/digid_eherkenning_oidc_generics/migrations/0001_initial_squashed_0007_auto_20221213_1347.py
+++ /dev/null
@@ -1,801 +0,0 @@
-# Generated by Django 3.2.20 on 2023-09-08 10:43
-
-from django.db import migrations, models
-
-import django_jsonform.models.fields
-import mozilla_django_oidc_db.models
-
-import digid_eherkenning_oidc_generics.models
-
-
-class Migration(migrations.Migration):
-    dependencies = []
-
-    operations = [
-        migrations.CreateModel(
-            name="OpenIDConnectDigiDMachtigenConfig",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "enabled",
-                    models.BooleanField(
-                        default=False,
-                        help_text="Indicates whether OpenID Connect for authentication/authorization is enabled",
-                        verbose_name="enable",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_id",
-                    models.CharField(
-                        help_text="OpenID Connect client ID provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect client ID",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_secret",
-                    models.CharField(
-                        help_text="OpenID Connect secret provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect secret",
-                    ),
-                ),
-                (
-                    "oidc_rp_sign_algo",
-                    models.CharField(
-                        default="HS256",
-                        help_text="Algorithm the Identity Provider uses to sign ID tokens",
-                        max_length=50,
-                        verbose_name="OpenID sign algorithm",
-                    ),
-                ),
-                (
-                    "oidc_op_discovery_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider discovery endpoint ending with a slash (`.well-known/...` will be added automatically). If this is provided, the remaining endpoints can be omitted, as they will be derived from this endpoint.",
-                        max_length=1000,
-                        verbose_name="Discovery endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_jwks_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider JSON Web Key Set endpoint. Required if `RS256` is used as signing algorithm.",
-                        max_length=1000,
-                        verbose_name="JSON Web Key Set endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_authorization_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider authorization endpoint",
-                        max_length=1000,
-                        verbose_name="Authorization endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_token_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider token endpoint",
-                        max_length=1000,
-                        verbose_name="Token endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_user_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider userinfo endpoint",
-                        max_length=1000,
-                        verbose_name="User endpoint",
-                    ),
-                ),
-                (
-                    "oidc_rp_idp_sign_key",
-                    models.CharField(
-                        blank=True,
-                        help_text="Key the Identity Provider uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.",
-                        max_length=1000,
-                        verbose_name="Sign key",
-                    ),
-                ),
-                (
-                    "oidc_op_logout_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider logout endpoint",
-                        max_length=1000,
-                        verbose_name="Logout endpoint",
-                    ),
-                ),
-                (
-                    "oidc_keycloak_idp_hint",
-                    models.CharField(
-                        blank=True,
-                        help_text="Specific for Keycloak: parameter that indicates which identity provider should be used (therefore skipping the Keycloak login screen).",
-                        max_length=1000,
-                        verbose_name="Keycloak Identity Provider hint",
-                    ),
-                ),
-                (
-                    "vertegenwoordigde_claim_name",
-                    models.CharField(
-                        default="aanvrager.bsn",
-                        help_text="Name of the claim in which the BSN of the person being represented is stored",
-                        max_length=50,
-                        verbose_name="vertegenwoordigde claim name",
-                    ),
-                ),
-                (
-                    "gemachtigde_claim_name",
-                    models.CharField(
-                        default="gemachtigde.bsn",
-                        help_text="Name of the claim in which the BSN of the person representing someone else is stored",
-                        max_length=50,
-                        verbose_name="gemachtigde claim name",
-                    ),
-                ),
-                (
-                    "oidc_rp_scopes_list",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=50, verbose_name="OpenID Connect scope"
-                        ),
-                        blank=True,
-                        default=digid_eherkenning_oidc_generics.models.get_default_scopes_bsn,
-                        help_text="OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider",
-                        size=None,
-                        verbose_name="OpenID Connect scopes",
-                    ),
-                ),
-                (
-                    "oidc_exempt_urls",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=1000, verbose_name="Exempt URL"
-                        ),
-                        blank=True,
-                        default=list,
-                        help_text="This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.",
-                        size=None,
-                        verbose_name="URLs exempt from session renewal",
-                    ),
-                ),
-                (
-                    "oidc_nonce_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect nonce verification",
-                        verbose_name="Nonce size",
-                    ),
-                ),
-                (
-                    "oidc_state_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect state verification",
-                        verbose_name="State size",
-                    ),
-                ),
-                (
-                    "oidc_use_nonce",
-                    models.BooleanField(
-                        default=True,
-                        help_text="Controls whether the OpenID Connect client uses nonce verification",
-                        verbose_name="Use nonce",
-                    ),
-                ),
-                (
-                    "userinfo_claims_source",
-                    models.CharField(
-                        choices=[
-                            ("userinfo_endpoint", "Userinfo endpoint"),
-                            ("id_token", "ID token"),
-                        ],
-                        default="userinfo_endpoint",
-                        help_text="Indicates the source from which the user information claims should be extracted.",
-                        max_length=100,
-                        verbose_name="user information claims extracted from",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "OpenID Connect configuration for DigiD Machtigen",
-            },
-            bases=(mozilla_django_oidc_db.models.CachingMixin, models.Model),
-        ),
-        migrations.CreateModel(
-            name="OpenIDConnectEHerkenningBewindvoeringConfig",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "enabled",
-                    models.BooleanField(
-                        default=False,
-                        help_text="Indicates whether OpenID Connect for authentication/authorization is enabled",
-                        verbose_name="enable",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_id",
-                    models.CharField(
-                        help_text="OpenID Connect client ID provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect client ID",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_secret",
-                    models.CharField(
-                        help_text="OpenID Connect secret provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect secret",
-                    ),
-                ),
-                (
-                    "oidc_rp_sign_algo",
-                    models.CharField(
-                        default="HS256",
-                        help_text="Algorithm the Identity Provider uses to sign ID tokens",
-                        max_length=50,
-                        verbose_name="OpenID sign algorithm",
-                    ),
-                ),
-                (
-                    "oidc_op_discovery_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider discovery endpoint ending with a slash (`.well-known/...` will be added automatically). If this is provided, the remaining endpoints can be omitted, as they will be derived from this endpoint.",
-                        max_length=1000,
-                        verbose_name="Discovery endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_jwks_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider JSON Web Key Set endpoint. Required if `RS256` is used as signing algorithm.",
-                        max_length=1000,
-                        verbose_name="JSON Web Key Set endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_authorization_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider authorization endpoint",
-                        max_length=1000,
-                        verbose_name="Authorization endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_token_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider token endpoint",
-                        max_length=1000,
-                        verbose_name="Token endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_user_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider userinfo endpoint",
-                        max_length=1000,
-                        verbose_name="User endpoint",
-                    ),
-                ),
-                (
-                    "oidc_rp_idp_sign_key",
-                    models.CharField(
-                        blank=True,
-                        help_text="Key the Identity Provider uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.",
-                        max_length=1000,
-                        verbose_name="Sign key",
-                    ),
-                ),
-                (
-                    "oidc_use_nonce",
-                    models.BooleanField(
-                        default=True,
-                        help_text="Controls whether the OpenID Connect client uses nonce verification",
-                        verbose_name="Use nonce",
-                    ),
-                ),
-                (
-                    "oidc_nonce_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect nonce verification",
-                        verbose_name="Nonce size",
-                    ),
-                ),
-                (
-                    "oidc_state_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect state verification",
-                        verbose_name="State size",
-                    ),
-                ),
-                (
-                    "oidc_exempt_urls",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=1000, verbose_name="Exempt URL"
-                        ),
-                        blank=True,
-                        default=list,
-                        help_text="This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.",
-                        size=None,
-                        verbose_name="URLs exempt from session renewal",
-                    ),
-                ),
-                (
-                    "oidc_op_logout_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider logout endpoint",
-                        max_length=1000,
-                        verbose_name="Logout endpoint",
-                    ),
-                ),
-                (
-                    "oidc_keycloak_idp_hint",
-                    models.CharField(
-                        blank=True,
-                        help_text="Specific for Keycloak: parameter that indicates which identity provider should be used (therefore skipping the Keycloak login screen).",
-                        max_length=1000,
-                        verbose_name="Keycloak Identity Provider hint",
-                    ),
-                ),
-                (
-                    "vertegenwoordigde_company_claim_name",
-                    models.CharField(
-                        default="aanvrager.kvk",
-                        help_text="Name of the claim in which the KVK of the company being represented is stored",
-                        max_length=50,
-                        verbose_name="vertegenwoordigde company claim name",
-                    ),
-                ),
-                (
-                    "gemachtigde_person_claim_name",
-                    models.CharField(
-                        default="gemachtigde.pseudoID",
-                        help_text="Name of the claim in which the ID of the person representing a company is stored",
-                        max_length=50,
-                        verbose_name="gemachtigde person claim name",
-                    ),
-                ),
-                (
-                    "oidc_rp_scopes_list",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=50, verbose_name="OpenID Connect scope"
-                        ),
-                        blank=True,
-                        default=digid_eherkenning_oidc_generics.models.get_default_scopes_bsn,
-                        help_text="OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider",
-                        size=None,
-                        verbose_name="OpenID Connect scopes",
-                    ),
-                ),
-                (
-                    "userinfo_claims_source",
-                    models.CharField(
-                        choices=[
-                            ("userinfo_endpoint", "Userinfo endpoint"),
-                            ("id_token", "ID token"),
-                        ],
-                        default="userinfo_endpoint",
-                        help_text="Indicates the source from which the user information claims should be extracted.",
-                        max_length=100,
-                        verbose_name="user information claims extracted from",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "OpenID Connect configuration for eHerkenning Bewindvoering",
-            },
-            bases=(mozilla_django_oidc_db.models.CachingMixin, models.Model),
-        ),
-        migrations.CreateModel(
-            name="OpenIDConnectEHerkenningConfig",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "enabled",
-                    models.BooleanField(
-                        default=False,
-                        help_text="Indicates whether OpenID Connect for authentication/authorization is enabled",
-                        verbose_name="enable",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_id",
-                    models.CharField(
-                        help_text="OpenID Connect client ID provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect client ID",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_secret",
-                    models.CharField(
-                        help_text="OpenID Connect secret provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect secret",
-                    ),
-                ),
-                (
-                    "oidc_rp_sign_algo",
-                    models.CharField(
-                        default="HS256",
-                        help_text="Algorithm the Identity Provider uses to sign ID tokens",
-                        max_length=50,
-                        verbose_name="OpenID sign algorithm",
-                    ),
-                ),
-                (
-                    "oidc_op_discovery_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider discovery endpoint ending with a slash (`.well-known/...` will be added automatically). If this is provided, the remaining endpoints can be omitted, as they will be derived from this endpoint.",
-                        max_length=1000,
-                        verbose_name="Discovery endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_jwks_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider JSON Web Key Set endpoint. Required if `RS256` is used as signing algorithm.",
-                        max_length=1000,
-                        verbose_name="JSON Web Key Set endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_authorization_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider authorization endpoint",
-                        max_length=1000,
-                        verbose_name="Authorization endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_token_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider token endpoint",
-                        max_length=1000,
-                        verbose_name="Token endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_user_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider userinfo endpoint",
-                        max_length=1000,
-                        verbose_name="User endpoint",
-                    ),
-                ),
-                (
-                    "oidc_rp_idp_sign_key",
-                    models.CharField(
-                        blank=True,
-                        help_text="Key the Identity Provider uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.",
-                        max_length=1000,
-                        verbose_name="Sign key",
-                    ),
-                ),
-                (
-                    "oidc_op_logout_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider logout endpoint",
-                        max_length=1000,
-                        verbose_name="Logout endpoint",
-                    ),
-                ),
-                (
-                    "oidc_keycloak_idp_hint",
-                    models.CharField(
-                        blank=True,
-                        help_text="Specific for Keycloak: parameter that indicates which identity provider should be used (therefore skipping the Keycloak login screen).",
-                        max_length=1000,
-                        verbose_name="Keycloak Identity Provider hint",
-                    ),
-                ),
-                (
-                    "identifier_claim_name",
-                    models.CharField(
-                        default="kvk",
-                        help_text="The name of the claim in which the KVK of the user is stored",
-                        max_length=100,
-                        verbose_name="KVK claim name",
-                    ),
-                ),
-                (
-                    "oidc_rp_scopes_list",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=50, verbose_name="OpenID Connect scope"
-                        ),
-                        blank=True,
-                        default=digid_eherkenning_oidc_generics.models.get_default_scopes_kvk,
-                        help_text="OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider",
-                        size=None,
-                        verbose_name="OpenID Connect scopes",
-                    ),
-                ),
-                (
-                    "oidc_exempt_urls",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=1000, verbose_name="Exempt URL"
-                        ),
-                        blank=True,
-                        default=list,
-                        help_text="This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.",
-                        size=None,
-                        verbose_name="URLs exempt from session renewal",
-                    ),
-                ),
-                (
-                    "oidc_nonce_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect nonce verification",
-                        verbose_name="Nonce size",
-                    ),
-                ),
-                (
-                    "oidc_state_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect state verification",
-                        verbose_name="State size",
-                    ),
-                ),
-                (
-                    "oidc_use_nonce",
-                    models.BooleanField(
-                        default=True,
-                        help_text="Controls whether the OpenID Connect client uses nonce verification",
-                        verbose_name="Use nonce",
-                    ),
-                ),
-                (
-                    "userinfo_claims_source",
-                    models.CharField(
-                        choices=[
-                            ("userinfo_endpoint", "Userinfo endpoint"),
-                            ("id_token", "ID token"),
-                        ],
-                        default="userinfo_endpoint",
-                        help_text="Indicates the source from which the user information claims should be extracted.",
-                        max_length=100,
-                        verbose_name="user information claims extracted from",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "OpenID Connect configuration for eHerkenning",
-            },
-            bases=(mozilla_django_oidc_db.models.CachingMixin, models.Model),
-        ),
-        migrations.CreateModel(
-            name="OpenIDConnectPublicConfig",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True,
-                        primary_key=True,
-                        serialize=False,
-                        verbose_name="ID",
-                    ),
-                ),
-                (
-                    "enabled",
-                    models.BooleanField(
-                        default=False,
-                        help_text="Indicates whether OpenID Connect for authentication/authorization is enabled",
-                        verbose_name="enable",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_id",
-                    models.CharField(
-                        help_text="OpenID Connect client ID provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect client ID",
-                    ),
-                ),
-                (
-                    "oidc_rp_client_secret",
-                    models.CharField(
-                        help_text="OpenID Connect secret provided by the OIDC Provider",
-                        max_length=1000,
-                        verbose_name="OpenID Connect secret",
-                    ),
-                ),
-                (
-                    "oidc_rp_sign_algo",
-                    models.CharField(
-                        default="HS256",
-                        help_text="Algorithm the Identity Provider uses to sign ID tokens",
-                        max_length=50,
-                        verbose_name="OpenID sign algorithm",
-                    ),
-                ),
-                (
-                    "oidc_op_discovery_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider discovery endpoint ending with a slash (`.well-known/...` will be added automatically). If this is provided, the remaining endpoints can be omitted, as they will be derived from this endpoint.",
-                        max_length=1000,
-                        verbose_name="Discovery endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_jwks_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider JSON Web Key Set endpoint. Required if `RS256` is used as signing algorithm.",
-                        max_length=1000,
-                        verbose_name="JSON Web Key Set endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_authorization_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider authorization endpoint",
-                        max_length=1000,
-                        verbose_name="Authorization endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_token_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider token endpoint",
-                        max_length=1000,
-                        verbose_name="Token endpoint",
-                    ),
-                ),
-                (
-                    "oidc_op_user_endpoint",
-                    models.URLField(
-                        help_text="URL of your OpenID Connect provider userinfo endpoint",
-                        max_length=1000,
-                        verbose_name="User endpoint",
-                    ),
-                ),
-                (
-                    "oidc_rp_idp_sign_key",
-                    models.CharField(
-                        blank=True,
-                        help_text="Key the Identity Provider uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.",
-                        max_length=1000,
-                        verbose_name="Sign key",
-                    ),
-                ),
-                (
-                    "oidc_op_logout_endpoint",
-                    models.URLField(
-                        blank=True,
-                        help_text="URL of your OpenID Connect provider logout endpoint",
-                        max_length=1000,
-                        verbose_name="Logout endpoint",
-                    ),
-                ),
-                (
-                    "oidc_keycloak_idp_hint",
-                    models.CharField(
-                        blank=True,
-                        help_text="Specific for Keycloak: parameter that indicates which identity provider should be used (therefore skipping the Keycloak login screen).",
-                        max_length=1000,
-                        verbose_name="Keycloak Identity Provider hint",
-                    ),
-                ),
-                (
-                    "identifier_claim_name",
-                    models.CharField(
-                        default="bsn",
-                        help_text="The name of the claim in which the BSN of the user is stored",
-                        max_length=100,
-                        verbose_name="BSN claim name",
-                    ),
-                ),
-                (
-                    "oidc_rp_scopes_list",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=50, verbose_name="OpenID Connect scope"
-                        ),
-                        blank=True,
-                        default=digid_eherkenning_oidc_generics.models.get_default_scopes_bsn,
-                        help_text="OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider",
-                        size=None,
-                        verbose_name="OpenID Connect scopes",
-                    ),
-                ),
-                (
-                    "oidc_exempt_urls",
-                    django_jsonform.models.fields.ArrayField(
-                        base_field=models.CharField(
-                            max_length=1000, verbose_name="Exempt URL"
-                        ),
-                        blank=True,
-                        default=list,
-                        help_text="This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.",
-                        size=None,
-                        verbose_name="URLs exempt from session renewal",
-                    ),
-                ),
-                (
-                    "oidc_nonce_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect nonce verification",
-                        verbose_name="Nonce size",
-                    ),
-                ),
-                (
-                    "oidc_state_size",
-                    models.PositiveIntegerField(
-                        default=32,
-                        help_text="Sets the length of the random string used for OpenID Connect state verification",
-                        verbose_name="State size",
-                    ),
-                ),
-                (
-                    "oidc_use_nonce",
-                    models.BooleanField(
-                        default=True,
-                        help_text="Controls whether the OpenID Connect client uses nonce verification",
-                        verbose_name="Use nonce",
-                    ),
-                ),
-                (
-                    "userinfo_claims_source",
-                    models.CharField(
-                        choices=[
-                            ("userinfo_endpoint", "Userinfo endpoint"),
-                            ("id_token", "ID token"),
-                        ],
-                        default="userinfo_endpoint",
-                        help_text="Indicates the source from which the user information claims should be extracted.",
-                        max_length=100,
-                        verbose_name="user information claims extracted from",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "OpenID Connect configuration for DigiD",
-            },
-            bases=(mozilla_django_oidc_db.models.CachingMixin, models.Model),
-        ),
-    ]
diff --git a/src/digid_eherkenning_oidc_generics/migrations/0002_auto_20240207_1546.py b/src/digid_eherkenning_oidc_generics/migrations/0002_auto_20240207_1546.py
deleted file mode 100644
index fa17bca23b..0000000000
--- a/src/digid_eherkenning_oidc_generics/migrations/0002_auto_20240207_1546.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Generated by Django 3.2.24 on 2024-02-07 14:46
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "digid_eherkenning_oidc_generics",
-            "0001_initial_squashed_0007_auto_20221213_1347",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="openidconnectdigidmachtigenconfig",
-            name="oidc_token_use_basic_auth",
-            field=models.BooleanField(
-                default=False,
-                help_text="If enabled, the client ID and secret are sent in the HTTP Basic auth header when obtaining the access token. Otherwise, they are sent in the request body.",
-                verbose_name="Use Basic auth for token endpoint",
-            ),
-        ),
-        migrations.AddField(
-            model_name="openidconnecteherkenningbewindvoeringconfig",
-            name="oidc_token_use_basic_auth",
-            field=models.BooleanField(
-                default=False,
-                help_text="If enabled, the client ID and secret are sent in the HTTP Basic auth header when obtaining the access token. Otherwise, they are sent in the request body.",
-                verbose_name="Use Basic auth for token endpoint",
-            ),
-        ),
-        migrations.AddField(
-            model_name="openidconnecteherkenningconfig",
-            name="oidc_token_use_basic_auth",
-            field=models.BooleanField(
-                default=False,
-                help_text="If enabled, the client ID and secret are sent in the HTTP Basic auth header when obtaining the access token. Otherwise, they are sent in the request body.",
-                verbose_name="Use Basic auth for token endpoint",
-            ),
-        ),
-        migrations.AddField(
-            model_name="openidconnectpublicconfig",
-            name="oidc_token_use_basic_auth",
-            field=models.BooleanField(
-                default=False,
-                help_text="If enabled, the client ID and secret are sent in the HTTP Basic auth header when obtaining the access token. Otherwise, they are sent in the request body.",
-                verbose_name="Use Basic auth for token endpoint",
-            ),
-        ),
-    ]
diff --git a/src/digid_eherkenning_oidc_generics/mixins.py b/src/digid_eherkenning_oidc_generics/mixins.py
deleted file mode 100644
index a6e0663f80..0000000000
--- a/src/digid_eherkenning_oidc_generics/mixins.py
+++ /dev/null
@@ -1,84 +0,0 @@
-import logging
-from copy import deepcopy
-
-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import SuspiciousOperation
-
-from glom import PathAccessError, glom
-from mozilla_django_oidc_db.mixins import SoloConfigMixin
-from mozilla_django_oidc_db.utils import obfuscate_claim_value
-
-from .models import (
-    OpenIDConnectDigiDMachtigenConfig,
-    OpenIDConnectEHerkenningBewindvoeringConfig,
-    OpenIDConnectEHerkenningConfig,
-    OpenIDConnectPublicConfig,
-)
-
-logger = logging.getLogger(__name__)
-
-
-class SoloConfigDigiDMixin(SoloConfigMixin):
-    config_class = OpenIDConnectPublicConfig
-
-
-class SoloConfigEHerkenningMixin(SoloConfigMixin):
-    config_class = OpenIDConnectEHerkenningConfig
-
-
-class SoloConfigDigiDMachtigenMixin(SoloConfigMixin):
-    config_class = OpenIDConnectDigiDMachtigenConfig
-
-
-class SoloConfigEHerkenningBewindvoeringMixin(SoloConfigMixin):
-    config_class = OpenIDConnectEHerkenningBewindvoeringConfig
-
-
-class MachtigenBackendMixin:
-    def get_or_create_user(self, access_token, id_token, payload):
-        claims_verified = self.verify_claims(payload)
-        if not claims_verified:
-            msg = "Claims verification failed"
-            raise SuspiciousOperation(msg)
-
-        self.extract_claims(payload)
-
-        user = AnonymousUser()
-        user.is_active = True
-        return user
-
-    def extract_claims(self, payload: dict) -> None:
-        self.request.session[self.session_key] = {}
-        for claim_name in self.claim_names:
-            self.request.session[self.session_key][claim_name] = glom(
-                payload, claim_name
-            )
-
-    def log_received_claims(self, claims: dict):
-        copied_claims = deepcopy(claims)
-
-        def _obfuscate_claims_values(claims_to_obfuscate: dict) -> dict:
-            for key, value in claims_to_obfuscate.items():
-                if isinstance(value, dict):
-                    _obfuscate_claims_values(value)
-                else:
-                    claims_to_obfuscate[key] = obfuscate_claim_value(value)
-            return claims_to_obfuscate
-
-        obfuscated_claims = _obfuscate_claims_values(copied_claims)
-        logger.debug("OIDC claims received: %s", obfuscated_claims)
-
-    def verify_claims(self, claims: dict) -> bool:
-        self.log_received_claims(claims)
-
-        for expected_claim in self.claim_names:
-            try:
-                glom(claims, expected_claim)
-            except PathAccessError:
-                logger.error(
-                    "`%s` not in OIDC claims, cannot proceed with eHerkenning bewindvoering authentication",
-                    expected_claim,
-                )
-                return False
-
-        return True
diff --git a/src/digid_eherkenning_oidc_generics/models.py b/src/digid_eherkenning_oidc_generics/models.py
deleted file mode 100644
index fd6abdc338..0000000000
--- a/src/digid_eherkenning_oidc_generics/models.py
+++ /dev/null
@@ -1,181 +0,0 @@
-from typing import ClassVar
-
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-from django_jsonform.models.fields import ArrayField
-from mozilla_django_oidc_db.models import CachingMixin, OpenIDConnectConfigBase
-
-from openforms.authentication.constants import AuthAttribute
-
-
-def get_default_scopes_bsn():
-    """
-    Returns the default scopes to request for OpenID Connect logins
-    """
-    return ["openid", AuthAttribute.bsn]
-
-
-def get_default_scopes_kvk():
-    """
-    Returns the default scopes to request for OpenID Connect logins
-    """
-    return ["openid", AuthAttribute.kvk]
-
-
-class OpenIDConnectBaseConfig(CachingMixin, OpenIDConnectConfigBase):
-    """
-    Configuration for DigiD authentication via OpenID connect
-    """
-
-    oidc_op_logout_endpoint = models.URLField(
-        _("Logout endpoint"),
-        max_length=1000,
-        help_text=_("URL of your OpenID Connect provider logout endpoint"),
-        blank=True,
-    )
-
-    # Keycloak specific config
-    oidc_keycloak_idp_hint = models.CharField(
-        _("Keycloak Identity Provider hint"),
-        max_length=1000,
-        help_text=_(
-            "Specific for Keycloak: parameter that indicates which identity provider "
-            "should be used (therefore skipping the Keycloak login screen)."
-        ),
-        blank=True,
-    )
-
-    class Meta:
-        verbose_name = _("OpenID Connect configuration")
-        abstract = True
-
-
-class OpenIDConnectPublicConfig(OpenIDConnectBaseConfig):
-    """
-    Configuration for DigiD authentication via OpenID connect
-    """
-
-    identifier_claim_name = models.CharField(
-        _("BSN claim name"),
-        max_length=100,
-        help_text=_("The name of the claim in which the BSN of the user is stored"),
-        default=AuthAttribute.bsn,
-    )
-    oidc_rp_scopes_list = ArrayField(
-        verbose_name=_("OpenID Connect scopes"),
-        base_field=models.CharField(_("OpenID Connect scope"), max_length=50),
-        default=get_default_scopes_bsn,
-        blank=True,
-        help_text=_(
-            "OpenID Connect scopes that are requested during login. "
-            "These scopes are hardcoded and must be supported by the identity provider"
-        ),
-    )
-
-    custom_oidc_db_prefix: ClassVar[str] = "digid_oidc"
-    oidc_authentication_callback_url: ClassVar[str] = "digid_oidc:callback"
-
-    class Meta:
-        verbose_name = _("OpenID Connect configuration for DigiD")
-
-
-class OpenIDConnectDigiDMachtigenConfig(OpenIDConnectBaseConfig):
-    vertegenwoordigde_claim_name = models.CharField(
-        verbose_name=_("vertegenwoordigde claim name"),
-        default="aanvrager.bsn",
-        max_length=50,
-        help_text=_(
-            "Name of the claim in which the BSN of the person being represented is stored"
-        ),
-    )
-    gemachtigde_claim_name = models.CharField(
-        verbose_name=_("gemachtigde claim name"),
-        default="gemachtigde.bsn",
-        max_length=50,
-        help_text=_(
-            "Name of the claim in which the BSN of the person representing someone else is stored"
-        ),
-    )
-    oidc_rp_scopes_list = ArrayField(
-        verbose_name=_("OpenID Connect scopes"),
-        base_field=models.CharField(_("OpenID Connect scope"), max_length=50),
-        default=get_default_scopes_bsn,
-        blank=True,
-        help_text=_(
-            "OpenID Connect scopes that are requested during login. "
-            "These scopes are hardcoded and must be supported by the identity provider"
-        ),
-    )
-
-    custom_oidc_db_prefix: ClassVar[str] = "digid_machtigen_oidc"
-    oidc_authentication_callback_url: ClassVar[str] = "digid_machtigen_oidc:callback"
-
-    class Meta:
-        verbose_name = _("OpenID Connect configuration for DigiD Machtigen")
-
-
-class OpenIDConnectEHerkenningConfig(OpenIDConnectBaseConfig):
-    """
-    Configuration for eHerkenning authentication via OpenID connect
-    """
-
-    identifier_claim_name = models.CharField(
-        _("KVK claim name"),
-        max_length=100,
-        help_text=_("The name of the claim in which the KVK of the user is stored"),
-        default=AuthAttribute.kvk,
-    )
-    oidc_rp_scopes_list = ArrayField(
-        verbose_name=_("OpenID Connect scopes"),
-        base_field=models.CharField(_("OpenID Connect scope"), max_length=50),
-        default=get_default_scopes_kvk,
-        blank=True,
-        help_text=_(
-            "OpenID Connect scopes that are requested during login. "
-            "These scopes are hardcoded and must be supported by the identity provider"
-        ),
-    )
-
-    custom_oidc_db_prefix: ClassVar[str] = "eherkenning_oidc"
-    oidc_authentication_callback_url: ClassVar[str] = "eherkenning_oidc:callback"
-
-    class Meta:
-        verbose_name = _("OpenID Connect configuration for eHerkenning")
-
-
-class OpenIDConnectEHerkenningBewindvoeringConfig(OpenIDConnectBaseConfig):
-    vertegenwoordigde_company_claim_name = models.CharField(
-        verbose_name=_("vertegenwoordigde company claim name"),
-        default="aanvrager.kvk",
-        max_length=50,
-        help_text=_(
-            "Name of the claim in which the KVK of the company being represented is stored"
-        ),
-    )
-    gemachtigde_person_claim_name = models.CharField(
-        verbose_name=_("gemachtigde person claim name"),
-        default="gemachtigde.pseudoID",
-        max_length=50,
-        help_text=_(
-            "Name of the claim in which the ID of the person representing a company is stored"
-        ),
-    )
-    oidc_rp_scopes_list = ArrayField(
-        verbose_name=_("OpenID Connect scopes"),
-        base_field=models.CharField(_("OpenID Connect scope"), max_length=50),
-        default=get_default_scopes_bsn,
-        blank=True,
-        help_text=_(
-            "OpenID Connect scopes that are requested during login. "
-            "These scopes are hardcoded and must be supported by the identity provider"
-        ),
-    )
-
-    custom_oidc_db_prefix: ClassVar[str] = "eherkenning_bewindvoering_oidc"
-    oidc_authentication_callback_url: ClassVar[str] = (
-        "eherkenning_bewindvoering_oidc:callback"
-    )
-
-    class Meta:
-        verbose_name = _("OpenID Connect configuration for eHerkenning Bewindvoering")
diff --git a/src/digid_eherkenning_oidc_generics/utils.py b/src/digid_eherkenning_oidc_generics/utils.py
deleted file mode 100644
index 7618e75ad6..0000000000
--- a/src/digid_eherkenning_oidc_generics/utils.py
+++ /dev/null
@@ -1,22 +0,0 @@
-from typing import Any
-
-from mozilla_django_oidc.utils import import_from_settings
-
-from .models import OpenIDConnectBaseConfig
-
-
-def get_setting_from_config(config: OpenIDConnectBaseConfig, attr: str, *args) -> Any:
-    """
-    Look up a setting from the config record or fall back to Django settings.
-
-    TODO: port this into mozilla_django_oidc_db.
-    """
-    attr_lowercase = attr.lower()
-    if hasattr(config, attr_lowercase):
-        # Workaround for OIDC_RP_IDP_SIGN_KEY being an empty string by default.
-        # mozilla-django-oidc explicitly checks if `OIDC_RP_IDP_SIGN_KEY` is not `None`
-        # https://github.com/mozilla/mozilla-django-oidc/blob/master/mozilla_django_oidc/auth.py#L189
-        if (value_from_config := getattr(config, attr_lowercase)) == "":
-            return None
-        return value_from_config
-    return import_from_settings(attr, *args)
diff --git a/src/digid_eherkenning_oidc_generics/views.py b/src/digid_eherkenning_oidc_generics/views.py
deleted file mode 100644
index 4f04c2cc61..0000000000
--- a/src/digid_eherkenning_oidc_generics/views.py
+++ /dev/null
@@ -1,234 +0,0 @@
-import logging
-import time
-from typing import Generic, TypeVar, cast
-
-from django.contrib import auth
-from django.core.exceptions import DisallowedRedirect, SuspiciousOperation
-from django.http import HttpRequest, HttpResponseRedirect
-from django.utils.http import url_has_allowed_host_and_scheme
-
-import requests
-from mozilla_django_oidc.views import (
-    OIDCAuthenticationCallbackView as _OIDCAuthenticationCallbackView,
-    OIDCAuthenticationRequestView as _OIDCAuthenticationRequestView,
-)
-
-from .exceptions import OIDCProviderOutage
-from .models import (
-    OpenIDConnectBaseConfig,
-    OpenIDConnectDigiDMachtigenConfig,
-    OpenIDConnectEHerkenningBewindvoeringConfig,
-    OpenIDConnectEHerkenningConfig,
-    OpenIDConnectPublicConfig,
-)
-from .utils import get_setting_from_config
-
-logger = logging.getLogger(__name__)
-
-T = TypeVar("T", bound=OpenIDConnectBaseConfig)
-
-
-class OIDCInit(Generic[T], _OIDCAuthenticationRequestView):
-    """
-    A 'view' to start an OIDC authentication flow.
-
-    This view class is parametrized with the config model/class to retrieve the
-    specific configuration, such as the identity provider endpoint to redirect the
-    user to.
-
-    This view is not necessarily meant to be exposed directly via a URL pattern, but
-    rather specific views are to be created from it, e.g.:
-
-    .. code-block:: python
-
-        >>> digid_init = OIDCInit.as_view(config_class=OpenIDConnectPublicConfig)
-        >>> redirect_response = digid_init(request)
-        # Redirect to some keycloak instance, for example.
-
-    These concrete views are intended to be wrapped by your own views so that you can
-    supply the ``return_url`` parameter:
-
-    .. code-block:: python
-
-        def my_digid_login(request):
-            return digid_init(request, return_url=request.GET["next"])
-
-    Compared to :class:`mozilla_django_oidc.views.OIDCAuthenticationRequestView`, some
-    extra actions are performed:
-
-    * Any Keycloak IdP hint is added, if configured
-    * The ``return_url`` is validated against unsafe redirects
-    * The availability of the identity provider endpoint is checked, if it's not
-      available, the :class:`digid_eherkenning_oidc_generics.exceptions.OIDCProviderOutage`
-      exception is raised. Note that your own code needs to handle this appropriately!
-    """
-
-    config_class: type[OpenIDConnectBaseConfig] = OpenIDConnectBaseConfig
-    _config: T
-    """
-    The config model/class to get the endpoints/credentials from.
-
-    Specify this as a kwarg in the ``as_view(config_class=...)`` class method.
-    """
-
-    def get_settings(self, attr, *args):  # type: ignore
-        if (config := getattr(self, "_config", None)) is None:
-            # django-solo and type checking is challenging, but a new release is on the
-            # way and should fix that :fingers_crossed:
-            config = cast(T, self.config_class.get_solo())
-            self._config = config
-        return get_setting_from_config(config, attr, *args)
-
-    def get(
-        self, request: HttpRequest, return_url: str = "", *args, **kwargs
-    ) -> HttpResponseRedirect:
-        if not return_url:
-            raise ValueError("You must pass a return URL")
-
-        url_is_safe = url_has_allowed_host_and_scheme(
-            url=return_url,
-            allowed_hosts=request.get_host(),
-            require_https=request.is_secure(),
-        )
-        if not url_is_safe:
-            raise DisallowedRedirect(f"Can't redirect to '{return_url}'")
-
-        self._check_idp_availability()
-
-        # We add our own key to keep track of the redirect URL. In the case of
-        # authentication failure (or canceled logins), the session is cleared by the
-        # upstream library, so in the callback view we store this URL so that we know
-        # where to redirect with the error information.
-        self.request.session["of_redirect_next"] = return_url
-
-        response = super().get(request, *args, **kwargs)
-
-        # mozilla-django-oidc grabs this from request.GET and since that is not mutable,
-        # it's easiest to just override the session key with the correct value.
-        request.session["oidc_login_next"] = return_url
-
-        return response
-
-    def _check_idp_availability(self) -> None:
-        endpoint = self.OIDC_OP_AUTH_ENDPOINT
-        try:
-            # Verify that the identity provider endpoint can be reached. This is where
-            # the user ultimately gets redirected to.
-            response = requests.get(endpoint)
-            if response.status_code > 400:
-                response.raise_for_status()
-        except requests.RequestException as exc:
-            logger.info(
-                "OIDC provider endpoint '%s' could not be retrieved",
-                endpoint,
-                exc_info=exc,
-            )
-            raise OIDCProviderOutage() from exc
-
-    def get_extra_params(self, request: HttpRequest) -> dict[str, str]:
-        """
-        Add a keycloak identity provider hint if configured.
-        """
-        extra = super().get_extra_params(request)
-        options = self.config_class._meta
-        # Store which config class to use in the params so that the callback view can
-        # extract this again.
-        # TODO: verify this cannot be tampered with!
-        extra["config"] = f"{options.app_label}.{options.object_name}"
-        if kc_idp_hint := self.get_settings("OIDC_KEYCLOAK_IDP_HINT", ""):
-            extra["kc_idp_hint"] = kc_idp_hint
-        return extra
-
-
-digid_init = OIDCInit.as_view(config_class=OpenIDConnectPublicConfig)
-digid_machtigen_init = OIDCInit.as_view(config_class=OpenIDConnectDigiDMachtigenConfig)
-eherkenning_init = OIDCInit.as_view(config_class=OpenIDConnectEHerkenningConfig)
-eherkenning_bewindvoering_init = OIDCInit.as_view(
-    config_class=OpenIDConnectEHerkenningBewindvoeringConfig
-)
-
-
-class OIDCAuthenticationCallbackView(_OIDCAuthenticationCallbackView):
-    auth_backend_class = None
-
-    def get(self, request):
-        """
-        Callback handler for OIDC authorization code flow
-
-        Copied from mozilla-django-oidc but modified to directly authenticate using
-        the configured backend class, instead of using Django's default authentication
-        mechanism. This removes the need to include these backends in `settings.AUTHENTICATION_BACKENDS`
-        """
-
-        if request.GET.get("error"):
-            # Ouch! Something important failed.
-
-            # Delete the state entry also for failed authentication attempts
-            # to prevent replay attacks.
-            if (
-                "state" in request.GET
-                and "oidc_states" in request.session
-                and request.GET["state"] in request.session["oidc_states"]
-            ):  # pragma: no cover
-                del request.session["oidc_states"][request.GET["state"]]
-                request.session.save()
-
-            # Make sure the user doesn't get to continue to be logged in
-            # otherwise the refresh middleware will force the user to
-            # redirect to authorize again if the session refresh has
-            # expired.
-            if request.user.is_authenticated:
-                auth.logout(request)
-            assert not request.user.is_authenticated
-        elif "code" in request.GET and "state" in request.GET:
-
-            # Check instead of "oidc_state" check if the "oidc_states" session key exists!
-            if "oidc_states" not in request.session:
-                return self.login_failure()
-
-            # State and Nonce are stored in the session "oidc_states" dictionary.
-            # State is the key, the value is a dictionary with the Nonce in the "nonce" field.
-            state = request.GET.get("state")
-            if state not in request.session["oidc_states"]:
-                msg = "OIDC callback state not found in session `oidc_states`!"
-                raise SuspiciousOperation(msg)
-
-            # Get the nonce from the dictionary for further processing and delete the entry to
-            # prevent replay attacks.
-            nonce = request.session["oidc_states"][state]["nonce"]
-            del request.session["oidc_states"][state]
-
-            # Authenticating is slow, so save the updated oidc_states.
-            request.session.save()
-            # Reset the session. This forces the session to get reloaded from the database after
-            # fetching the token from the OpenID connect provider.
-            # Without this step we would overwrite items that are being added/removed from the
-            # session in parallel browser tabs.
-            request.session = request.session.__class__(request.session.session_key)
-
-            kwargs = {
-                "request": request,
-                "nonce": nonce,
-            }
-            self.user = self.auth_backend_class().authenticate(**kwargs)
-
-            if self.user and self.user.is_active:
-                return self.login_success()
-        return self.login_failure()
-
-    def login_success(self):
-        """
-        Overridden to not actually log the user in, since setting the BSN in
-        the session variables is all that matters
-        """
-
-        # Figure out when this id_token will expire. This is ignored unless you're
-        # using the RenewIDToken middleware.
-        expiration_interval = self.get_settings(
-            "OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS", 60 * 15
-        )
-        self.request.session["oidc_id_token_expiration"] = (
-            time.time() + expiration_interval
-        )
-
-        return HttpResponseRedirect(self.success_url)
diff --git a/src/openapi.yaml b/src/openapi.yaml
index 662ae294e8..0ca54a7074 100644
--- a/src/openapi.yaml
+++ b/src/openapi.yaml
@@ -5944,6 +5944,7 @@ paths:
           format: uuid
         description: UUID of the submission for which this co-sign authentication
           applies. Presence of this parameter marks a flow as a co-sign flow.
+        deprecated: true
       - in: query
         name: next
         schema:
@@ -6688,23 +6689,23 @@ components:
       - supportsLoaOverride
     AuthenticationBackendsEnum:
       enum:
-      - digid
-      - eherkenning
-      - eidas
       - digid_oidc
       - eherkenning_oidc
       - digid_machtigen_oidc
       - eherkenning_bewindvoering_oidc
+      - digid
+      - eherkenning
+      - eidas
       - org-oidc
       type: string
       description: |-
-        * `digid` - DigiD
-        * `eherkenning` - eHerkenning
-        * `eidas` - eIDAS
         * `digid_oidc` - DigiD
         * `eherkenning_oidc` - eHerkenning
         * `digid_machtigen_oidc` - DigiD Machtigen
         * `eherkenning_bewindvoering_oidc` - eHerkenning bewindvoering
+        * `digid` - DigiD
+        * `eherkenning` - eHerkenning
+        * `eidas` - eIDAS
         * `org-oidc` - OpenID Connect
     AvailableLanguagesEnum:
       enum:
diff --git a/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_duplicate_email_unique_constraint_violated.yaml b/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_duplicate_email_unique_constraint_violated.yaml
new file mode 100644
index 0000000000..7e17f9983a
--- /dev/null
+++ b/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_duplicate_email_unique_constraint_violated.yaml
@@ -0,0 +1,314 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Foidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"80550c25-22d6-4bb2-a71d-e68871660572\",\n
+        \             \"njHHLHoRZCM\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=njHHLHoRZCM&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=UU9D4914-4iH6bseaNMSaQ49wYLob8gcmyMj9wwMJSk&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=njHHLHoRZCM\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=80550c25-22d6-4bb2-a71d-e68871660572; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=80550c25-22d6-4bb2-a71d-e68871660572; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.f7ZABGR0O48xm61gDKLOR_LjWH9a59wtTbGXUfm78sI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=80550c25-22d6-4bb2-a71d-e68871660572; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.f7ZABGR0O48xm61gDKLOR_LjWH9a59wtTbGXUfm78sI
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=UU9D4914-4iH6bseaNMSaQ49wYLob8gcmyMj9wwMJSk&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=njHHLHoRZCM
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/oidc/callback/?state=not-a-random-string&session_state=80550c25-22d6-4bb2-a71d-e68871660572&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=c6a91978-ab00-402a-b550-a016b9fad38c.80550c25-22d6-4bb2-a71d-e68871660572.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY1MDUwMzQsImlhdCI6MTcxNjQ2OTAzNCwianRpIjoiYzc1ODY1NGMtNWZjZC00ZTNiLWEyYmUtODE0MWEzZGJjZTlhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJzaWQiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJzdGF0ZV9jaGVja2VyIjoiVmN6Q0kwc052TWtRSHllV0JaNUFwek5hbVRTUHVlR24tbVFTcVZXT0s0OCJ9.TH48pGwttPAwdBUmgOtOuDSb6nRq4ak94xzgIGjNakE;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY1MDUwMzQsImlhdCI6MTcxNjQ2OTAzNCwianRpIjoiYzc1ODY1NGMtNWZjZC00ZTNiLWEyYmUtODE0MWEzZGJjZTlhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJzaWQiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJzdGF0ZV9jaGVja2VyIjoiVmN6Q0kwc052TWtRSHllV0JaNUFwek5hbVRTUHVlR24tbVFTcVZXT0s0OCJ9.TH48pGwttPAwdBUmgOtOuDSb6nRq4ak94xzgIGjNakE;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/80550c25-22d6-4bb2-a71d-e68871660572;
+        Version=1; Expires=Thu, 23-May-2024 22:57:14 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/80550c25-22d6-4bb2-a71d-e68871660572;
+        Version=1; Expires=Thu, 23-May-2024 22:57:14 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=c6a91978-ab00-402a-b550-a016b9fad38c.80550c25-22d6-4bb2-a71d-e68871660572.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Foidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '267'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM0LCJqdGkiOiJkY2JmNTk0YS0yMzhiLTQ4N2UtYTBmYy1jYzZjMzk0YjY0OTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjgwNTUwYzI1LTIyZDYtNGJiMi1hNzFkLWU2ODg3MTY2MDU3MiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiODA1NTBjMjUtMjJkNi00YmIyLWE3MWQtZTY4ODcxNjYwNTcyIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.mz47DGdw3hGnXQkfpWtyx2fw1RxbWaF8QghtY0R1ncNYX85N-PpQwpHsD-DPV3pylJbjMRcx6ZFXw_7ji87y7yV2mV7R7ILuIbwb4vIHQsW6wLiNXLMXNdl4SyIRO5XQRCkPCtREzvhBfiZ5YD8nDPB-g21Cbhd63lk3WNM2OQ3tq1zT6jVqWIlxKhbyDMyqDPRRDh6EdY-yeDLSd1nCjE8aXxGZVaHezwA3nU1pEmJNb2XzJL4a1tte4yDRQmAyH6bDvKVBT_5Y2_jBC30TiHVr8zIV6HQN_glTqSRnI3gAP-M_Y5VAfAxRhGYxMRvJmABoO47Hnf8QJD9pOEnAkg","expires_in":300,"refresh_expires_in":1799,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NzA4MzQsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiYzc4MWI1ZDAtZGNhNi00YzhiLWE5ZmQtMzA5MjU2ZGEzNGYwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIifQ.VAo16SvWvp_LeqVHWYVhB4FGMaGMy_-JQJwpQU5Sa48","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM0LCJqdGkiOiJiZWZlNDVjMC0wZTZmLTQyNTMtYTExMi00ZDdiNmZhN2ZjZTMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJhdF9oYXNoIjoiQ0UwQlhMZmNTU1I3NEQxZi1ZRENIZyIsImFjciI6IjEiLCJzaWQiOiI4MDU1MGMyNS0yMmQ2LTRiYjItYTcxZC1lNjg4NzE2NjA1NzIiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIn0.v_usY-Pdo9N6TWfQwiSAfXggmfM6cv-lmDO7H8aHoC8XEYrc1AG4vGpR7uxZO5oInGdxInUlZmwJTmZ3ElhNsZ-rtzMRyH2kVB7Rzwp3nOfs8Qk7if2VSV_zTm_0hYxd4B9JTQ1iiQC9IjGEuwl1SsMDSaP62sFDrfPaKQ4-ivGpc1QziWtflnQx_DquJj6DrNBaNJ825D-t0zm5fdUqQPlhiEYywzJldB-HQiwwZF3AeMnBTvqV4G4OPgv4QjHo-58Y4WSEiQqXRtlWay400jxAeDRLqWn8Qu1F8x97dPIPAkkgWVxdVAu---3AIN1EUy_anP75JIVUEISk4B_itQ","not-before-policy":0,"session_state":"80550c25-22d6-4bb2-a71d-e68871660572","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3443'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM0LCJqdGkiOiJkY2JmNTk0YS0yMzhiLTQ4N2UtYTBmYy1jYzZjMzk0YjY0OTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjgwNTUwYzI1LTIyZDYtNGJiMi1hNzFkLWU2ODg3MTY2MDU3MiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiODA1NTBjMjUtMjJkNi00YmIyLWE3MWQtZTY4ODcxNjYwNTcyIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.mz47DGdw3hGnXQkfpWtyx2fw1RxbWaF8QghtY0R1ncNYX85N-PpQwpHsD-DPV3pylJbjMRcx6ZFXw_7ji87y7yV2mV7R7ILuIbwb4vIHQsW6wLiNXLMXNdl4SyIRO5XQRCkPCtREzvhBfiZ5YD8nDPB-g21Cbhd63lk3WNM2OQ3tq1zT6jVqWIlxKhbyDMyqDPRRDh6EdY-yeDLSd1nCjE8aXxGZVaHezwA3nU1pEmJNb2XzJL4a1tte4yDRQmAyH6bDvKVBT_5Y2_jBC30TiHVr8zIV6HQN_glTqSRnI3gAP-M_Y5VAfAxRhGYxMRvJmABoO47Hnf8QJD9pOEnAkg
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIn0.JOw15ll6KCKOWcVDnth2wlYiF9XhBH7rtbWbN6cJjrk2iRH4MN0LbIRY7JLUpyXZv10aYqMa4pOKZK1TEEMdam1fDn58tUDpckq8EcGVo3XAWM737C64oL8a1ivhWIG37TPpgJyPlJL31lJ4WPGxVf-xSlCTRaZ0rqHI4FoqOrzrjnbwZg6crYagA8Zp4zzqVFEQ312VTxXVkIcsrw7pl5k29Ip0AhNXaB1VBTUTj4arUpfaM7ncewiKc7nVij87WeoziG-HaBTvCrTN7JMwBDrNvvsAOmht1P3g9lHu_XbpP9jahA73ecMXef1cV2txB-W80HNC-X2OXuz6cIrsiw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow.yaml b/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow.yaml
new file mode 100644
index 0000000000..88a90bfdcf
--- /dev/null
+++ b/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow.yaml
@@ -0,0 +1,314 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Foidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"c3b5b1f2-4bf9-488b-bed6-1edee3734d1f\",\n
+        \             \"sIbVnUOdrgo\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=sIbVnUOdrgo&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=IMfjw269h3bzNCjsFUxMyAlhX78DMgf_2isleVcw9sA&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=sIbVnUOdrgo\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=c3b5b1f2-4bf9-488b-bed6-1edee3734d1f; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=c3b5b1f2-4bf9-488b-bed6-1edee3734d1f; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.f7ZABGR0O48xm61gDKLOR_LjWH9a59wtTbGXUfm78sI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=c3b5b1f2-4bf9-488b-bed6-1edee3734d1f; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.f7ZABGR0O48xm61gDKLOR_LjWH9a59wtTbGXUfm78sI
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=IMfjw269h3bzNCjsFUxMyAlhX78DMgf_2isleVcw9sA&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=sIbVnUOdrgo
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/oidc/callback/?state=not-a-random-string&session_state=c3b5b1f2-4bf9-488b-bed6-1edee3734d1f&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=ca5a69c2-2883-4087-ab83-9ac459cc12fa.c3b5b1f2-4bf9-488b-bed6-1edee3734d1f.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY1MDUwMzUsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiYmVlN2U3ZDAtY2E1ZS00YjQ1LWE4MzktZjQzZmJkZmI2NzUwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJzaWQiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJzdGF0ZV9jaGVja2VyIjoiMXBJYllqSUVPbzBvWjBOLUtEWTlJRzcwckpqQlUyMnlGTXNIelNQV21uayJ9.qVE1dwuXYAQCG3v3Wdu153Em7PDadb-p8ZQpias8JeI;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY1MDUwMzUsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiYmVlN2U3ZDAtY2E1ZS00YjQ1LWE4MzktZjQzZmJkZmI2NzUwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJzaWQiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJzdGF0ZV9jaGVja2VyIjoiMXBJYllqSUVPbzBvWjBOLUtEWTlJRzcwckpqQlUyMnlGTXNIelNQV21uayJ9.qVE1dwuXYAQCG3v3Wdu153Em7PDadb-p8ZQpias8JeI;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/c3b5b1f2-4bf9-488b-bed6-1edee3734d1f;
+        Version=1; Expires=Thu, 23-May-2024 22:57:15 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/c3b5b1f2-4bf9-488b-bed6-1edee3734d1f;
+        Version=1; Expires=Thu, 23-May-2024 22:57:15 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=ca5a69c2-2883-4087-ab83-9ac459cc12fa.c3b5b1f2-4bf9-488b-bed6-1edee3734d1f.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Foidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '267'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM1LCJqdGkiOiI1MTg2YzFhNC1hNDljLTRjZGMtYWYxMS01ZTFlNTRmNjA5ZjIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImMzYjViMWYyLTRiZjktNDg4Yi1iZWQ2LTFlZGVlMzczNGQxZiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYzNiNWIxZjItNGJmOS00ODhiLWJlZDYtMWVkZWUzNzM0ZDFmIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.davFz7HL1a1DMJIoN0afUno2D0fNZGuhnvbTvbLjiidy1psJYQ10kQ1fN7BJ3SjmjmWwNNfwYvao9X5LCo__6mx8Hve_aVZe_qayDO2NvC5pd74zsDvw4K4eg7BJzGz8mmXhz990LzuxiEpmMAArLxA3oPFdUYREq7hLi5DOPWVS9VvHO8IOFlgGxaY544Ne9YYYyPYBNfXM2Opax9vIjuHwbc-Wj0BOHV9qTOKlO9zP58OYGbl-loeVa4VIAKMsQd1e5o-atcfFg5FqmNSuPOCq65aPvz8kKFCagGi-ATLpqDE35kz3WohuGDmPXBLuoPla9wZdGPksyA0ZaXxynQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NzA4MzUsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiYTY4NzE2NjctNTRiNi00NTRiLWFkZWQtYWE4NDZmY2UxNTA5IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYifQ.96vrmyT9wEbfoRnFY-sM18qd7TqyRKesnw6gkyTFZhU","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM1LCJqdGkiOiI3ZjQ4ZTE4Zi0wZWJmLTQwNDEtYjZkYS0wMjg5ZjUzZjM0OGYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJhdF9oYXNoIjoiN210NmF3RzB0VDdNR0dyU0pIZG5XZyIsImFjciI6IjEiLCJzaWQiOiJjM2I1YjFmMi00YmY5LTQ4OGItYmVkNi0xZWRlZTM3MzRkMWYiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIn0.mfCuzUmfNqMFbIgtYbBkjxd8Q-ncxUIpuRChVnKB4M97THc5aev4G4-VhOgSdpbruxwGFNuxiCQ0MmrdsNepq9E9WFHlZsoFEmmaw5dDTYFWtxqdM1tmdKSzHoTEwm10QHiOTvF_CYJJ2ubv48SjG3_1wm7k0OmrjrZ0bzOYWmsHtSJDbnNuhveFjJp9lHgJmWA8fZma9b6YkUuEvsEz8MsCUqHHv4ws-2yybgfmWxggi_sB75Hs24NMRpPJtwSJnSVNfd3YV4fbv0f-G2uPtWBr7IKJ9fQ6Hx9YIdUk5r3AgkBWvKn6YOGG2I8CnW9zOQdWO4gJVjzrQxOV7A62PA","not-before-policy":0,"session_state":"c3b5b1f2-4bf9-488b-bed6-1edee3734d1f","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3443'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM1LCJqdGkiOiI1MTg2YzFhNC1hNDljLTRjZGMtYWYxMS01ZTFlNTRmNjA5ZjIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImMzYjViMWYyLTRiZjktNDg4Yi1iZWQ2LTFlZGVlMzczNGQxZiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYzNiNWIxZjItNGJmOS00ODhiLWJlZDYtMWVkZWUzNzM0ZDFmIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.davFz7HL1a1DMJIoN0afUno2D0fNZGuhnvbTvbLjiidy1psJYQ10kQ1fN7BJ3SjmjmWwNNfwYvao9X5LCo__6mx8Hve_aVZe_qayDO2NvC5pd74zsDvw4K4eg7BJzGz8mmXhz990LzuxiEpmMAArLxA3oPFdUYREq7hLi5DOPWVS9VvHO8IOFlgGxaY544Ne9YYYyPYBNfXM2Opax9vIjuHwbc-Wj0BOHV9qTOKlO9zP58OYGbl-loeVa4VIAKMsQd1e5o-atcfFg5FqmNSuPOCq65aPvz8kKFCagGi-ATLpqDE35kz3WohuGDmPXBLuoPla9wZdGPksyA0ZaXxynQ
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIn0.JOw15ll6KCKOWcVDnth2wlYiF9XhBH7rtbWbN6cJjrk2iRH4MN0LbIRY7JLUpyXZv10aYqMa4pOKZK1TEEMdam1fDn58tUDpckq8EcGVo3XAWM737C64oL8a1ivhWIG37TPpgJyPlJL31lJ4WPGxVf-xSlCTRaZ0rqHI4FoqOrzrjnbwZg6crYagA8Zp4zzqVFEQ312VTxXVkIcsrw7pl5k29Ip0AhNXaB1VBTUTj4arUpfaM7ncewiKc7nVij87WeoziG-HaBTvCrTN7JMwBDrNvvsAOmht1P3g9lHu_XbpP9jahA73ecMXef1cV2txB-W80HNC-X2OXuz6cIrsiw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow_existing_user.yaml b/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow_existing_user.yaml
new file mode 100644
index 0000000000..419c1e7973
--- /dev/null
+++ b/src/openforms/accounts/tests/data/vcr_cassettes/OIDCFLowTests/OIDCFLowTests.test_happy_flow_existing_user.yaml
@@ -0,0 +1,314 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Foidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"375f1de6-f279-462d-ad03-5e520bb5ec8d\",\n
+        \             \"VEhr-Z2xFvY\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=VEhr-Z2xFvY&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=6QihpIOuTNlojr95BaoT04YSO6icbaaM2EMKzNWrujE&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=VEhr-Z2xFvY\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=375f1de6-f279-462d-ad03-5e520bb5ec8d; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=375f1de6-f279-462d-ad03-5e520bb5ec8d; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.f7ZABGR0O48xm61gDKLOR_LjWH9a59wtTbGXUfm78sI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=375f1de6-f279-462d-ad03-5e520bb5ec8d; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.f7ZABGR0O48xm61gDKLOR_LjWH9a59wtTbGXUfm78sI
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=6QihpIOuTNlojr95BaoT04YSO6icbaaM2EMKzNWrujE&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=VEhr-Z2xFvY
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/oidc/callback/?state=not-a-random-string&session_state=375f1de6-f279-462d-ad03-5e520bb5ec8d&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=8e9e69e9-105e-414e-8ea3-7bf661026e73.375f1de6-f279-462d-ad03-5e520bb5ec8d.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY1MDUwMzUsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiODcyMWI4MDEtYjMwNC00NjZkLTkzODYtZWM4NTdjOGE5Yzg4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJzaWQiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJzdGF0ZV9jaGVja2VyIjoibGE4Sms0UXFmUTRsZEFfMUEzYXV6eW00WHlGcUVGMXl3eXNfYjVDaFl4YyJ9.hNeVYblFwRFrka1HCwk76UKGaYrCuTXHUnxoZ6xgMhQ;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY1MDUwMzUsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiODcyMWI4MDEtYjMwNC00NjZkLTkzODYtZWM4NTdjOGE5Yzg4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJzaWQiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJzdGF0ZV9jaGVja2VyIjoibGE4Sms0UXFmUTRsZEFfMUEzYXV6eW00WHlGcUVGMXl3eXNfYjVDaFl4YyJ9.hNeVYblFwRFrka1HCwk76UKGaYrCuTXHUnxoZ6xgMhQ;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/375f1de6-f279-462d-ad03-5e520bb5ec8d;
+        Version=1; Expires=Thu, 23-May-2024 22:57:15 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/375f1de6-f279-462d-ad03-5e520bb5ec8d;
+        Version=1; Expires=Thu, 23-May-2024 22:57:15 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=8e9e69e9-105e-414e-8ea3-7bf661026e73.375f1de6-f279-462d-ad03-5e520bb5ec8d.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Foidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '267'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM1LCJqdGkiOiJlMDhmYzg2Zi00ODAzLTQwNjktYjY3Ni0xYjVkOTMxNWRhOTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjM3NWYxZGU2LWYyNzktNDYyZC1hZDAzLTVlNTIwYmI1ZWM4ZCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiMzc1ZjFkZTYtZjI3OS00NjJkLWFkMDMtNWU1MjBiYjVlYzhkIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.JEWLm0cX6uCrs7BQ4DVPrHvR9HwteuO__BiP2-lppc04HQisf2ehz--RAy1RYfcalXn2Ksk-wHR_LtlrOmnVYRF2Fd6kjv5T16irxYlmxhxFi8eb15-s-EtE8D3dITHl9LUOQnYFimYHqP5oA_UZf80664_lJ18Bv0gUSEcV7ugbS1ifrhJLiQfwv2wnHLOI2As80Fuf_XVl8LrzQyvATieK_dV51qoe0_tsySoq7X37LmapV0RNiQOtbspQtsTBO_gFtCXR4eOTmqYCyHE1P2hS3edmcWGCJlxsV6zWK3ZxYA2yXjZglleL1ELFhYC3uipaxRMW5Ohx24s1Tk3NVg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NzA4MzUsImlhdCI6MTcxNjQ2OTAzNSwianRpIjoiODRjZmRmNzYtOWFhNC00MGZhLThjYzEtOGI3ZDAzYjBjYWFiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQifQ.orsrRmVbPg1KI8L96i4JLn-cjSQdwoPKAfO30k-DqmY","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM1LCJqdGkiOiJkNTg3OGVkOS04MDFmLTRlNzUtYWVkNC0wYjE2NTc1NmE2NjYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJhdF9oYXNoIjoiR1B0dExxOUNXcjVhcTNhMU1vQ3kxdyIsImFjciI6IjEiLCJzaWQiOiIzNzVmMWRlNi1mMjc5LTQ2MmQtYWQwMy01ZTUyMGJiNWVjOGQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIn0.TkfKFZ5oWfVuYvi_DB6td3IZyDi3Hu1YuPRqXA-tlhKSVypLzM0UUT0aCOnQjtkbNmjdmpLCKOSMv3jjFlxlIRlw_tN66Yq71gbbuszyw6vhexOYRWXL6euSwaNXeJW9b0Vqhw0QaO7RG3o_F9UC5TCMtQX0tq09LDBgJmVlYbmWFHudfvXe6Y7AKbF93yRBnfwLZFO0TIVfSBdKo1JwrrTbIoJePqBbUmpuIJGKxkLHyrAfyyGs_1XRZf7pjMZJ48oI8KkJS-ADRhoGuHsyxXVbVQjgAYJDYcLpv98IbZj4DjgkcLj8Lawb6VxO8s11DImLjiLU6ijIZfLUR0oEyQ","not-before-policy":0,"session_state":"375f1de6-f279-462d-ad03-5e520bb5ec8d","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3443'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjkzMzUsImlhdCI6MTcxNjQ2OTAzNSwiYXV0aF90aW1lIjoxNzE2NDY5MDM1LCJqdGkiOiJlMDhmYzg2Zi00ODAzLTQwNjktYjY3Ni0xYjVkOTMxNWRhOTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjM3NWYxZGU2LWYyNzktNDYyZC1hZDAzLTVlNTIwYmI1ZWM4ZCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiMzc1ZjFkZTYtZjI3OS00NjJkLWFkMDMtNWU1MjBiYjVlYzhkIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.JEWLm0cX6uCrs7BQ4DVPrHvR9HwteuO__BiP2-lppc04HQisf2ehz--RAy1RYfcalXn2Ksk-wHR_LtlrOmnVYRF2Fd6kjv5T16irxYlmxhxFi8eb15-s-EtE8D3dITHl9LUOQnYFimYHqP5oA_UZf80664_lJ18Bv0gUSEcV7ugbS1ifrhJLiQfwv2wnHLOI2As80Fuf_XVl8LrzQyvATieK_dV51qoe0_tsySoq7X37LmapV0RNiQOtbspQtsTBO_gFtCXR4eOTmqYCyHE1P2hS3edmcWGCJlxsV6zWK3ZxYA2yXjZglleL1ELFhYC3uipaxRMW5Ohx24s1Tk3NVg
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIn0.JOw15ll6KCKOWcVDnth2wlYiF9XhBH7rtbWbN6cJjrk2iRH4MN0LbIRY7JLUpyXZv10aYqMa4pOKZK1TEEMdam1fDn58tUDpckq8EcGVo3XAWM737C64oL8a1ivhWIG37TPpgJyPlJL31lJ4WPGxVf-xSlCTRaZ0rqHI4FoqOrzrjnbwZg6crYagA8Zp4zzqVFEQ312VTxXVkIcsrw7pl5k29Ip0AhNXaB1VBTUTj4arUpfaM7ncewiKc7nVij87WeoziG-HaBTvCrTN7JMwBDrNvvsAOmht1P3g9lHu_XbpP9jahA73ecMXef1cV2txB-W80HNC-X2OXuz6cIrsiw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/accounts/tests/test_oidc.py b/src/openforms/accounts/tests/test_oidc.py
index a47b5d4994..439509bf11 100644
--- a/src/openforms/accounts/tests/test_oidc.py
+++ b/src/openforms/accounts/tests/test_oidc.py
@@ -1,22 +1,33 @@
-from unittest.mock import patch
+from functools import partial
+from pathlib import Path
 
-from django.test import TestCase
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
 from django_webtest import WebTest
-from mozilla_django_oidc_db.models import OpenIDConnectConfig
+
+from openforms.utils.tests.keycloak import keycloak_login, mock_oidc_db_config
+from openforms.utils.tests.vcr import OFVCRMixin
 
 from ..models import User
 from .factories import StaffUserFactory
 
+TEST_FILES = (Path(__file__).parent / "data").resolve()
+
+
+mock_admin_oidc_config = partial(
+    mock_oidc_db_config,
+    app_label="mozilla_django_oidc_db",
+    model="OpenIDConnectConfig",
+    id=1,  # required for the group queries because we're using in-memory objects
+    make_users_staff=True,
+    username_claim=["preferred_username"],
+)
+
 
 class OIDCLoginButtonTestCase(WebTest):
-    @patch(
-        "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(enabled=False),
-    )
-    def test_oidc_button_disabled(self, mock_get_solo):
+    @mock_admin_oidc_config(enabled=False)
+    def test_oidc_button_disabled(self):
         response = self.app.get(reverse("admin-mfa-login"))
 
         oidc_login_link = response.html.find(
@@ -25,17 +36,8 @@ def test_oidc_button_disabled(self, mock_get_solo):
         # Verify that the login button is not visible
         self.assertIsNone(oidc_login_link)
 
-    @patch(
-        "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(
-            enabled=True,
-            oidc_op_token_endpoint="https://some.endpoint.nl/",
-            oidc_op_user_endpoint="https://some.endpoint.nl/",
-            oidc_rp_client_id="id",
-            oidc_rp_client_secret="secret",
-        ),
-    )
-    def test_oidc_button_enabled(self, mock_get_solo):
+    @mock_admin_oidc_config(enabled=True)
+    def test_oidc_button_enabled(self):
         response = self.app.get(reverse("admin-mfa-login"))
 
         oidc_login_link = response.html.find(
@@ -48,160 +50,88 @@ def test_oidc_button_enabled(self, mock_get_solo):
         )
 
 
-class OIDCFLowTests(TestCase):
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_userinfo")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.store_tokens")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.verify_token")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_token")
-    @patch(
-        "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(id=1, enabled=True),
-    )
-    def test_duplicate_email_unique_constraint_violated(
-        self,
-        mock_get_solo,
-        mock_get_token,
-        mock_verify_token,
-        mock_store_tokens,
-        mock_get_userinfo,
-    ):
+class OIDCFLowTests(OFVCRMixin, WebTest):
+    VCR_TEST_FILES = TEST_FILES
+
+    @mock_admin_oidc_config()
+    def test_duplicate_email_unique_constraint_violated(self):
         """
         Assert that duplicate email addresses result in usable user feedback.
 
         Regression test for #1199
         """
-        # set up a user with a colliding email address
-        mock_get_userinfo.return_value = {
-            "email": "collision@example.com",
-            "sub": "some_username",
-        }
-        StaffUserFactory.create(
-            username="nonmatchingusername", email="collision@example.com"
+        # this user collides on the email address
+        staff_user = StaffUserFactory.create(
+            username="no-match", email="admin@example.com"
         )
-        session = self.client.session
-        session["oidc_states"] = {"mock": {"nonce": "nonce"}}
-        session.save()
-        callback_url = reverse("oidc_authentication_callback")
-
-        # enter the login flow
-        callback_response = self.client.get(
-            callback_url, {"code": "mock", "state": "mock"}
+        login_page = self.app.get(reverse("admin-mfa-login"))
+        start_response = login_page.click(
+            description=_("Login with organization account")
+        )
+        assert start_response.status_code == 302
+        redirect_uri = keycloak_login(
+            start_response["Location"], username="admin", password="admin"
         )
 
-        error_url = reverse("admin-oidc-error")
-
-        with self.subTest("error redirects"):
-            self.assertRedirects(callback_response, error_url)
-
-        with self.subTest("exception info on error page"):
-            error_page = self.client.get(error_url)
+        error_page = self.app.get(redirect_uri, auto_follow=True)
 
+        with self.subTest("error page"):
             self.assertEqual(error_page.status_code, 200)
+            self.assertEqual(error_page.request.path, reverse("admin-oidc-error"))
             self.assertEqual(
                 error_page.context["oidc_error"],
                 """duplicate key value violates unique constraint "filled_email_unique"""
-                """"\nDETAIL:  Key (email)=(collision@example.com) already exists.\n""",
+                """"\nDETAIL:  Key (email)=(admin@example.com) already exists.\n""",
             )
             self.assertContains(
                 error_page, "duplicate key value violates unique constraint"
             )
 
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_userinfo")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.store_tokens")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.verify_token")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_token")
-    @patch(
-        "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(id=1, enabled=True),
-    )
-    def test_happy_flow(
-        self,
-        mock_get_solo,
-        mock_get_token,
-        mock_verify_token,
-        mock_store_tokens,
-        mock_get_userinfo,
-    ):
-        """
-        Assert that duplicate email addresses result in usable user feedback.
-
-        Regression test for #1199
-        """
-        # set up a user with a colliding email address
-        mock_get_userinfo.return_value = {
-            "email": "nocollision@example.com",
-            "sub": "some_username",
-        }
-        StaffUserFactory.create(
-            username="nonmatchingusername", email="collision@example.com"
+        with self.subTest("user state unmodified"):
+            self.assertEqual(User.objects.count(), 1)
+            staff_user.refresh_from_db()
+            self.assertEqual(staff_user.username, "no-match")
+            self.assertEqual(staff_user.email, "admin@example.com")
+            self.assertTrue(staff_user.is_staff)
+
+    @mock_admin_oidc_config()
+    def test_happy_flow(self):
+        login_page = self.app.get(reverse("admin-mfa-login"))
+        start_response = login_page.click(
+            description=_("Login with organization account")
         )
-        session = self.client.session
-        session["oidc_states"] = {"mock": {"nonce": "nonce"}}
-        session.save()
-        callback_url = reverse("oidc_authentication_callback")
-
-        # enter the login flow
-        callback_response = self.client.get(
-            callback_url, {"code": "mock", "state": "mock"}
+        assert start_response.status_code == 302
+        redirect_uri = keycloak_login(
+            start_response["Location"], username="admin", password="admin"
         )
 
-        self.assertRedirects(
-            callback_response, reverse("admin:index"), fetch_redirect_response=False
+        admin_index = self.app.get(redirect_uri, auto_follow=True)
+
+        self.assertEqual(admin_index.status_code, 200)
+        self.assertEqual(admin_index.request.path, reverse("admin:index"))
+
+        self.assertEqual(User.objects.count(), 1)
+        user = User.objects.get()
+        self.assertEqual(user.username, "admin")
+
+    @mock_admin_oidc_config(make_users_staff=False)
+    def test_happy_flow_existing_user(self):
+        staff_user = StaffUserFactory.create(username="admin", email="update-me")
+        login_page = self.app.get(reverse("admin-mfa-login"))
+        start_response = login_page.click(
+            description=_("Login with organization account")
+        )
+        assert start_response.status_code == 302
+        redirect_uri = keycloak_login(
+            start_response["Location"], username="admin", password="admin"
         )
-        self.assertTrue(User.objects.filter(email="nocollision@example.com").exists())
-
-    def test_error_page_direct_access_forbidden(self):
-        error_url = reverse("admin-oidc-error")
-
-        response = self.client.get(error_url)
-
-        self.assertEqual(response.status_code, 403)
-
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_userinfo")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.store_tokens")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.verify_token")
-    @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_token")
-    @patch(
-        "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(id=1, enabled=True),
-    )
-    def test_error_first_cleared_after_succesful_login(
-        self,
-        mock_get_solo,
-        mock_get_token,
-        mock_verify_token,
-        mock_store_tokens,
-        mock_get_userinfo,
-    ):
-        mock_get_userinfo.return_value = {
-            "email": "nocollision@example.com",
-            "sub": "some_username",
-        }
-        session = self.client.session
-        session["oidc-error"] = "some error"
-        session.save()
-        error_url = reverse("admin-oidc-error")
-
-        with self.subTest("with error"):
-            response = self.client.get(error_url)
-
-            self.assertEqual(response.status_code, 200)
-
-        with self.subTest("after succesful login"):
-            session["oidc_states"] = {"mock": {"nonce": "nonce"}}
-            session.save()
-            callback_url = reverse("oidc_authentication_callback")
-
-            # enter the login flow
-            callback_response = self.client.get(
-                callback_url, {"code": "mock", "state": "mock"}
-            )
 
-            self.assertRedirects(
-                callback_response, reverse("admin:index"), fetch_redirect_response=False
-            )
+        admin_index = self.app.get(redirect_uri, auto_follow=True)
 
-            with self.subTest("check error page again"):
-                response = self.client.get(error_url)
+        self.assertEqual(admin_index.status_code, 200)
+        self.assertEqual(admin_index.request.path, reverse("admin:index"))
 
-                self.assertEqual(response.status_code, 403)
+        self.assertEqual(User.objects.count(), 1)
+        staff_user.refresh_from_db()
+        self.assertEqual(staff_user.username, "admin")
+        self.assertEqual(staff_user.email, "admin@example.com")
diff --git a/src/openforms/admin/tests/test_admin_login.py b/src/openforms/admin/tests/test_admin_login.py
index d5d25a9e18..a7fb644fed 100644
--- a/src/openforms/admin/tests/test_admin_login.py
+++ b/src/openforms/admin/tests/test_admin_login.py
@@ -83,7 +83,7 @@ def setUp(self):
         super().setUp()
 
         patcher = patch(
-            "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
+            "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
             return_value=OpenIDConnectConfig(
                 enabled=True,
                 oidc_op_authorization_endpoint="https://oidc.example.com/",
diff --git a/src/openforms/authentication/api/tests/test_endpoints.py b/src/openforms/authentication/api/tests/test_endpoints.py
index 71db37c362..926a74ceb3 100644
--- a/src/openforms/authentication/api/tests/test_endpoints.py
+++ b/src/openforms/authentication/api/tests/test_endpoints.py
@@ -1,12 +1,14 @@
 from unittest.mock import patch
 
 from django.db.models import TextChoices
+from django.test import override_settings
 
 from rest_framework import status
 from rest_framework.reverse import reverse, reverse_lazy
 from rest_framework.test import APITestCase
 
 from openforms.accounts.tests.factories import UserFactory
+from openforms.config.models import GlobalConfiguration
 from openforms.utils.tests.feature_flags import enable_feature_flag
 
 from ...base import BasePlugin
@@ -69,6 +71,7 @@ def test_authenticated_and_staff(self):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
 
+@override_settings(SOLO_CACHE=None)
 class ResponseTests(APITestCase):
     @classmethod
     def setUpTestData(cls):
@@ -130,3 +133,16 @@ def test_demo_plugin(self):
         ]
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.json(), expected)
+
+    def test_disabled_plugins_are_not_returned(self):
+        config = GlobalConfiguration.get_solo()
+        config.plugin_configuration = {
+            "authentication": {"plugin1": {"enabled": False}},
+        }
+        config.save()
+        endpoint = reverse("api:authentication-plugin-list")
+
+        response = self.client.get(endpoint)
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.json(), [])
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/admin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/admin.py
new file mode 100644
index 0000000000..b4341e2b1c
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/admin.py
@@ -0,0 +1,89 @@
+from django import forms
+from django.contrib import admin
+from django.utils.translation import gettext_lazy as _
+
+from digid_eherkenning.oidc.admin import (
+    DigiDConfigAdmin as _DigiDConfigAdmin,
+    DigiDMachtigenConfigAdmin as _DigiDMachtigenConfigAdmin,
+    EHerkenningBewindvoeringConfigAdmin as _EHerkenningBewindvoeringConfigAdmin,
+    EHerkenningConfigAdmin as _EHerkenningConfigAdmin,
+    admin_modelform_factory,
+)
+from digid_eherkenning.oidc.models import (
+    DigiDConfig,
+    DigiDMachtigenConfig,
+    EHerkenningBewindvoeringConfig,
+    EHerkenningConfig,
+)
+from mozilla_django_oidc_db.forms import OpenIDConnectConfigForm
+
+from openforms.forms.models import Form
+
+from .models import (
+    OFDigiDConfig,
+    OFDigiDMachtigenConfig,
+    OFEHerkenningBewindvoeringConfig,
+    OFEHerkenningConfig,
+)
+from .plugin import get_config_to_plugin
+
+# unregister the default app admins so we can add in our own behaviour
+admin.site.unregister(DigiDMachtigenConfig)
+admin.site.unregister(EHerkenningBewindvoeringConfig)
+admin.site.unregister(EHerkenningConfig)
+admin.site.unregister(DigiDConfig)
+
+
+class OIDCConfigForm(OpenIDConnectConfigForm):
+    """
+    Custom form class to block backend disabling if any form uses it.
+    """
+
+    def clean_enabled(self):
+        """
+        Scan the (live) forms to see if any might be using this backend.
+
+        Disabling a backend while it is being used as a plugin on a live form would
+        break this form, so we warn the users for this.
+        """
+        enabled = self.cleaned_data["enabled"]
+        # Nothing to do if it is being or stays enabled
+        if enabled:
+            return enabled
+
+        # deteermine which plugin ID we need to query for
+        plugin = get_config_to_plugin()[self._meta.model]
+        forms_with_backend = Form.objects.live().filter(
+            authentication_backends__contains=[plugin.identifier]
+        )
+        if forms_with_backend.exists():
+            raise forms.ValidationError(
+                _(
+                    "{plugin_identifier} is selected as authentication backend "
+                    "for one or more forms, please remove this backend from these "
+                    "forms before disabling this authentication backend."
+                ).format(plugin_identifier=plugin.verbose_name)
+            )
+        return enabled
+
+
+@admin.register(OFDigiDConfig)
+class DigiDConfigAdmin(_DigiDConfigAdmin):
+    form = admin_modelform_factory(OFDigiDConfig, form=OIDCConfigForm)
+
+
+@admin.register(OFDigiDMachtigenConfig)
+class DigiDMachtigenConfigAdmin(_DigiDMachtigenConfigAdmin):
+    form = admin_modelform_factory(OFDigiDMachtigenConfig, form=OIDCConfigForm)
+
+
+@admin.register(OFEHerkenningConfig)
+class EHerkenningConfigAdmin(_EHerkenningConfigAdmin):
+    form = admin_modelform_factory(OFEHerkenningConfig, form=OIDCConfigForm)
+
+
+@admin.register(OFEHerkenningBewindvoeringConfig)
+class EHerkenningBewindvoeringConfigAdmin(_EHerkenningBewindvoeringConfigAdmin):
+    form = admin_modelform_factory(
+        OFEHerkenningBewindvoeringConfig, form=OIDCConfigForm
+    )
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py
index a87789a5bc..60190882a8 100644
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/backends.py
@@ -1,65 +1,133 @@
 import logging
 
-from digid_eherkenning_oidc_generics.backends import OIDCAuthenticationBackend
-from digid_eherkenning_oidc_generics.mixins import (
-    MachtigenBackendMixin,
-    SoloConfigDigiDMachtigenMixin,
-    SoloConfigDigiDMixin,
-    SoloConfigEHerkenningBewindvoeringMixin,
-    SoloConfigEHerkenningMixin,
-)
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import PermissionDenied
+from django.http import HttpRequest
+
+from digid_eherkenning.oidc.models import OpenIDConnectBaseConfig
+from glom import Path, PathAccessError, glom
+from mozilla_django_oidc_db.backends import OIDCAuthenticationBackend
+from mozilla_django_oidc_db.config import dynamic_setting
+from mozilla_django_oidc_db.typing import ClaimPath
+from mozilla_django_oidc_db.utils import obfuscate_claims
+from typing_extensions import override
 
-from .constants import (
-    DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY,
-    DIGID_OIDC_AUTH_SESSION_KEY,
-    EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY,
-    EHERKENNING_OIDC_AUTH_SESSION_KEY,
+from openforms.typing import JSONObject
+
+from .models import (
+    OFDigiDConfig,
+    OFDigiDMachtigenConfig,
+    OFEHerkenningBewindvoeringConfig,
+    OFEHerkenningConfig,
 )
+from .plugin import get_config_to_plugin
 
 logger = logging.getLogger(__name__)
 
 
-class OIDCAuthenticationDigiDBackend(SoloConfigDigiDMixin, OIDCAuthenticationBackend):
+class DigiDEHerkenningOIDCBackend(OIDCAuthenticationBackend):
     """
-    Allows logging in via OIDC with DigiD
+    A backend specialised to the digid-eherkenning-generics subclassed model.
     """
 
-    session_key = DIGID_OIDC_AUTH_SESSION_KEY
-
-
-class OIDCAuthenticationEHerkenningBackend(
-    SoloConfigEHerkenningMixin, OIDCAuthenticationBackend
-):
+    MANDATE_CLAIMS = dynamic_setting[dict[str, ClaimPath]]()
     """
-    Allows logging in via OIDC with DigiD
+    Mapping of destination key and the claim paths to extract.
     """
 
-    session_key = EHERKENNING_OIDC_AUTH_SESSION_KEY
+    @override
+    def _check_candidate_backend(self) -> bool:
+        # if we're dealing with a mozilla-django-oidc-db config that is *not* a
+        # digid-eherkenning-generics subclass, then don't bother.
+        if not issubclass(self.config_class, OpenIDConnectBaseConfig):
+            return False
+        return super()._check_candidate_backend()
+
+    def get_or_create_user(
+        self, access_token: str, id_token: str, payload: JSONObject
+    ) -> AnonymousUser:
+        """
+        Return a "fake" Django user.
+
+        If the claims are valid, we only process them and do not create or update an
+        actual Django user.
+        """
+        assert isinstance(self.request, HttpRequest)
+
+        user_info = self.get_userinfo(access_token, id_token, payload)
+        claims_verified = self.verify_claims(user_info)
+        if not claims_verified:
+            msg = "Claims verification failed"
+            # Raise PermissionDenied rather than SuspiciousOperation - this makes it
+            # Django stops trying other (OIDC) authentication backends, which fail
+            # because the code was already exchanged for an access token.
+            # Note that this backend only runs for the DigiD/eHerkenning configs at all,
+            # and those aren't particularly compatible with the admin-OIDC flow anyway.
+            # See :meth:`_check_candidate_backend` that prevents this backend from being
+            # used for admin OIDC.
+            raise PermissionDenied(msg)
+
+        self._extract_and_store_claims(payload)
+
+        user = AnonymousUser()
+        user.is_active = True  # type: ignore
+        return user
+
+    @override
+    def verify_claims(self, claims) -> bool:
+        """Verify the provided claims to decide if authentication should be allowed."""
+        if self.config_class in (OFDigiDConfig, OFEHerkenningConfig):
+            return super().verify_claims(claims)
+
+        assert self.config_class in (
+            OFDigiDMachtigenConfig,
+            OFEHerkenningBewindvoeringConfig,
+        )
+
+        assert claims, "Empty claims should have been blocked earlier"
+        obfuscated_claims = obfuscate_claims(claims, self.OIDCDB_SENSITIVE_CLAIMS)
+        logger.debug("OIDC claims received: %s", obfuscated_claims)
+
+        for claim_path in self.MANDATE_CLAIMS.values():
+            try:
+                glom(claims, Path(*claim_path))
+            except PathAccessError:
+                logger.error(
+                    "`%s` not found in the OIDC claims, cannot "
+                    "proceed with authentication",
+                    " > ".join(claim_path),
+                )
+                return False
 
+        return True
 
-class OIDCAuthenticationDigiDMachtigenBackend(
-    MachtigenBackendMixin, SoloConfigDigiDMachtigenMixin, OIDCAuthenticationBackend
-):
-    session_key = DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY
+    def _extract_and_store_claims(self, claims: JSONObject) -> None:
+        """
+        Extract the required claims and store them in the session.
 
-    @property
-    def claim_names(self):
-        return [
-            self.config.vertegenwoordigde_claim_name,
-            self.config.gemachtigde_claim_name,
-        ]
+        TODO: extend this to grab more information from the claims.
+        """
+        config_to_plugin = get_config_to_plugin()
+        assert self.config_class and self.config_class in config_to_plugin
+        session_key = config_to_plugin[self.config_class].session_key
 
+        session_value: JSONObject | str
 
-class OIDCAuthenticationEHerkenningBewindvoeringBackend(
-    MachtigenBackendMixin,
-    SoloConfigEHerkenningBewindvoeringMixin,
-    OIDCAuthenticationBackend,
-):
-    session_key = EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY
+        # DigiD/eHerkenning without machtigen -> stores the BSN/KVK directly
+        if self.config_class in (OFDigiDConfig, OFEHerkenningConfig):
+            claim_bits = self.OIDCDB_USERNAME_CLAIM
+            session_value = glom(claims, Path(*claim_bits), default="")
+        # DigiD/eHerkenning with machtigen -> store a dict of relevant claims.
+        elif self.config_class in (
+            OFDigiDMachtigenConfig,
+            OFEHerkenningBewindvoeringConfig,
+        ):
+            session_value = {
+                key: glom(claims, Path(*claim_bits))
+                for key, claim_bits in self.MANDATE_CLAIMS.items()
+            }
+        else:  # pragma: no cover
+            raise RuntimeError("Unsupported config class")
 
-    @property
-    def claim_names(self):
-        return [
-            self.config.vertegenwoordigde_company_claim_name,
-            self.config.gemachtigde_person_claim_name,
-        ]
+        assert self.request
+        self.request.session[session_key] = session_value
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/constants.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/constants.py
deleted file mode 100644
index ce6ead1307..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/constants.py
+++ /dev/null
@@ -1,6 +0,0 @@
-DIGID_OIDC_AUTH_SESSION_KEY = "digid_oidc:bsn"
-EHERKENNING_OIDC_AUTH_SESSION_KEY = "eherkenning_oidc:kvk"
-DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY = "digid_machtigen_oidc:machtigen"
-EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY = (
-    "eherkenning_bewindvoering_oidc:machtigen"
-)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/digid_machtigen_urls.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/digid_machtigen_urls.py
deleted file mode 100644
index cec3ce2f14..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/digid_machtigen_urls.py
+++ /dev/null
@@ -1,16 +0,0 @@
-from django.urls import path
-
-from mozilla_django_oidc.urls import urlpatterns
-
-from .views import DigiDMachtigenOIDCAuthenticationCallbackView
-
-app_name = "digid_machtigen_oidc"
-
-
-urlpatterns = [
-    path(
-        "callback/",
-        DigiDMachtigenOIDCAuthenticationCallbackView.as_view(),
-        name="callback",
-    ),
-] + urlpatterns
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/digid_urls.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/digid_urls.py
deleted file mode 100644
index a7e5950f09..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/digid_urls.py
+++ /dev/null
@@ -1,16 +0,0 @@
-from django.urls import path
-
-from mozilla_django_oidc.urls import urlpatterns
-
-from .views import DigiDOIDCAuthenticationCallbackView
-
-app_name = "digid_oidc"
-
-
-urlpatterns = [
-    path(
-        "callback/",
-        DigiDOIDCAuthenticationCallbackView.as_view(),
-        name="callback",
-    ),
-] + urlpatterns
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/eherkenning_bewindvoering_urls.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/eherkenning_bewindvoering_urls.py
deleted file mode 100644
index 9d8b596da8..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/eherkenning_bewindvoering_urls.py
+++ /dev/null
@@ -1,16 +0,0 @@
-from django.urls import path
-
-from mozilla_django_oidc.urls import urlpatterns
-
-from .views import EHerkenningBewindvoeringOIDCAuthenticationCallbackView
-
-app_name = "eherkenning_bewindvoering_oidc"
-
-
-urlpatterns = [
-    path(
-        "callback/",
-        EHerkenningBewindvoeringOIDCAuthenticationCallbackView.as_view(),
-        name="callback",
-    ),
-] + urlpatterns
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/eherkenning_urls.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/eherkenning_urls.py
deleted file mode 100644
index 4f2ce729ca..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/eherkenning_urls.py
+++ /dev/null
@@ -1,16 +0,0 @@
-from django.urls import path
-
-from mozilla_django_oidc.urls import urlpatterns
-
-from .views import eHerkenningOIDCAuthenticationCallbackView
-
-app_name = "eherkenning_oidc"
-
-
-urlpatterns = [
-    path(
-        "callback/",
-        eHerkenningOIDCAuthenticationCallbackView.as_view(),
-        name="callback",
-    ),
-] + urlpatterns
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/legacy_urls.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/legacy_urls.py
new file mode 100644
index 0000000000..8039dad50c
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/legacy_urls.py
@@ -0,0 +1,60 @@
+"""
+Callback URLs for the different plugins.
+
+These plugin-specific callback URLs are deprecated and will be removed in Open Forms
+3.0. Instead, use the generic callback URL in urls.py - it can handle the different
+configs.
+"""
+
+from django.urls import include, path
+
+from mozilla_django_oidc_db.views import OIDCCallbackView
+
+oidc_callback = OIDCCallbackView.as_view()
+
+urlpatterns = [
+    path(
+        "digid-oidc/",
+        include(
+            (
+                [
+                    path("callback/", oidc_callback, name="callback"),
+                ],
+                "digid_oidc",
+            )
+        ),
+    ),
+    path(
+        "eherkenning-oidc/",
+        include(
+            (
+                [
+                    path("callback/", oidc_callback, name="callback"),
+                ],
+                "eherkenning_oidc",
+            )
+        ),
+    ),
+    path(
+        "digid-machtigen-oidc/",
+        include(
+            (
+                [
+                    path("callback/", oidc_callback, name="callback"),
+                ],
+                "digid_machtigen_oidc",
+            )
+        ),
+    ),
+    path(
+        "eherkenning-bewindvoering-oidc/",
+        include(
+            (
+                [
+                    path("callback/", oidc_callback, name="callback"),
+                ],
+                "eherkenning_bewindvoering_oidc",
+            )
+        ),
+    ),
+]
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/migrations/0001_initial.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/migrations/0001_initial.py
new file mode 100644
index 0000000000..33c1e2cf51
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/migrations/0001_initial.py
@@ -0,0 +1,66 @@
+# Generated by Django 4.2.11 on 2024-06-17 07:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        (
+            "digid_eherkenning_oidc_generics",
+            "0006_alter_digidconfig_oidc_rp_scopes_list_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="OFDigiDConfig",
+            fields=[],
+            options={
+                "verbose_name": "DigiD (OIDC)",
+                "verbose_name_plural": "DigiD (OIDC)",
+                "proxy": True,
+                "indexes": [],
+                "constraints": [],
+            },
+            bases=("digid_eherkenning_oidc_generics.digidconfig",),
+        ),
+        migrations.CreateModel(
+            name="OFDigiDMachtigenConfig",
+            fields=[],
+            options={
+                "verbose_name": "DigiD Machtigen (OIDC)",
+                "verbose_name_plural": "DigiD Machtigen (OIDC)",
+                "proxy": True,
+                "indexes": [],
+                "constraints": [],
+            },
+            bases=("digid_eherkenning_oidc_generics.digidmachtigenconfig",),
+        ),
+        migrations.CreateModel(
+            name="OFEHerkenningBewindvoeringConfig",
+            fields=[],
+            options={
+                "verbose_name": "eHerkenning bewindvoering (OIDC)",
+                "verbose_name_plural": "eHerkenning bewindvoering (OIDC)",
+                "proxy": True,
+                "indexes": [],
+                "constraints": [],
+            },
+            bases=("digid_eherkenning_oidc_generics.eherkenningbewindvoeringconfig",),
+        ),
+        migrations.CreateModel(
+            name="OFEHerkenningConfig",
+            fields=[],
+            options={
+                "verbose_name": "eHerkenning (OIDC)",
+                "verbose_name_plural": "eHerkenning (OIDC)",
+                "proxy": True,
+                "indexes": [],
+                "constraints": [],
+            },
+            bases=("digid_eherkenning_oidc_generics.eherkenningconfig",),
+        ),
+    ]
diff --git a/src/digid_eherkenning_oidc_generics/migrations/__init__.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/migrations/__init__.py
similarity index 100%
rename from src/digid_eherkenning_oidc_generics/migrations/__init__.py
rename to src/openforms/authentication/contrib/digid_eherkenning_oidc/migrations/__init__.py
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/models.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/models.py
new file mode 100644
index 0000000000..2c9fff1554
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/models.py
@@ -0,0 +1,115 @@
+import warnings
+
+from django.conf import settings
+from django.utils.functional import classproperty
+from django.utils.translation import gettext_lazy as _
+
+from digid_eherkenning.oidc.models import (
+    DigiDConfig,
+    DigiDMachtigenConfig,
+    EHerkenningBewindvoeringConfig,
+    EHerkenningConfig,
+)
+from mozilla_django_oidc_db.typing import ClaimPath
+
+
+def get_callback_view(self):
+    from .views import callback_view
+
+    return callback_view
+
+
+class OFDigiDConfig(DigiDConfig):
+    class Meta:
+        proxy = True
+        verbose_name = _("DigiD (OIDC)")
+        verbose_name_plural = _("DigiD (OIDC)")
+
+    get_callback_view = get_callback_view
+
+    @classproperty
+    def oidc_authentication_callback_url(cls) -> str:  # type: ignore
+        if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
+            warnings.warn(
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                DeprecationWarning,
+            )
+            return "digid_oidc:callback"
+        return "oidc_authentication_callback"
+
+
+class OFDigiDMachtigenConfig(DigiDMachtigenConfig):
+    class Meta:
+        proxy = True
+        verbose_name = _("DigiD Machtigen (OIDC)")
+        verbose_name_plural = _("DigiD Machtigen (OIDC)")
+
+    get_callback_view = get_callback_view
+
+    @classproperty
+    def oidc_authentication_callback_url(cls) -> str:  # type: ignore
+        if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
+            warnings.warn(
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                DeprecationWarning,
+            )
+            return "digid_machtigen_oidc:callback"
+        return "oidc_authentication_callback"
+
+    @property
+    def mandate_claims(self) -> dict[str, ClaimPath]:
+        return {
+            "representee": self.representee_bsn_claim,
+            "authorizee": self.authorizee_bsn_claim,
+            "service_id": self.mandate_service_id_claim,
+        }
+
+
+class OFEHerkenningConfig(EHerkenningConfig):
+    class Meta:
+        proxy = True
+        verbose_name = _("eHerkenning (OIDC)")
+        verbose_name_plural = _("eHerkenning (OIDC)")
+
+    get_callback_view = get_callback_view
+
+    @classproperty
+    def oidc_authentication_callback_url(cls) -> str:  # type: ignore
+        if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
+            warnings.warn(
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                DeprecationWarning,
+            )
+            return "eherkenning_oidc:callback"
+        return "oidc_authentication_callback"
+
+
+class OFEHerkenningBewindvoeringConfig(EHerkenningBewindvoeringConfig):
+    class Meta:
+        proxy = True
+        verbose_name = _("eHerkenning bewindvoering (OIDC)")
+        verbose_name_plural = _("eHerkenning bewindvoering (OIDC)")
+
+    get_callback_view = get_callback_view
+
+    @classproperty
+    def oidc_authentication_callback_url(cls) -> str:  # type: ignore
+        if settings.USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS:
+            warnings.warn(
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                DeprecationWarning,
+            )
+            return "eherkenning_bewindvoering_oidc:callback"
+        return "oidc_authentication_callback"
+
+    @property
+    def mandate_claims(self) -> dict[str, ClaimPath]:
+        return {
+            "representee": self.representee_claim,
+            # "authorizee_legal_subject_type": self.identifier_type_claim,
+            "authorizee_legal_subject": self.legal_subject_claim,
+            "authorizee_acting_subject": self.acting_subject_claim,
+            # "authorizee_branch_number": self.branch_number_claim,
+            # "service_id": self.mandate_service_id_claim,
+            # "service_uuid": self.mandate_service_uuid_claim,
+        }
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
index fa7ec0eb04..cf306f8126 100644
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/plugin.py
@@ -1,4 +1,6 @@
-from typing import Any, ClassVar, Protocol
+from __future__ import annotations
+
+from typing import Any, ClassVar, Generic, Protocol, TypeVar
 
 from django.http import (
     HttpRequest,
@@ -8,38 +10,47 @@
 )
 from django.utils.translation import gettext_lazy as _
 
-import requests
-from furl import furl
-from rest_framework.reverse import reverse
+from digid_eherkenning.oidc.models import OpenIDConnectBaseConfig
+from mozilla_django_oidc_db.utils import do_op_logout
+from mozilla_django_oidc_db.views import _RETURN_URL_SESSION_KEY
 
-from digid_eherkenning_oidc_generics.models import (
-    OpenIDConnectDigiDMachtigenConfig,
-    OpenIDConnectEHerkenningBewindvoeringConfig,
-    OpenIDConnectEHerkenningConfig,
-    OpenIDConnectPublicConfig,
-)
-from digid_eherkenning_oidc_generics.views import (
-    digid_init,
-    digid_machtigen_init,
-    eherkenning_bewindvoering_init,
-    eherkenning_init,
-)
 from openforms.contrib.digid_eherkenning.utils import (
     get_digid_logo,
     get_eherkenning_logo,
 )
 from openforms.forms.models import Form
+from openforms.typing import JSONObject, StrOrPromise
+from openforms.utils.urls import reverse_plus
 
 from ...base import BasePlugin, LoginLogo
 from ...constants import CO_SIGN_PARAMETER, FORM_AUTH_SESSION_KEY, AuthAttribute
 from ...exceptions import InvalidCoSignData
 from ...registry import register
-from .constants import (
-    DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY,
-    DIGID_OIDC_AUTH_SESSION_KEY,
-    EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY,
-    EHERKENNING_OIDC_AUTH_SESSION_KEY,
+from .models import (
+    OFDigiDConfig,
+    OFDigiDMachtigenConfig,
+    OFEHerkenningBewindvoeringConfig,
+    OFEHerkenningConfig,
 )
+from .views import (
+    digid_init,
+    digid_machtigen_init,
+    eherkenning_bewindvoering_init,
+    eherkenning_init,
+)
+
+OIDC_ID_TOKEN_SESSION_KEY = "oidc_id_token"
+
+
+def get_config_to_plugin() -> dict[type[OpenIDConnectBaseConfig], OIDCAuthentication]:
+    """
+    Get the mapping of config class to plugin identifier from the registry.
+    """
+    return {
+        plugin.config_class: plugin
+        for plugin in register
+        if isinstance(plugin, OIDCAuthentication)
+    }
 
 
 class AuthInit(Protocol):
@@ -48,21 +59,27 @@ def __call__(
     ) -> HttpResponseBase: ...
 
 
-class OIDCAuthentication(BasePlugin):
-    verbose_name = ""
-    provides_auth = ""
-    session_key = ""
-    config_class = None
+T = TypeVar("T", bound=str | JSONObject)
+
+
+class OIDCAuthentication(Generic[T], BasePlugin):
+    verbose_name: StrOrPromise = ""
+    provides_auth: AuthAttribute
+    session_key: str = ""
+    config_class: ClassVar[type[OpenIDConnectBaseConfig]]
     init_view: ClassVar[AuthInit]
 
     def start_login(self, request: HttpRequest, form: Form, form_url: str):
-        auth_return_url = reverse(
+        return_url_query = {"next": form_url}
+        if co_sign_param := request.GET.get(CO_SIGN_PARAMETER):
+            return_url_query[CO_SIGN_PARAMETER] = co_sign_param
+
+        return_url = reverse_plus(
             "authentication:return",
             kwargs={"slug": form.slug, "plugin_id": self.identifier},
+            request=request,
+            query=return_url_query,
         )
-        return_url = furl(auth_return_url).set({"next": form_url})
-        if co_sign_param := request.GET.get(CO_SIGN_PARAMETER):
-            return_url.args[CO_SIGN_PARAMETER] = co_sign_param
 
         # "evaluate" the view, this achieves two things:
         #
@@ -74,11 +91,11 @@ def start_login(self, request: HttpRequest, form: Form, form_url: str):
         #
         # This may raise `OIDCProviderOutage`, which bubbles into the generic auth
         # start_view and gets handled there.
-        response = self.init_view(request, return_url=str(return_url))
+        response = self.init_view(request, return_url=return_url)
         assert isinstance(response, HttpResponseRedirect)
         return response
 
-    def handle_co_sign(self, request: HttpRequest, form: Form) -> dict[str, Any] | None:
+    def handle_co_sign(self, request: HttpRequest, form: Form) -> dict[str, Any]:
         if not (claim := request.session.get(self.session_key)):
             raise InvalidCoSignData(f"Missing '{self.provides_auth}' parameter/value")
         return {
@@ -86,16 +103,11 @@ def handle_co_sign(self, request: HttpRequest, form: Form) -> dict[str, Any] | N
             "fields": {},
         }
 
-    def add_claims_to_sessions_if_not_cosigning(self, claim, request):
-        # set the session auth key only if we're not co-signing
-        if claim and CO_SIGN_PARAMETER not in request.GET:
-            request.session[FORM_AUTH_SESSION_KEY] = {
-                "plugin": self.identifier,
-                "attribute": self.provides_auth,
-                "value": claim,
-            }
+    def translate_auth_data(self, session_value: T) -> tuple[str, None | JSONObject]:
+        assert isinstance(session_value, str)
+        return session_value, None
 
-    def handle_return(self, request, form):
+    def handle_return(self, request: HttpRequest, form: Form):
         """
         Redirect to form URL.
         """
@@ -103,39 +115,42 @@ def handle_return(self, request, form):
         if not form_url:
             return HttpResponseBadRequest("missing 'next' parameter")
 
-        claim = request.session.get(self.session_key)
-
-        self.add_claims_to_sessions_if_not_cosigning(claim, request)
+        session_value: T | None = request.session.get(self.session_key)
+        if session_value and CO_SIGN_PARAMETER not in request.GET:
+            auth_value, machtigen_data = self.translate_auth_data(session_value)
+            _machtigen_data = {"machtigen": machtigen_data} if machtigen_data else {}
+            request.session[FORM_AUTH_SESSION_KEY] = {
+                "plugin": self.identifier,
+                "attribute": self.provides_auth,
+                "value": auth_value,
+                **_machtigen_data,
+            }
 
         return HttpResponseRedirect(form_url)
 
     def logout(self, request: HttpRequest):
-        if "oidc_id_token" in request.session:
-            logout_endpoint = self.config_class.get_solo().oidc_op_logout_endpoint
-            if logout_endpoint:
-                logout_url = furl(logout_endpoint).set(
-                    {
-                        "id_token_hint": request.session["oidc_id_token"],
-                    }
-                )
-                requests.get(str(logout_url))
-
-            del request.session["oidc_id_token"]
-
-        if "oidc_login_next" in request.session:
-            del request.session["oidc_login_next"]
-
-        if self.session_key in request.session:
-            del request.session[self.session_key]
+        if id_token := request.session.get(OIDC_ID_TOKEN_SESSION_KEY):
+            config = self.config_class.get_solo()
+            assert isinstance(config, OpenIDConnectBaseConfig)
+            do_op_logout(config, id_token)
+
+        keys_to_delete = (
+            "oidc_login_next",  # from upstream library
+            self.session_key,
+            _RETURN_URL_SESSION_KEY,
+            OIDC_ID_TOKEN_SESSION_KEY,
+        )
+        for key in keys_to_delete:
+            if key in request.session:
+                del request.session[key]
 
 
 @register("digid_oidc")
-class DigiDOIDCAuthentication(OIDCAuthentication):
+class DigiDOIDCAuthentication(OIDCAuthentication[str]):
     verbose_name = _("DigiD via OpenID Connect")
     provides_auth = AuthAttribute.bsn
-    session_key = DIGID_OIDC_AUTH_SESSION_KEY
-    claim_name = ""
-    config_class = OpenIDConnectPublicConfig
+    session_key = "digid_oidc:bsn"
+    config_class = OFDigiDConfig
     init_view = staticmethod(digid_init)
 
     def get_label(self) -> str:
@@ -146,12 +161,11 @@ def get_logo(self, request) -> LoginLogo | None:
 
 
 @register("eherkenning_oidc")
-class eHerkenningOIDCAuthentication(OIDCAuthentication):
+class eHerkenningOIDCAuthentication(OIDCAuthentication[str]):
     verbose_name = _("eHerkenning via OpenID Connect")
     provides_auth = AuthAttribute.kvk
-    session_key = EHERKENNING_OIDC_AUTH_SESSION_KEY
-    claim_name = "kvk"
-    config_class = OpenIDConnectEHerkenningConfig
+    session_key = "eherkenning_oidc:kvk"
+    config_class = OFEHerkenningConfig
     init_view = staticmethod(eherkenning_init)
 
     def get_label(self) -> str:
@@ -162,29 +176,22 @@ def get_logo(self, request) -> LoginLogo | None:
 
 
 @register("digid_machtigen_oidc")
-class DigiDMachtigenOIDCAuthentication(OIDCAuthentication):
+class DigiDMachtigenOIDCAuthentication(OIDCAuthentication[JSONObject]):
     verbose_name = _("DigiD Machtigen via OpenID Connect")
     provides_auth = AuthAttribute.bsn
-    session_key = DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY
-    config_class = OpenIDConnectDigiDMachtigenConfig
+    session_key = "digid_machtigen_oidc:machtigen"
+    config_class = OFDigiDMachtigenConfig
     init_view = staticmethod(digid_machtigen_init)
     is_for_gemachtigde = True
 
-    def add_claims_to_sessions_if_not_cosigning(self, claim, request):
-        # set the session auth key only if we're not co-signing
-        if not claim or CO_SIGN_PARAMETER in request.GET:
-            return
-
-        config = self.config_class.get_solo()
-        machtigen_data = request.session[self.session_key]
-        request.session[FORM_AUTH_SESSION_KEY] = {
-            "plugin": self.identifier,
-            "attribute": self.provides_auth,
-            "value": claim[config.vertegenwoordigde_claim_name],
-            "machtigen": {
-                "identifier_value": machtigen_data.get(config.gemachtigde_claim_name)
-            },
-        }
+    def translate_auth_data(self, session_value: JSONObject) -> tuple[str, JSONObject]:
+        # these keys are set by the authentication backend
+        bsn_vertegenwoordigde = session_value.get("representee")
+        assert isinstance(bsn_vertegenwoordigde, str)
+        bsn_gemachtigde = session_value.get("authorizee")
+        assert isinstance(bsn_gemachtigde, str)
+
+        return bsn_vertegenwoordigde, {"identifier_value": bsn_gemachtigde}
 
     def get_label(self) -> str:
         return "DigiD Machtigen"
@@ -194,32 +201,22 @@ def get_logo(self, request) -> LoginLogo | None:
 
 
 @register("eherkenning_bewindvoering_oidc")
-class EHerkenningBewindvoeringOIDCAuthentication(OIDCAuthentication):
+class EHerkenningBewindvoeringOIDCAuthentication(OIDCAuthentication[JSONObject]):
     verbose_name = _("eHerkenning bewindvoering via OpenID Connect")
     provides_auth = AuthAttribute.kvk
-    session_key = EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY
-    config_class = OpenIDConnectEHerkenningBewindvoeringConfig
+    session_key = "eherkenning_bewindvoering_oidc:machtigen"
+    config_class = OFEHerkenningBewindvoeringConfig
     init_view = staticmethod(eherkenning_bewindvoering_init)
     is_for_gemachtigde = True
 
-    def add_claims_to_sessions_if_not_cosigning(self, claim, request):
-        # set the session auth key only if we're not co-signing
-        if not claim or CO_SIGN_PARAMETER in request.GET:
-            return
-
-        config = self.config_class.get_solo()
-        machtigen_data = request.session[self.session_key]
-        request.session[FORM_AUTH_SESSION_KEY] = {
-            "plugin": self.identifier,
-            "attribute": self.provides_auth,
-            "value": claim[config.vertegenwoordigde_company_claim_name],
-            "machtigen": {
-                # TODO So far the only possibility is that this is a BSN.
-                "identifier_value": machtigen_data.get(
-                    config.gemachtigde_person_claim_name
-                )
-            },
-        }
+    def translate_auth_data(self, session_value: JSONObject) -> tuple[str, JSONObject]:
+        # these keys are set by the authentication backend
+        bsn_vertegenwoordigde = session_value.get("representee")
+        assert isinstance(bsn_vertegenwoordigde, str)
+        kvk_gemachtigde = session_value.get("authorizee_legal_subject")
+        assert isinstance(kvk_gemachtigde, str)
+
+        return bsn_vertegenwoordigde, {"identifier_value": kvk_gemachtigde}
 
     def get_label(self) -> str:
         return "eHerkenning bewindvoering"
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md
new file mode 100644
index 0000000000..03037c38ea
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/README.md
@@ -0,0 +1,25 @@
+# README
+
+The integration tests for the OIDC flavour of DigiD/eHerkenning uses VCR.py. To (re-) record the
+cassettes, perform the following steps (from the root of the repo):
+
+1. Bring up the Keycloak instance
+
+   ```bash
+   cd docker/
+   docker compose -f docker-compose.keycloak.yml up -d
+   ```
+
+2. Delete the old cassettes
+
+   ```bash
+   rm -rf src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes
+   ```
+
+3. Run the tests
+
+   ```bash
+   python src/manage.py test openforms.authentication.contrib.digid_eherkenning_oidc
+   ```
+
+4. Inspect the diff and commit the changes.
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/base.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/base.py
new file mode 100644
index 0000000000..a463d47deb
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/base.py
@@ -0,0 +1,62 @@
+from functools import partial
+from pathlib import Path
+
+from django.test import override_settings
+
+from django_webtest import WebTest
+
+from openforms.utils.tests.keycloak import KEYCLOAK_BASE_URL, mock_oidc_db_config
+from openforms.utils.tests.vcr import OFVCRMixin
+
+TEST_FILES = (Path(__file__).parent / "data").resolve()
+
+
+def mock_config(model: str, **overrides):
+    overrides.setdefault("oidc_op_logout_endpoint", f"{KEYCLOAK_BASE_URL}/logout")
+    return mock_oidc_db_config(
+        app_label="digid_eherkenning_oidc", model=model, **overrides
+    )
+
+
+mock_digid_config = partial(
+    mock_config,
+    model="OFDigiDConfig",
+    oidc_rp_scopes_list=["openid", "bsn"],
+)
+
+mock_eherkenning_config = partial(
+    mock_config,
+    model="OFEHerkenningConfig",
+    oidc_rp_scopes_list=["openid", "kvk"],
+    identifier_type_claim=["name_qualifier"],
+    legal_subject_claim=["legalSubjectID"],
+    acting_subject_claim=["actingSubjectID"],
+    branch_number_claim=["urn:etoegang:1.9:ServiceRestriction:Vestigingsnr"],
+)
+
+mock_digid_machtigen_config = partial(
+    mock_config,
+    model="OFDigiDMachtigenConfig",
+    oidc_rp_scopes_list=["openid", "bsn"],
+    representee_bsn_claim=["aanvrager.bsn"],
+    authorizee_bsn_claim=["gemachtigde.bsn"],
+    mandate_service_id_claim=["service_id"],
+)
+
+mock_eherkenning_bewindvoering_config = partial(
+    mock_config,
+    model="OFEHerkenningBewindvoeringConfig",
+    oidc_rp_scopes_list=["openid", "bsn"],
+    identifier_type_claim=["name_qualifier"],
+    legal_subject_claim=["legalSubjectID"],
+    acting_subject_claim=["actingSubjectID"],
+    branch_number_claim=["urn:etoegang:1.9:ServiceRestriction:Vestigingsnr"],
+    representee_claim=["representeeBSN"],
+    mandate_service_id_claim=["service_id"],
+    mandate_service_uuid_claim=["service_uuid"],
+)
+
+
+@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
+class IntegrationTestsBase(OFVCRMixin, WebTest):
+    VCR_TEST_FILES = TEST_FILES
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml
new file mode 100644
index 0000000000..bfe1f37dc2
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml
new file mode 100644
index 0000000000..bfe1f37dc2
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/digid-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml
new file mode 100644
index 0000000000..61ac74073c
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_failing_claim_verification.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"ba450357-f6ba-4c01-b882-cd99165d9ad5\",\n
+        \             \"bRFqvvLWaBs\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=bRFqvvLWaBs&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=yIKomwM8U1RdBpGPk-INQDbtkF53AGoYQ3MgumaLgqk&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=bRFqvvLWaBs\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=ba450357-f6ba-4c01-b882-cd99165d9ad5; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=ba450357-f6ba-4c01-b882-cd99165d9ad5; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=testuser&password=testuser&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=ba450357-f6ba-4c01-b882-cd99165d9ad5; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=yIKomwM8U1RdBpGPk-INQDbtkF53AGoYQ3MgumaLgqk&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=bRFqvvLWaBs
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/digid-oidc/callback/?state=not-a-random-string&session_state=ba450357-f6ba-4c01-b882-cd99165d9ad5&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=30f02855-9676-442d-bc42-e4f3438d1a02.ba450357-f6ba-4c01-b882-cd99165d9ad5.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY3OTksImlhdCI6MTcxNjQ2MDc5OSwianRpIjoiYzQ0ZTliYzEtMTJkZi00ZWRhLWI1MDYtMmQwZjE1YTE4YWQ3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJzaWQiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJzdGF0ZV9jaGVja2VyIjoiSUlXQzYtREhaNHJHRkhaMnQ2WDJHS3ZsTHBZZHRTaFJHWEdjbHNlSEdlVSJ9.m4XUENhk1SRe2zrfA939BdsNgmS38Y3gPnokGvztWc8;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY3OTksImlhdCI6MTcxNjQ2MDc5OSwianRpIjoiYzQ0ZTliYzEtMTJkZi00ZWRhLWI1MDYtMmQwZjE1YTE4YWQ3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJzaWQiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJzdGF0ZV9jaGVja2VyIjoiSUlXQzYtREhaNHJHRkhaMnQ2WDJHS3ZsTHBZZHRTaFJHWEdjbHNlSEdlVSJ9.m4XUENhk1SRe2zrfA939BdsNgmS38Y3gPnokGvztWc8;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/ba450357-f6ba-4c01-b882-cd99165d9ad5;
+        Version=1; Expires=Thu, 23-May-2024 20:39:59 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/ba450357-f6ba-4c01-b882-cd99165d9ad5;
+        Version=1; Expires=Thu, 23-May-2024 20:39:59 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=30f02855-9676-442d-bc42-e4f3438d1a02.ba450357-f6ba-4c01-b882-cd99165d9ad5.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '273'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjEwOTksImlhdCI6MTcxNjQ2MDc5OSwiYXV0aF90aW1lIjoxNzE2NDYwNzk5LCJqdGkiOiI5NWZkMWNlNi0wNTVmLTQ5NjEtYTBiOS01ZDJlNjJiNGM4NjYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImJhNDUwMzU3LWY2YmEtNGMwMS1iODgyLWNkOTkxNjVkOWFkNSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYmE0NTAzNTctZjZiYS00YzAxLWI4ODItY2Q5OTE2NWQ5YWQ1Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.Ls7yWV_w1sKnyZ3RFYXeZtmEthK9vLvIOyxbV-xQI_oibFp5EnPaHNBx7rQalAEpRQO2kTRW-Q7651ICmVcpGf32vJlib1FFVhgLrbkF0rai1d22vyCZs6Ul008yY1z1h9R62XpxXRZ0DPA5hWYZE39afxrwKNljSGjHjyp2NzNCPI1IJQ2P7TAsKkHFTUpaSpFXBg4xr0iyGPRLC8G1bqokrrSf02uDDD0O8kRdM88A774oD7K-WF8iKLJyjTBRJh8uquNdzPf9dvIaxkBGvmD6GOm3QpNKqXofsTbZhDoD_8xzrfBfraiMjNdu5eGOsgjJxGnscIFOk40PmFpouA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI1OTksImlhdCI6MTcxNjQ2MDc5OSwianRpIjoiZWZmZmVjNDUtNzkxYy00MzQwLTliZDMtMzYwMzFmZDM4OGM5IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUifQ.9etdaVa1dQLzFInp6OesD36bye0LD52K1JLMcTqNCsY","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjEwOTksImlhdCI6MTcxNjQ2MDc5OSwiYXV0aF90aW1lIjoxNzE2NDYwNzk5LCJqdGkiOiJkYzM1Zjk0MS05MDA0LTQwNjYtYWM5MC1lOGI2NjQ1MTUyNGUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJhdF9oYXNoIjoiYTdGVXMzaDdEZ05MRXRSSjVxdklkUSIsImFjciI6IjEiLCJzaWQiOiJiYTQ1MDM1Ny1mNmJhLTRjMDEtYjg4Mi1jZDk5MTY1ZDlhZDUiLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.mP97kvUFJUy_wFRt_Rmlbl-1YKqD4D5hyChQd_TUYszsaBtPpgq_Mul6qj-jcJJAy6ECd5YsngFVmcC_mwC_H5cGcvyWy9-k6h9fge0E7_EUa2kV3m_2yVZUpzqEv_rP2KIIFl0_8ZK8UHwtXrhX5FSpmj-_XLzWLvNrOIzAVRyqErGxNDbTnuTp5Ax-X2qs4hWzhTLcMyGd_1Zyerz3xp1IFTfaPhbHFLnTZRS-H1-PNRU33bRfiNI3YUs3fR5fn8XOUHbnlfZ7Iu_Yh71lYS0pjj3s_CTVtjNXiSlAufepxmpZTJk1OvAyMQaJ5u0tjTeO33rGqgU7wVjVwgJ5TQ","not-before-policy":0,"session_state":"ba450357-f6ba-4c01-b882-cd99165d9ad5","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3475'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjEwOTksImlhdCI6MTcxNjQ2MDc5OSwiYXV0aF90aW1lIjoxNzE2NDYwNzk5LCJqdGkiOiI5NWZkMWNlNi0wNTVmLTQ5NjEtYTBiOS01ZDJlNjJiNGM4NjYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImJhNDUwMzU3LWY2YmEtNGMwMS1iODgyLWNkOTkxNjVkOWFkNSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYmE0NTAzNTctZjZiYS00YzAxLWI4ODItY2Q5OTE2NWQ5YWQ1Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.Ls7yWV_w1sKnyZ3RFYXeZtmEthK9vLvIOyxbV-xQI_oibFp5EnPaHNBx7rQalAEpRQO2kTRW-Q7651ICmVcpGf32vJlib1FFVhgLrbkF0rai1d22vyCZs6Ul008yY1z1h9R62XpxXRZ0DPA5hWYZE39afxrwKNljSGjHjyp2NzNCPI1IJQ2P7TAsKkHFTUpaSpFXBg4xr0iyGPRLC8G1bqokrrSf02uDDD0O8kRdM88A774oD7K-WF8iKLJyjTBRJh8uquNdzPf9dvIaxkBGvmD6GOm3QpNKqXofsTbZhDoD_8xzrfBfraiMjNdu5eGOsgjJxGnscIFOk40PmFpouA
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '714'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml
new file mode 100644
index 0000000000..4cc00716a3
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDCallbackTests/DigiDCallbackTests.test_redirects_after_successful_auth.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"3114bc76-dfd1-46f3-ac41-b9fd1ffcec70\",\n
+        \             \"cB7QKE99Kcg\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=cB7QKE99Kcg&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=VpBSf3lWFq8CtuFRLHFM1heNdmlibKeJxe4ea8vLWKE&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=cB7QKE99Kcg\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=3114bc76-dfd1-46f3-ac41-b9fd1ffcec70; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=3114bc76-dfd1-46f3-ac41-b9fd1ffcec70; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=testuser&password=testuser&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=3114bc76-dfd1-46f3-ac41-b9fd1ffcec70; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=VpBSf3lWFq8CtuFRLHFM1heNdmlibKeJxe4ea8vLWKE&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=cB7QKE99Kcg
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/digid-oidc/callback/?state=not-a-random-string&session_state=3114bc76-dfd1-46f3-ac41-b9fd1ffcec70&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=b5a57e80-99a1-4b15-aa13-a743e3776cb7.3114bc76-dfd1-46f3-ac41-b9fd1ffcec70.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiMTU5NTRjYjMtYjZhZC00ZTNmLTlmMjAtNmQ0OTNiNzJhZGEwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJzaWQiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJzdGF0ZV9jaGVja2VyIjoiWTVVSVl2UkRtVHJUbGpWSGhCVnZRVEFCT3pXbF9qRjhfZ1NJVGh1RkpzUSJ9.i4VqQ0kFz7JgaacFgRLODlfnJ5bIxq5GniTsw8OTAho;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiMTU5NTRjYjMtYjZhZC00ZTNmLTlmMjAtNmQ0OTNiNzJhZGEwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJzaWQiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJzdGF0ZV9jaGVja2VyIjoiWTVVSVl2UkRtVHJUbGpWSGhCVnZRVEFCT3pXbF9qRjhfZ1NJVGh1RkpzUSJ9.i4VqQ0kFz7JgaacFgRLODlfnJ5bIxq5GniTsw8OTAho;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/3114bc76-dfd1-46f3-ac41-b9fd1ffcec70;
+        Version=1; Expires=Thu, 23-May-2024 20:40:00 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/3114bc76-dfd1-46f3-ac41-b9fd1ffcec70;
+        Version=1; Expires=Thu, 23-May-2024 20:40:00 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=b5a57e80-99a1-4b15-aa13-a743e3776cb7.3114bc76-dfd1-46f3-ac41-b9fd1ffcec70.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '273'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiI4MjVjNjA1Yi05MTY0LTQ3NTQtYmJiNy0wZmZkYjI2NmE5ZGEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjMxMTRiYzc2LWRmZDEtNDZmMy1hYzQxLWI5ZmQxZmZjZWM3MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiMzExNGJjNzYtZGZkMS00NmYzLWFjNDEtYjlmZDFmZmNlYzcwIiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.lVo9LCUi_jPabEZ3lwTWwZe9_U0itZnoB-m9dI4qFFeOKq69XfgYWRrmycPiZQmBozDViHXEq9yHICCC09hPmyvReLZ383SOPIXuKRciSZ75JiqXcR_Iq6ZiZcr-vdBquPesH6CicPqsdhkWVf0UrOlUngVtBo74GTzF7rspskl__It_XpvsDbercF9TdkER6Qdcp6WRwZnv2y2JzmmXV7uRwZRw-Oi07pFG_PsU7zGMASZlzoZKeBotdT5ISaom5-TkqNziTjH1dDBwjjyVfbG30aXaYgaHOC8fCwr5ARrWpaWrZy56dy4RHa1IrxIsDXNRvnQ6pKvtAWpQ36HX6w","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiY2QzOWNhMjAtNTc2My00MTkxLThiMjctMDNjMDBhY2U1MjNiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAifQ.423SnnSzqOCTaWXN863pQsezGdNtx2y-xgKWZ7aFFJ8","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiJkMGI4MTIxZC1iNTcyLTQ4MzAtYWY0ZC1lMTI4ZTNkZjZjMGUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJhdF9oYXNoIjoiQzFnS0ZqSml3Um40ZzcwcHM1bWJBUSIsImFjciI6IjEiLCJzaWQiOiIzMTE0YmM3Ni1kZmQxLTQ2ZjMtYWM0MS1iOWZkMWZmY2VjNzAiLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.ZQD07QUSP1C4XjE_MOg05gwEtyMboZeeJ_9ybbOjF4_ZIKS21EPwARV9CVCiuaBaQweoZ3PYmef9EWuHMYQcLE9aoUa5IV5HdPbNJove-TfpSp1PQQVIzRTYw-C1nw3iLtoSx_TtGSOomUXCiqZQplXWN-FwcZL38q1szqzRu5zJ1MryhC8IerWB0qv3DUfwPy1sKDU07ZIKkiJvpoNvmge0ycU_uAoOvaoYGcVu3c6fP_chsBxt7keSV7LrinuMCoigRjxASw6lEkYjV6qqiIXxFBr1gnRHJyc1oGye6Q5HEPJIqjLPeXbRX4pvnUBLqe1blBWnq0TfQ1J_mlEq6A","not-before-policy":0,"session_state":"3114bc76-dfd1-46f3-ac41-b9fd1ffcec70","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3475'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiI4MjVjNjA1Yi05MTY0LTQ3NTQtYmJiNy0wZmZkYjI2NmE5ZGEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjMxMTRiYzc2LWRmZDEtNDZmMy1hYzQxLWI5ZmQxZmZjZWM3MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiMzExNGJjNzYtZGZkMS00NmYzLWFjNDEtYjlmZDFmZmNlYzcwIiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.lVo9LCUi_jPabEZ3lwTWwZe9_U0itZnoB-m9dI4qFFeOKq69XfgYWRrmycPiZQmBozDViHXEq9yHICCC09hPmyvReLZ383SOPIXuKRciSZ75JiqXcR_Iq6ZiZcr-vdBquPesH6CicPqsdhkWVf0UrOlUngVtBo74GTzF7rspskl__It_XpvsDbercF9TdkER6Qdcp6WRwZnv2y2JzmmXV7uRwZRw-Oi07pFG_PsU7zGMASZlzoZKeBotdT5ISaom5-TkqNziTjH1dDBwjjyVfbG30aXaYgaHOC8fCwr5ARrWpaWrZy56dy4RHa1IrxIsDXNRvnQ6pKvtAWpQ36HX6w
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '714'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_idp_availability_check.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_idp_availability_check.yaml
new file mode 100644
index 0000000000..e786ba2dc4
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_idp_availability_check.yaml
@@ -0,0 +1,26 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/i-dont-exist
+  response:
+    body:
+      string: '{"error":"Unable to find matching target resource method"}'
+    headers:
+      Content-Type:
+      - application/json
+      content-length:
+      - '58'
+    status:
+      code: 404
+      message: Not Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_keycloak_idp_hint_is_respected.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_keycloak_idp_hint_is_respected.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_keycloak_idp_hint_is_respected.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDInitTests/DigiDInitTests.test_start_flow_redirects_to_oidc_provider.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDLogoutTests/DigiDLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDLogoutTests/DigiDLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
new file mode 100644
index 0000000000..62cbec7e9c
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDLogoutTests/DigiDLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
@@ -0,0 +1,727 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"1091d9c2-bcce-4411-b721-7d5510258857\",\n
+        \             \"cDmFQs-WOzw\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=cDmFQs-WOzw&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=Ysrav870fVEtnC_GiQA2qPtU7gLvuDz6BWoq2Ey6Tmo&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=cDmFQs-WOzw\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=1091d9c2-bcce-4411-b721-7d5510258857; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=1091d9c2-bcce-4411-b721-7d5510258857; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=testuser&password=testuser&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=1091d9c2-bcce-4411-b721-7d5510258857; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=Ysrav870fVEtnC_GiQA2qPtU7gLvuDz6BWoq2Ey6Tmo&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=cDmFQs-WOzw
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/digid-oidc/callback/?state=not-a-random-string&session_state=1091d9c2-bcce-4411-b721-7d5510258857&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=4b831994-466a-4efb-895d-192c4a0d61e0.1091d9c2-bcce-4411-b721-7d5510258857.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNGJiYmI2ZDYtZDA0NS00NjFjLThiZTMtMDk0MTExZWFhZjQyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzdGF0ZV9jaGVja2VyIjoiWm9QMEc0aDFlNmZkYUtiWTVqYXpsTE9PZ3hZYzJ6RXppNlVxMVByMmtwbyJ9.KTq3mw_EdHMWrrCSIZJr83TzGB0O-5-JAc2F9EgfnN0;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNGJiYmI2ZDYtZDA0NS00NjFjLThiZTMtMDk0MTExZWFhZjQyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzdGF0ZV9jaGVja2VyIjoiWm9QMEc0aDFlNmZkYUtiWTVqYXpsTE9PZ3hZYzJ6RXppNlVxMVByMmtwbyJ9.KTq3mw_EdHMWrrCSIZJr83TzGB0O-5-JAc2F9EgfnN0;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1091d9c2-bcce-4411-b721-7d5510258857;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1091d9c2-bcce-4411-b721-7d5510258857;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=1091d9c2-bcce-4411-b721-7d5510258857; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNGJiYmI2ZDYtZDA0NS00NjFjLThiZTMtMDk0MTExZWFhZjQyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzdGF0ZV9jaGVja2VyIjoiWm9QMEc0aDFlNmZkYUtiWTVqYXpsTE9PZ3hZYzJ6RXppNlVxMVByMmtwbyJ9.KTq3mw_EdHMWrrCSIZJr83TzGB0O-5-JAc2F9EgfnN0;
+        KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1091d9c2-bcce-4411-b721-7d5510258857
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Location:
+      - http://testserver/digid-oidc/callback/?state=not-a-random-string&session_state=1091d9c2-bcce-4411-b721-7d5510258857&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=b41690e3-70b9-4d9f-b298-301c50a1c224.1091d9c2-bcce-4411-b721-7d5510258857.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiYjcxZmFhNzQtOTI3Yy00MDQyLWFhOWUtMjU4NTc1ZjIyOGVhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzdGF0ZV9jaGVja2VyIjoiWm9QMEc0aDFlNmZkYUtiWTVqYXpsTE9PZ3hZYzJ6RXppNlVxMVByMmtwbyJ9.-ddPZrhtYlgeq1Ad8r7RXBPcZbNgn92EpCAS55FR0Jk;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiYjcxZmFhNzQtOTI3Yy00MDQyLWFhOWUtMjU4NTc1ZjIyOGVhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzdGF0ZV9jaGVja2VyIjoiWm9QMEc0aDFlNmZkYUtiWTVqYXpsTE9PZ3hZYzJ6RXppNlVxMVByMmtwbyJ9.-ddPZrhtYlgeq1Ad8r7RXBPcZbNgn92EpCAS55FR0Jk;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1091d9c2-bcce-4411-b721-7d5510258857;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1091d9c2-bcce-4411-b721-7d5510258857;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=b41690e3-70b9-4d9f-b298-301c50a1c224.1091d9c2-bcce-4411-b721-7d5510258857.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '273'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiIxMWExMTQ5YS05YTVmLTQwMTAtOWM3My0wOTk2NWU4ZmU1MjciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjEwOTFkOWMyLWJjY2UtNDQxMS1iNzIxLTdkNTUxMDI1ODg1NyIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiMTA5MWQ5YzItYmNjZS00NDExLWI3MjEtN2Q1NTEwMjU4ODU3Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.n7J_SNIHKnkH71MCKRXxLl-n1ezrHGBzkhRmxeNKiDiln21BdBJ9Jz-2PUXqbCce_Ekt-pxNPzV6toCKuHYfwoX6vgvh0djjooh4N0XO-lvx9MYHskfQInrr3Ij09Pv1EHma1RQDrYMB8bRjt8DU3xLXmlDsp3CGvm8DBk6-6t1zAR9ZKYFRDOQirGYUnpAXj-ItagBiKRxPsymLSMCCcRZqu-yea9gYk-7fMZVdqempfZ3WypRXSU-zCwg9ldREwRE5GHEQg8O-rZyC6uv9WQ6UEiKhqKeKhWlvUbnk3NGUF_qUsstOTNDA3_6565rKId9d5ji0WhvyT05DgmiHeA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNWU0NWFlMmUtZTkwMC00NDc4LTkzYjItZThjYmE5NDU3MTEzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTcifQ.yZWH4RA-kzIxGSRs4oCd_a5zMGFe-wM0buFzzDLh2iM","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiJjOTlmYWEzMi0wY2JkLTQ1MGEtOTg4Zi0xZjcxOTRmNTg1OTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJhdF9oYXNoIjoiYlBEQ0lPcktfMDRTcDZsREdRUE8wUSIsImFjciI6IjAiLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.gd-LkgxZsEOvVawJO-o8VpWGYLt5K00YVlJZjHlMBp1h-f8ErBTN1ijCkTWPEWbu7e8FN-UBBb02atxvdSBZNHNgwkawsyS0SVgKUzsRnH1fAOwsF4hlZDBVIJEmemWBMrf82qWYJ8FMA9sKL0aFUI9U5FaslwT8ywQMIIZYeymbbeIcFFID68-uVnhuJV2mB57BZgNsTc9iD3c70LZ8X0jfw63r_XLBYBvR11OMPRxsF0bwMtsdlxqrdrQemUYzrK6lBfZaPlBUuKMuIw7WBozgIq9G7VOGgreKr68lLDt0OAiaIQvt6v2R-1i2VSgywicc1M0oakVp1LBvCo31ug","not-before-policy":0,"session_state":"1091d9c2-bcce-4411-b721-7d5510258857","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3475'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiIxMWExMTQ5YS05YTVmLTQwMTAtOWM3My0wOTk2NWU4ZmU1MjciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjEwOTFkOWMyLWJjY2UtNDQxMS1iNzIxLTdkNTUxMDI1ODg1NyIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiMTA5MWQ5YzItYmNjZS00NDExLWI3MjEtN2Q1NTEwMjU4ODU3Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.n7J_SNIHKnkH71MCKRXxLl-n1ezrHGBzkhRmxeNKiDiln21BdBJ9Jz-2PUXqbCce_Ekt-pxNPzV6toCKuHYfwoX6vgvh0djjooh4N0XO-lvx9MYHskfQInrr3Ij09Pv1EHma1RQDrYMB8bRjt8DU3xLXmlDsp3CGvm8DBk6-6t1zAR9ZKYFRDOQirGYUnpAXj-ItagBiKRxPsymLSMCCcRZqu-yea9gYk-7fMZVdqempfZ3WypRXSU-zCwg9ldREwRE5GHEQg8O-rZyC6uv9WQ6UEiKhqKeKhWlvUbnk3NGUF_qUsstOTNDA3_6565rKId9d5ji0WhvyT05DgmiHeA
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '714'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiJjOTlmYWEzMi0wY2JkLTQ1MGEtOTg4Zi0xZjcxOTRmNTg1OTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJhdF9oYXNoIjoiYlBEQ0lPcktfMDRTcDZsREdRUE8wUSIsImFjciI6IjAiLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.gd-LkgxZsEOvVawJO-o8VpWGYLt5K00YVlJZjHlMBp1h-f8ErBTN1ijCkTWPEWbu7e8FN-UBBb02atxvdSBZNHNgwkawsyS0SVgKUzsRnH1fAOwsF4hlZDBVIJEmemWBMrf82qWYJ8FMA9sKL0aFUI9U5FaslwT8ywQMIIZYeymbbeIcFFID68-uVnhuJV2mB57BZgNsTc9iD3c70LZ8X0jfw63r_XLBYBvR11OMPRxsF0bwMtsdlxqrdrQemUYzrK6lBfZaPlBUuKMuIw7WBozgIq9G7VOGgreKr68lLDt0OAiaIQvt6v2R-1i2VSgywicc1M0oakVp1LBvCo31ug
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '1132'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/logout
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       You are logged out\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n    <div id=\"kc-info-message\">\n
+        \       <p class=\"instruction\">You are logged out</p>\n    </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=472c01fb-4bd5-433e-b225-11803819980e; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=472c01fb-4bd5-433e-b225-11803819980e; Version=1; Path=/realms/test/;
+        HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1566'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=1091d9c2-bcce-4411-b721-7d5510258857; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI;
+        KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiYjcxZmFhNzQtOTI3Yy00MDQyLWFhOWUtMjU4NTc1ZjIyOGVhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzaWQiOiIxMDkxZDljMi1iY2NlLTQ0MTEtYjcyMS03ZDU1MTAyNTg4NTciLCJzdGF0ZV9jaGVja2VyIjoiWm9QMEc0aDFlNmZkYUtiWTVqYXpsTE9PZ3hZYzJ6RXppNlVxMVByMmtwbyJ9.-ddPZrhtYlgeq1Ad8r7RXBPcZbNgn92EpCAS55FR0Jk;
+        KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/1091d9c2-bcce-4411-b721-7d5510258857
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"c54b1176-9247-4ec7-a196-fe68c22b633c\",\n
+        \             \"UGbD7h6RlFo\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=UGbD7h6RlFo&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=T2x987QorGuy_613VFDMj80OoCHwwjDwXlbitASSgFo&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=UGbD7h6RlFo\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - AUTH_SESSION_ID=c54b1176-9247-4ec7-a196-fe68c22b633c; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=c54b1176-9247-4ec7-a196-fe68c22b633c; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGJzbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZGlnaWQtb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.HScBoNNJvmVcGQXpymd_ftVGkGUJBQnuwqgk59VJnYI;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml
new file mode 100644
index 0000000000..2b86cf7a33
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_digid_error_reported_for_cancelled_login_anon_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/digid-machtigen-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml
new file mode 100644
index 0000000000..2b86cf7a33
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_digid_error_reported_for_cancelled_login_with_staff_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/digid-machtigen-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_failing_claim_verification.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_failing_claim_verification.yaml
new file mode 100644
index 0000000000..d4b7b149ca
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_failing_claim_verification.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"c36a7a4e-36d6-42b0-af35-87a487b825df\",\n
+        \             \"XD0LfW4IC8Q\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=XD0LfW4IC8Q&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=F25xxo0mG99QQNJwNaKK6MM07ElvgvzN8ohn0r81PwU&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=XD0LfW4IC8Q\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=c36a7a4e-36d6-42b0-af35-87a487b825df; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=c36a7a4e-36d6-42b0-af35-87a487b825df; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=digid-machtigen&password=digid-machtigen&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '77'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=c36a7a4e-36d6-42b0-af35-87a487b825df; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=F25xxo0mG99QQNJwNaKK6MM07ElvgvzN8ohn0r81PwU&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=XD0LfW4IC8Q
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/digid-machtigen-oidc/callback/?state=not-a-random-string&session_state=c36a7a4e-36d6-42b0-af35-87a487b825df&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=629ab4a2-6315-45b2-9a2f-decfdcca7703.c36a7a4e-36d6-42b0-af35-87a487b825df.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiYjgzMTIxNWItMDkxNC00ODRkLTkzZmUtZmI5M2NjYzQwNjk2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJzaWQiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJzdGF0ZV9jaGVja2VyIjoiZlFuaWhYMWNvaUxna3VLWmZVWEV2ZVd1NmcwNW1fMDN6eDhHME4tMnpTQSJ9.viTfeSTzPDofSn-dy4CqDDqgMNCabB1uq-lhdt0T9ws;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiYjgzMTIxNWItMDkxNC00ODRkLTkzZmUtZmI5M2NjYzQwNjk2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJzaWQiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJzdGF0ZV9jaGVja2VyIjoiZlFuaWhYMWNvaUxna3VLWmZVWEV2ZVd1NmcwNW1fMDN6eDhHME4tMnpTQSJ9.viTfeSTzPDofSn-dy4CqDDqgMNCabB1uq-lhdt0T9ws;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/c36a7a4e-36d6-42b0-af35-87a487b825df;
+        Version=1; Expires=Thu, 23-May-2024 20:40:00 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/c36a7a4e-36d6-42b0-af35-87a487b825df;
+        Version=1; Expires=Thu, 23-May-2024 20:40:00 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=629ab4a2-6315-45b2-9a2f-decfdcca7703.c36a7a4e-36d6-42b0-af35-87a487b825df.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '283'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiI1ZWY1ZDNhNS1kZTk0LTRlNDYtOTJhOS05NTlkMzE3YzcxMzQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImMzNmE3YTRlLTM2ZDYtNDJiMC1hZjM1LTg3YTQ4N2I4MjVkZiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYzM2YTdhNGUtMzZkNi00MmIwLWFmMzUtODdhNDg3YjgyNWRmIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJnZW1hY2h0aWdkZS5ic24iOiI5OTk5OTk5OTkiLCJhYW52cmFnZXIuYnNuIjoiMDAwMDAwMDAwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGlnaWQtbWFjaHRpZ2VuIn0.W8Sb9nC6j-wMw7omQOjy28t4GhMnUVSczpoOLW8Bcd-4jWCJBYSGwGBWQ-Qdg7JP8N-OTdfRfEfbE9U6cPFvld74Rh-sdmNf-bqLpYzdYy1NWIBGnQs0SRLuCmXmk4CZEFKnYb1e4aaxnk5uqitpWbafZclPQ-T4cCJ25S3oL17RRzIU_3SWIJo9FeCJTG9WzCYf-MhmGu411RZ9sU08Zzo7eE0poLXlyiHndTlqCt9vSIpfeZ6PeFzNdUR_QVE3zZzPYAWRI21u2eliV_56ia6-Vfy2xqopZ5z3JABgT2oMgSdf_E5KGvnPfxbymLMGNmoBZIh6MF77g6Ue9r0yWg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiZWVmZGVlMGYtNDliMS00YzNhLThmMmQtYTY3NjdkNjNjMGM1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYifQ.UmYlfwf-rKrW0Su6luARcWH0lxURiflsSFn-ZJA9IfE","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiIxMDk5NDc5Zi0zM2RhLTQ1ZjktOWJiMC1jNTMzYjZjODM5Y2YiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJhdF9oYXNoIjoiNGtId1hjX0FSZFZsOExkTF91dzlKQSIsImFjciI6IjEiLCJzaWQiOiJjMzZhN2E0ZS0zNmQ2LTQyYjAtYWYzNS04N2E0ODdiODI1ZGYiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.gCEPEYxAAs4GRIdI0ymx-mpt8jmu7B8nymTwkSJBSUYWHknuxn8OL2btJL1EoaF3EqGS6VSlzZ4Yw5lMAqxlm077GUyhSMt6yOhs0afm2NDPa688OlihOvkuuRURcpZzPQfeNvKQbJta-zSWzZz0pCvTv0o5ir7SJgohMGmwfYI0lt4m75UGX_tqdI_ojVzJT7TTMmq9VzvVWVCn032SLH_IeDxuhnyJcbDpk3gII0gRPEArp0ATFdDHvUFqD1uCpulj7NLZyflB42fcGh41JqDexbKLfg_4uT85RtKh1npIPW3_TtxsGaryJGH89tWLkXnMaVdM7uOu9VZ2wCv5Xg","not-before-policy":0,"session_state":"c36a7a4e-36d6-42b0-af35-87a487b825df","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3553'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiI1ZWY1ZDNhNS1kZTk0LTRlNDYtOTJhOS05NTlkMzE3YzcxMzQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImMzNmE3YTRlLTM2ZDYtNDJiMC1hZjM1LTg3YTQ4N2I4MjVkZiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYzM2YTdhNGUtMzZkNi00MmIwLWFmMzUtODdhNDg3YjgyNWRmIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJnZW1hY2h0aWdkZS5ic24iOiI5OTk5OTk5OTkiLCJhYW52cmFnZXIuYnNuIjoiMDAwMDAwMDAwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGlnaWQtbWFjaHRpZ2VuIn0.W8Sb9nC6j-wMw7omQOjy28t4GhMnUVSczpoOLW8Bcd-4jWCJBYSGwGBWQ-Qdg7JP8N-OTdfRfEfbE9U6cPFvld74Rh-sdmNf-bqLpYzdYy1NWIBGnQs0SRLuCmXmk4CZEFKnYb1e4aaxnk5uqitpWbafZclPQ-T4cCJ25S3oL17RRzIU_3SWIJo9FeCJTG9WzCYf-MhmGu411RZ9sU08Zzo7eE0poLXlyiHndTlqCt9vSIpfeZ6PeFzNdUR_QVE3zZzPYAWRI21u2eliV_56ia6-Vfy2xqopZ5z3JABgT2oMgSdf_E5KGvnPfxbymLMGNmoBZIh6MF77g6Ue9r0yWg
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.o49__EZYqQIn8ctrG7GKzzNx1fxyOQHbpxnIeT-swLVZNgP04xGwI-hcycw1Okb6CuRUjzsrXzI1gLzmUE2pFcpIbCkKBJuoeShH1rgiRXezcUDo8b0vDMyBrHwjrv3E8bCOJ8yI5bR4qBXR6uZDyY9ZrZLoWYyYz4f1ws6TNa3FBtVvx6j171tw14_V85jlLICOwTPFYqyQ8884n2-s4blRyVQgIl1X9fbziOsRRshsbwnh3Ldct-8wrW218Bnw_HKklxfoDj13w6xm39U0JLWb3wz9rLmfRPAuGffHEIePigCTy0NmObKWNqN7MyI2mEJf9h8cIRqgV4zVXYn_YQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '753'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_redirects_after_successful_auth.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_redirects_after_successful_auth.yaml
new file mode 100644
index 0000000000..800a32a787
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenCallbackTests/DigiDMachtigenCallbackTests.test_redirects_after_successful_auth.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"8f3e71c1-4fcb-4660-8b90-d178424cebb5\",\n
+        \             \"dEaqEGOtJ7c\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=dEaqEGOtJ7c&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=6CMvQ6zDcHRkQqbwqom5M7cyjlBFNUQj29VLQ2PKwqo&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=dEaqEGOtJ7c\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=8f3e71c1-4fcb-4660-8b90-d178424cebb5; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=8f3e71c1-4fcb-4660-8b90-d178424cebb5; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=digid-machtigen&password=digid-machtigen&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '77'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=8f3e71c1-4fcb-4660-8b90-d178424cebb5; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=6CMvQ6zDcHRkQqbwqom5M7cyjlBFNUQj29VLQ2PKwqo&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=dEaqEGOtJ7c
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/digid-machtigen-oidc/callback/?state=not-a-random-string&session_state=8f3e71c1-4fcb-4660-8b90-d178424cebb5&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=13ee42f0-cb33-4ce2-a1e0-2ef27746c7c0.8f3e71c1-4fcb-4660-8b90-d178424cebb5.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMzMzOTIsImlhdCI6MTcxODE5NzM5MiwianRpIjoiNzc2OTY5MDUtM2M2NS00ZjhkLTlmN2QtYTcxOTFhZWQ1MzkyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJzaWQiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJzdGF0ZV9jaGVja2VyIjoibWdxdE1hbG9kbzF4UzQ1QkNURHNvTDFkMHktdWVGSG5pSmhjdnJGUVdwZyJ9.TuFh8PHlxLKBcZXvYoW70DwyjI9gQiD7hFBbWwQ2leU;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMzMzOTIsImlhdCI6MTcxODE5NzM5MiwianRpIjoiNzc2OTY5MDUtM2M2NS00ZjhkLTlmN2QtYTcxOTFhZWQ1MzkyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJzaWQiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJzdGF0ZV9jaGVja2VyIjoibWdxdE1hbG9kbzF4UzQ1QkNURHNvTDFkMHktdWVGSG5pSmhjdnJGUVdwZyJ9.TuFh8PHlxLKBcZXvYoW70DwyjI9gQiD7hFBbWwQ2leU;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/8f3e71c1-4fcb-4660-8b90-d178424cebb5;
+        Version=1; Expires=Wed, 12-Jun-2024 23:03:12 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/8f3e71c1-4fcb-4660-8b90-d178424cebb5;
+        Version=1; Expires=Wed, 12-Jun-2024 23:03:12 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=13ee42f0-cb33-4ce2-a1e0-2ef27746c7c0.8f3e71c1-4fcb-4660-8b90-d178424cebb5.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '283'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgxOTc2OTIsImlhdCI6MTcxODE5NzM5MiwiYXV0aF90aW1lIjoxNzE4MTk3MzkyLCJqdGkiOiIyMjg3YWNkMy1mOGI5LTRkOGEtYjBlOS05YThkYmU5ZmEyZWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjhmM2U3MWMxLTRmY2ItNDY2MC04YjkwLWQxNzg0MjRjZWJiNSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjhmM2U3MWMxLTRmY2ItNDY2MC04YjkwLWQxNzg0MjRjZWJiNSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwic2VydmljZV9pZCI6ImIxOGRkNzNmLTNkY2EtNGI2Ny1hNGZiLTA2Y2I0ZWJiZTJlYiIsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImdyb3VwcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.NtRFCj5l1Dx5EMaioY6WStp2-UDmEv3gYJFnoPT_KVRifI6luWWOvxlBkJUe_FxsO5tLi80kwSUZ74TKPkMTeA6ql0TAZDKznn6UlwR1fyl4ILtSSwzBFSgE8fhAugnho8hriLxHS288DSCLbnebzCUhacypOJW1LSXqnO8KPfoShG2wJZjxlOfdmaZiWI2-ruvswzA-qDPxYkqR5qEp-ns8zKUY1KL5g_Xc_8zKiiVksR9LISe6B7UKie3CgXnrwxyxPjjYanQAHBbuB5UfExCfTl37lg3uO6ypKcXF2HTkKYxxYaYLhgKTcdqzSSjrwAWC-QsHqGhIXL-lA08IiA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgxOTkxOTIsImlhdCI6MTcxODE5NzM5MiwianRpIjoiMTM2MmY0NjYtNjg2ZC00YmEwLTk4NGYtNzE4MDA3MmIxNDI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiOGYzZTcxYzEtNGZjYi00NjYwLThiOTAtZDE3ODQyNGNlYmI1In0.a-mNtQ8M9vn6pan33p24XFZjdQeVGOxRigi-L6o3K7c","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgxOTc2OTIsImlhdCI6MTcxODE5NzM5MiwiYXV0aF90aW1lIjoxNzE4MTk3MzkyLCJqdGkiOiJhMmZmYWI1Yy1jYWFhLTQxNDUtYjU3Mi04NTdlZGQxODgwMDciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJhdF9oYXNoIjoiRDlpckd4eGF2ekExd3ZFZnNSeVZidyIsImFjciI6IjEiLCJzaWQiOiI4ZjNlNzFjMS00ZmNiLTQ2NjAtOGI5MC1kMTc4NDI0Y2ViYjUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInNlcnZpY2VfaWQiOiJiMThkZDczZi0zZGNhLTRiNjctYTRmYi0wNmNiNGViYmUyZWIiLCJnZW1hY2h0aWdkZS5ic24iOiI5OTk5OTk5OTkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJhYW52cmFnZXIuYnNuIjoiMDAwMDAwMDAwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGlnaWQtbWFjaHRpZ2VuIn0.pkeNAzhUvqteF-mZka8NHpXd7TMnWmsnbLXzx4T6WEYSQhcDw4bTKGPGscfWjqo2RoiLPPX0R0B4Zcfv6J2LhaDPeYl2Whw_tpiVpNkspFFSLuBVx8J2LeirQtXrxOwk4Hx1sgYFusD7XpWNOYKlSuoIlMeTjPsDqa_ulrbeBmCvwdK0Au_x4izYVKPSjf7hu9QvCueo2owAJ0zrkNzOZpuSGNCyaRyjqDm2hUKcxnRSMHrYD61i8gmMH6Hw4jVT6ss80WZJ5OmQBna5YrNrHEgD9e5Dg3110O_nP1uGrWf-dZvByezuBVIfnYDEHJiTbtkkkE9wR5MwESruB5at_Q","not-before-policy":0,"session_state":"8f3e71c1-4fcb-4660-8b90-d178424cebb5","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3901'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgxOTc2OTIsImlhdCI6MTcxODE5NzM5MiwiYXV0aF90aW1lIjoxNzE4MTk3MzkyLCJqdGkiOiIyMjg3YWNkMy1mOGI5LTRkOGEtYjBlOS05YThkYmU5ZmEyZWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjhmM2U3MWMxLTRmY2ItNDY2MC04YjkwLWQxNzg0MjRjZWJiNSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjhmM2U3MWMxLTRmY2ItNDY2MC04YjkwLWQxNzg0MjRjZWJiNSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwic2VydmljZV9pZCI6ImIxOGRkNzNmLTNkY2EtNGI2Ny1hNGZiLTA2Y2I0ZWJiZTJlYiIsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImdyb3VwcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.NtRFCj5l1Dx5EMaioY6WStp2-UDmEv3gYJFnoPT_KVRifI6luWWOvxlBkJUe_FxsO5tLi80kwSUZ74TKPkMTeA6ql0TAZDKznn6UlwR1fyl4ILtSSwzBFSgE8fhAugnho8hriLxHS288DSCLbnebzCUhacypOJW1LSXqnO8KPfoShG2wJZjxlOfdmaZiWI2-ruvswzA-qDPxYkqR5qEp-ns8zKUY1KL5g_Xc_8zKiiVksR9LISe6B7UKie3CgXnrwxyxPjjYanQAHBbuB5UfExCfTl37lg3uO6ypKcXF2HTkKYxxYaYLhgKTcdqzSSjrwAWC-QsHqGhIXL-lA08IiA
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInNlcnZpY2VfaWQiOiJiMThkZDczZi0zZGNhLTRiNjctYTRmYi0wNmNiNGViYmUyZWIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJnZW1hY2h0aWdkZS5ic24iOiI5OTk5OTk5OTkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJhYW52cmFnZXIuYnNuIjoiMDAwMDAwMDAwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGlnaWQtbWFjaHRpZ2VuIn0.blFPktS9rVX0fSXLqkNGT3UciAHQ5EKKqk_JK2qQ5D6Wlj6TC6BI7s5OLiTjMMXyLUOXZmfR__0_kEJBx3Em9_mM3_QTNrQvErY2yYLszx5CZnAJjp-PXKfh7pgeqFCpeYkr-pM0h13IvuqhCtqGgVHZCHg2M3k7yoHz7mqIwD1wY3XnS8gP6P6YcBO0FIgxS2sc8J3qhqhxMZQxs94yFTpSt0iiYZiCUmc72iQOH3KtdJIEvJl3Xa6AnYPqG95PdVtuRVRN0ap2ZOMZ5wK3qVW0yIBQTbpMLRl1lcXSrWsCyAcSjZG7rSzkU9dkroZUumbO45uDiJdb1GMasIyBEQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '914'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_idp_availability_check.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_idp_availability_check.yaml
new file mode 100644
index 0000000000..e786ba2dc4
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_idp_availability_check.yaml
@@ -0,0 +1,26 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/i-dont-exist
+  response:
+    body:
+      string: '{"error":"Unable to find matching target resource method"}'
+    headers:
+      Content-Type:
+      - application/json
+      content-length:
+      - '58'
+    status:
+      code: 404
+      message: Not Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_keycloak_idp_hint_is_respected.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_keycloak_idp_hint_is_respected.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_keycloak_idp_hint_is_respected.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_start_flow_redirects_to_oidc_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_start_flow_redirects_to_oidc_provider.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenInitTests/DigiDMachtigenInitTests.test_start_flow_redirects_to_oidc_provider.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenLogoutTests/DigiDMachtigenLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenLogoutTests/DigiDMachtigenLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
new file mode 100644
index 0000000000..2c4de37fd9
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/DigiDMachtigenLogoutTests/DigiDMachtigenLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
@@ -0,0 +1,727 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"f81002bb-ea5e-4439-9a22-c2a573783986\",\n
+        \             \"1A_wSCIsnrw\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=1A_wSCIsnrw&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=YsMJJfYRlkMqfg7BM9x5BGxQfaUK8YXSLynnsGrg_Rc&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=1A_wSCIsnrw\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=f81002bb-ea5e-4439-9a22-c2a573783986; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=f81002bb-ea5e-4439-9a22-c2a573783986; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=digid-machtigen&password=digid-machtigen&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '77'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=f81002bb-ea5e-4439-9a22-c2a573783986; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=YsMJJfYRlkMqfg7BM9x5BGxQfaUK8YXSLynnsGrg_Rc&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=1A_wSCIsnrw
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/digid-machtigen-oidc/callback/?state=not-a-random-string&session_state=f81002bb-ea5e-4439-9a22-c2a573783986&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=a31fe888-300d-44d1-b48e-4b2e60c52064.f81002bb-ea5e-4439-9a22-c2a573783986.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNzUxYWJlNzUtMjliNS00ZGZiLWJlZWMtODAyZWEwMTZiZmI3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzdGF0ZV9jaGVja2VyIjoib2ZfM1dKck01UzZkU3JESHJWT2Ztall3ZHgtbHlPWDRpa0cweFRma0xYbyJ9.09qPIXCSix1bOHLQvbsEiBUb9ySV1SktTqMUJ9IA1u4;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNzUxYWJlNzUtMjliNS00ZGZiLWJlZWMtODAyZWEwMTZiZmI3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzdGF0ZV9jaGVja2VyIjoib2ZfM1dKck01UzZkU3JESHJWT2Ztall3ZHgtbHlPWDRpa0cweFRma0xYbyJ9.09qPIXCSix1bOHLQvbsEiBUb9ySV1SktTqMUJ9IA1u4;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/f81002bb-ea5e-4439-9a22-c2a573783986;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/f81002bb-ea5e-4439-9a22-c2a573783986;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=f81002bb-ea5e-4439-9a22-c2a573783986; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiNzUxYWJlNzUtMjliNS00ZGZiLWJlZWMtODAyZWEwMTZiZmI3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzdGF0ZV9jaGVja2VyIjoib2ZfM1dKck01UzZkU3JESHJWT2Ztall3ZHgtbHlPWDRpa0cweFRma0xYbyJ9.09qPIXCSix1bOHLQvbsEiBUb9ySV1SktTqMUJ9IA1u4;
+        KEYCLOAK_SESSION_LEGACY=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/f81002bb-ea5e-4439-9a22-c2a573783986
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Location:
+      - http://testserver/digid-machtigen-oidc/callback/?state=not-a-random-string&session_state=f81002bb-ea5e-4439-9a22-c2a573783986&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=8a0feebb-483f-4e3a-aab3-72ca24ff10fc.f81002bb-ea5e-4439-9a22-c2a573783986.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiOTg4NDdjMDAtYjM3Ny00OTNkLWFlOWItNzU4ZTdhOTgxMThiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzdGF0ZV9jaGVja2VyIjoib2ZfM1dKck01UzZkU3JESHJWT2Ztall3ZHgtbHlPWDRpa0cweFRma0xYbyJ9.BXeZkKDXi8_1y5BMHBoHAv4fUROc-Bt2fvwATjjxG9A;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiOTg4NDdjMDAtYjM3Ny00OTNkLWFlOWItNzU4ZTdhOTgxMThiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzdGF0ZV9jaGVja2VyIjoib2ZfM1dKck01UzZkU3JESHJWT2Ztall3ZHgtbHlPWDRpa0cweFRma0xYbyJ9.BXeZkKDXi8_1y5BMHBoHAv4fUROc-Bt2fvwATjjxG9A;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/f81002bb-ea5e-4439-9a22-c2a573783986;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/f81002bb-ea5e-4439-9a22-c2a573783986;
+        Version=1; Expires=Thu, 23-May-2024 20:40:02 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=8a0feebb-483f-4e3a-aab3-72ca24ff10fc.f81002bb-ea5e-4439-9a22-c2a573783986.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '283'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiI2ZmQzNTEyNS03NzQzLTRkOWEtYWNjNS0xMWVmODhkM2MxODMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImY4MTAwMmJiLWVhNWUtNDQzOS05YTIyLWMyYTU3Mzc4Mzk4NiIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiZjgxMDAyYmItZWE1ZS00NDM5LTlhMjItYzJhNTczNzgzOTg2IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJnZW1hY2h0aWdkZS5ic24iOiI5OTk5OTk5OTkiLCJhYW52cmFnZXIuYnNuIjoiMDAwMDAwMDAwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGlnaWQtbWFjaHRpZ2VuIn0.JN_G-BYrqgbyP_gxGhtlVTDEOc-cqSeLfzLQwDFDnxt2wGNKXbDGvtbscujaEQM8jr0D7Ch3JrBg-dj6vyrSVSZDS7byvq7WcprJTbEA4D6ds3S5haTRnf1HriqCX19mLJYe_F4h5i3MHc2eG2W1qUh1L5Df4ve4_j0ckpnzVAtDeJ3DIw5liyG4raxQ5cF7xgVgfTarPkoJvnP-Bu8Lc4WG1pm6yb1eROGhZF-B8Kf10yxBLpu7bNnYxVbzAem-8zthnM8ny6RccqOIbZE_pz1cOOFqdg_9fVkvB6W5PkbEDahg9mVqlfH8ff6KKPgSB0J_1f-__0kiWqBPcY0h0Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiMGE2ZGZmOTAtODc1Ni00OTZiLTkzNWQtYmYxNDBlYWUwMmYzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYifQ.cBuveTYRN8Ic_ziO9nuvFgHAUi3EyBGiOml0zvPXgo4","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiI0Njg2YTIxMS04ZDc0LTRhMmYtOTkyYi00MDhlMzJjZjdmOGYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJhdF9oYXNoIjoibkx4M21sbUNuYnRKSjBoZ24xMjVrQSIsImFjciI6IjAiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.q0jDrz6NUPvaBzoJ-Kgygo4-kW_YFau77jKtxdvjwtrrLzRXKIK7t5s_O50XrdTb4e6a_Rmf48BzlurYbEPbhyEIit2mOoXyEKr_XoQuMDfO91pmhOCwyX-YBs7SMltTgqWcVi99bdFgvskxo9iusjWlcy0pp43LRtGrJZK5_GVvN5ApAwsWGjJ6v0gXka6xYZcsoxPcVfBUffApy_Slxfd3M1XH9m0oITSUPoWsOSja5lBEmNOeMhkXU3EGNSW9-Pwit2bWr9-fAYDO5lj0oZsQwVZHcROf35-_-1X-xH6in4f2CUGgaGB3ox3z9HtklfddmapyMU6VLMgbddZLfw","not-before-policy":0,"session_state":"f81002bb-ea5e-4439-9a22-c2a573783986","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3553'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiI2ZmQzNTEyNS03NzQzLTRkOWEtYWNjNS0xMWVmODhkM2MxODMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImY4MTAwMmJiLWVhNWUtNDQzOS05YTIyLWMyYTU3Mzc4Mzk4NiIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiZjgxMDAyYmItZWE1ZS00NDM5LTlhMjItYzJhNTczNzgzOTg2IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJnZW1hY2h0aWdkZS5ic24iOiI5OTk5OTk5OTkiLCJhYW52cmFnZXIuYnNuIjoiMDAwMDAwMDAwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGlnaWQtbWFjaHRpZ2VuIn0.JN_G-BYrqgbyP_gxGhtlVTDEOc-cqSeLfzLQwDFDnxt2wGNKXbDGvtbscujaEQM8jr0D7Ch3JrBg-dj6vyrSVSZDS7byvq7WcprJTbEA4D6ds3S5haTRnf1HriqCX19mLJYe_F4h5i3MHc2eG2W1qUh1L5Df4ve4_j0ckpnzVAtDeJ3DIw5liyG4raxQ5cF7xgVgfTarPkoJvnP-Bu8Lc4WG1pm6yb1eROGhZF-B8Kf10yxBLpu7bNnYxVbzAem-8zthnM8ny6RccqOIbZE_pz1cOOFqdg_9fVkvB6W5PkbEDahg9mVqlfH8ff6KKPgSB0J_1f-__0kiWqBPcY0h0Q
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.o49__EZYqQIn8ctrG7GKzzNx1fxyOQHbpxnIeT-swLVZNgP04xGwI-hcycw1Okb6CuRUjzsrXzI1gLzmUE2pFcpIbCkKBJuoeShH1rgiRXezcUDo8b0vDMyBrHwjrv3E8bCOJ8yI5bR4qBXR6uZDyY9ZrZLoWYyYz4f1ws6TNa3FBtVvx6j171tw14_V85jlLICOwTPFYqyQ8884n2-s4blRyVQgIl1X9fbziOsRRshsbwnh3Ldct-8wrW218Bnw_HKklxfoDj13w6xm39U0JLWb3wz9rLmfRPAuGffHEIePigCTy0NmObKWNqN7MyI2mEJf9h8cIRqgV4zVXYn_YQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '753'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDIsImlhdCI6MTcxNjQ2MDgwMiwiYXV0aF90aW1lIjoxNzE2NDYwODAyLCJqdGkiOiI0Njg2YTIxMS04ZDc0LTRhMmYtOTkyYi00MDhlMzJjZjdmOGYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJlYzVhMWY3MC0zZDEwLTQ4YTgtYTE4Yi0yZDEzYzkyNWNkOTIiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJhdF9oYXNoIjoibkx4M21sbUNuYnRKSjBoZ24xMjVrQSIsImFjciI6IjAiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImdlbWFjaHRpZ2RlLmJzbiI6Ijk5OTk5OTk5OSIsImFhbnZyYWdlci5ic24iOiIwMDAwMDAwMDAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkaWdpZC1tYWNodGlnZW4ifQ.q0jDrz6NUPvaBzoJ-Kgygo4-kW_YFau77jKtxdvjwtrrLzRXKIK7t5s_O50XrdTb4e6a_Rmf48BzlurYbEPbhyEIit2mOoXyEKr_XoQuMDfO91pmhOCwyX-YBs7SMltTgqWcVi99bdFgvskxo9iusjWlcy0pp43LRtGrJZK5_GVvN5ApAwsWGjJ6v0gXka6xYZcsoxPcVfBUffApy_Slxfd3M1XH9m0oITSUPoWsOSja5lBEmNOeMhkXU3EGNSW9-Pwit2bWr9-fAYDO5lj0oZsQwVZHcROf35-_-1X-xH6in4f2CUGgaGB3ox3z9HtklfddmapyMU6VLMgbddZLfw
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '1171'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/logout
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       You are logged out\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n    <div id=\"kc-info-message\">\n
+        \       <p class=\"instruction\">You are logged out</p>\n    </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=019db403-873f-4e2e-82b8-41b7e6ba9477; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=019db403-873f-4e2e-82b8-41b7e6ba9477; Version=1; Path=/realms/test/;
+        HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1566'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=f81002bb-ea5e-4439-9a22-c2a573783986; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k;
+        KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDIsImlhdCI6MTcxNjQ2MDgwMiwianRpIjoiOTg4NDdjMDAtYjM3Ny00OTNkLWFlOWItNzU4ZTdhOTgxMThiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiZWM1YTFmNzAtM2QxMC00OGE4LWExOGItMmQxM2M5MjVjZDkyIiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzaWQiOiJmODEwMDJiYi1lYTVlLTQ0MzktOWEyMi1jMmE1NzM3ODM5ODYiLCJzdGF0ZV9jaGVja2VyIjoib2ZfM1dKck01UzZkU3JESHJWT2Ztall3ZHgtbHlPWDRpa0cweFRma0xYbyJ9.BXeZkKDXi8_1y5BMHBoHAv4fUROc-Bt2fvwATjjxG9A;
+        KEYCLOAK_SESSION_LEGACY=test/ec5a1f70-3d10-48a8-a18b-2d13c925cd92/f81002bb-ea5e-4439-9a22-c2a573783986
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Fdigid-machtigen-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"3cf31a3a-15a7-4f19-8d23-9d318b9ab640\",\n
+        \             \"2xuKvrxd4UQ\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=2xuKvrxd4UQ&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=tda-QODkf1A0u3WsybEZlPDVExJ6NaYNWl7IUGAlT7E&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=2xuKvrxd4UQ\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - AUTH_SESSION_ID=3cf31a3a-15a7-4f19-8d23-9d318b9ab640; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=3cf31a3a-15a7-4f19-8d23-9d318b9ab640; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9kaWdpZC1tYWNodGlnZW4tb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBic24iLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly90ZXN0c2VydmVyL2RpZ2lkLW1hY2h0aWdlbi1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.CzIO8PEo0TtC0JUUGrAD0K0eHnesrWyKb05cHrA4S4k;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_eherkenning_error_reported_for_cancelled_login_anon_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_eherkenning_error_reported_for_cancelled_login_anon_django_user.yaml
new file mode 100644
index 0000000000..2d269fb4ab
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_eherkenning_error_reported_for_cancelled_login_anon_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/eherkenning-bewindvoering-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user.yaml
new file mode 100644
index 0000000000..2d269fb4ab
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/eherkenning-bewindvoering-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_failing_claim_verification.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_failing_claim_verification.yaml
new file mode 100644
index 0000000000..535f715b14
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_failing_claim_verification.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"4e0775ac-68c4-4f7d-a637-073a8b0f98fb\",\n
+        \             \"3vXx-XMXf3o\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=3vXx-XMXf3o&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=J_O_RmaBYKvnz269m5ssZQMpySZ8_aAobpKJd_h39fk&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=3vXx-XMXf3o\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=4e0775ac-68c4-4f7d-a637-073a8b0f98fb; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=4e0775ac-68c4-4f7d-a637-073a8b0f98fb; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=eherkenning-bewindvoering&password=eherkenning-bewindvoering&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '97'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=4e0775ac-68c4-4f7d-a637-073a8b0f98fb; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=J_O_RmaBYKvnz269m5ssZQMpySZ8_aAobpKJd_h39fk&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=3vXx-XMXf3o
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/eherkenning-bewindvoering-oidc/callback/?state=not-a-random-string&session_state=4e0775ac-68c4-4f7d-a637-073a8b0f98fb&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=d5216ea5-9d20-44ca-9c8d-49a0d6472b0f.4e0775ac-68c4-4f7d-a637-073a8b0f98fb.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiNGFlMDE0NWUtNjc3ZC00ZWYzLWE3ZmYtYWU0OTFjZjMyZGI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJzaWQiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJzdGF0ZV9jaGVja2VyIjoiNEJ2RjIyM2QySUVPcUNtTmozQXZiQ21QdjQ4TmloanBSMjNhUTNxQlAwcyJ9.tF06GFTWa4AIvdve747blfScBSO9qtposVDdwqCbvfs;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiNGFlMDE0NWUtNjc3ZC00ZWYzLWE3ZmYtYWU0OTFjZjMyZGI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJzaWQiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJzdGF0ZV9jaGVja2VyIjoiNEJ2RjIyM2QySUVPcUNtTmozQXZiQ21QdjQ4TmloanBSMjNhUTNxQlAwcyJ9.tF06GFTWa4AIvdve747blfScBSO9qtposVDdwqCbvfs;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/4e0775ac-68c4-4f7d-a637-073a8b0f98fb;
+        Version=1; Expires=Thu, 23-May-2024 20:40:00 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/4e0775ac-68c4-4f7d-a637-073a8b0f98fb;
+        Version=1; Expires=Thu, 23-May-2024 20:40:00 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=d5216ea5-9d20-44ca-9c8d-49a0d6472b0f.4e0775ac-68c4-4f7d-a637-073a8b0f98fb.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '293'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiJiMGY2NDQyOS1hYWQ0LTQxMjAtYWQ4ZC1jMzAwNDU2Mzk2MGEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjRlMDc3NWFjLTY4YzQtNGY3ZC1hNjM3LTA3M2E4YjBmOThmYiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiNGUwNzc1YWMtNjhjNC00ZjdkLWE2MzctMDczYThiMGY5OGZiIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJhYW52cmFnZXIua3ZrIjoiMTIzNDU2NzgiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJlaGVya2VubmluZy1iZXdpbmR2b2VyaW5nIiwiZ2VtYWNodGlnZGUucHNldWRvSUQiOiI0Qjc1QTBFQTEwN0IzRDM2In0.DBieG0ZboNo4A_42fjW6PIj1LuKnQHZdMTYTsvmMoXU0AHB4oPRDehYLcPuuts-_OIit8JKDR_-3yE7nHyQ1qqHZKQNRbzz9oZ-pt2KFQkYwy02IZNcTmYlosU3DHNiZtXo5OgsFamC0rLkHHqQOZSMiVyW0gPAggTGOeBDoe45mbaH4wi-QG_3_4aMMML0ThrR1caX_ebRr95BJwH8PMTdbpNOvw8zJmbCMr5urhexZmo_rA7YdwNwJTIzwTqLG9HLCwf_jYy2CW2IQ8s3w2OSpA1wBi7EkSFr1TpUsmEeMVIO6TkrQ9MZXPsR0KKxscLFxXKc-q3wKvTDVXP1czA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDAsImlhdCI6MTcxNjQ2MDgwMCwianRpIjoiNDg1Y2Q2ZjEtMmIwMS00ZjYwLWI3YzItMDkzMmQ4MTc5OTM2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIifQ.pi1ytUZgBsmwEFHG_x-6FUzKRTq_D6hsFcU0OdnyINc","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiI0N2JiYjBkNy1jM2Y2LTQwZjQtOTU4ZS0zNjJhMjMzZWZlZGEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJhdF9oYXNoIjoic3pMNm1KQlpvOFplOHM1b3lFRmVidyIsImFjciI6IjEiLCJzaWQiOiI0ZTA3NzVhYy02OGM0LTRmN2QtYTYzNy0wNzNhOGIwZjk4ZmIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.lXDLUKy6dqlk2RAWnNiCv6fcubamF9qZpNoCwSVv2erOnLsvOoyOo9ydglMhOKDlGMkGe5AbgV2yvd4UemxXuiG2EDTUaoOHCb4ztJTlZML62027SIWAJk7h69M01GePOlmPqrVutphgD6cd3VQy4fyM835hcwk9HD-fIA9yD04MKamxrdtde_biZYNbDqfhGEkUWTDd2y0uTJ5RsrJtJ2V5Tv4R3n8SOURnbLlOQt3S1SZ99QDLB7C1PiVswTnhqabw27E2oWiGcmhx2lhOK98dggVsOjGbTdScu6RQYFeZBH2qchFdrhFBsizxg9vrKqv9M69gVo7CmTUOwrcJIA","not-before-policy":0,"session_state":"4e0775ac-68c4-4f7d-a637-073a8b0f98fb","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3609'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDAsImlhdCI6MTcxNjQ2MDgwMCwiYXV0aF90aW1lIjoxNzE2NDYwODAwLCJqdGkiOiJiMGY2NDQyOS1hYWQ0LTQxMjAtYWQ4ZC1jMzAwNDU2Mzk2MGEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjRlMDc3NWFjLTY4YzQtNGY3ZC1hNjM3LTA3M2E4YjBmOThmYiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiNGUwNzc1YWMtNjhjNC00ZjdkLWE2MzctMDczYThiMGY5OGZiIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJhYW52cmFnZXIua3ZrIjoiMTIzNDU2NzgiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJlaGVya2VubmluZy1iZXdpbmR2b2VyaW5nIiwiZ2VtYWNodGlnZGUucHNldWRvSUQiOiI0Qjc1QTBFQTEwN0IzRDM2In0.DBieG0ZboNo4A_42fjW6PIj1LuKnQHZdMTYTsvmMoXU0AHB4oPRDehYLcPuuts-_OIit8JKDR_-3yE7nHyQ1qqHZKQNRbzz9oZ-pt2KFQkYwy02IZNcTmYlosU3DHNiZtXo5OgsFamC0rLkHHqQOZSMiVyW0gPAggTGOeBDoe45mbaH4wi-QG_3_4aMMML0ThrR1caX_ebRr95BJwH8PMTdbpNOvw8zJmbCMr5urhexZmo_rA7YdwNwJTIzwTqLG9HLCwf_jYy2CW2IQ8s3w2OSpA1wBi7EkSFr1TpUsmEeMVIO6TkrQ9MZXPsR0KKxscLFxXKc-q3wKvTDVXP1czA
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.gMZorJmAINBiyhnEo5115UNw48hW3-17kjfMI0-5NDO4dpmNt8kRMZesq7vHO6sgqN23CgEqiiRGK6nn1FaMRoSunA8CvVa8IYMlVWq_Vgykb32nNpiyyQlFMUzpJfNycog3-Qjbpr6dhfLlABumKwaAFI5TVg355hZEDcKtn5OMuv_Vei6bI9UBWJECUfa4a5zImsla0OxAUK_6lDCSNxvC-mjtfyggLZHGkKIwSG7jt3bMLp8bNSqfe2FUM8u4nJz5f6UB1QAf35PErp2hXbW3Bu8iNB6KK5FTJuDKsU9WE0jJdUom7CQOZZWupmw5jMRVKxPht18U1l1W_jhAeA
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '781'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_redirects_after_successful_auth.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_redirects_after_successful_auth.yaml
new file mode 100644
index 0000000000..ff10d8982a
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringCallbackTests/EHerkenningBewindvoeringCallbackTests.test_redirects_after_successful_auth.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"59467342-87eb-43f5-bbd2-6058d44413fd\",\n
+        \             \"B8DLpYWeCfE\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=B8DLpYWeCfE&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=lxSZ4LdYPPFJdAcPYzRF6cylhp-omS1jca2ajqE7P78&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=B8DLpYWeCfE\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=59467342-87eb-43f5-bbd2-6058d44413fd; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=59467342-87eb-43f5-bbd2-6058d44413fd; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=eherkenning-bewindvoering&password=eherkenning-bewindvoering&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '97'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=59467342-87eb-43f5-bbd2-6058d44413fd; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=lxSZ4LdYPPFJdAcPYzRF6cylhp-omS1jca2ajqE7P78&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=B8DLpYWeCfE
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/eherkenning-bewindvoering-oidc/callback/?state=not-a-random-string&session_state=59467342-87eb-43f5-bbd2-6058d44413fd&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=b8243d6b-a424-4789-9220-3b240309d7d9.59467342-87eb-43f5-bbd2-6058d44413fd.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMzc0MTQsImlhdCI6MTcxODIwMTQxNCwianRpIjoiMWFmOWFlZmYtZDQ1Ny00YWQ4LWEwZDItZThkMjg1ZDAwNDYxIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJzaWQiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJzdGF0ZV9jaGVja2VyIjoiMFdiWTJhWEhfekd5aTJBSGtNUUJQSzVLT0xBSG1EWmFJbmthbEhwOE1xOCJ9.hROPH_82rPRrzXitMviHZTZzLnZAaOUFJIqlk1Y7ob0;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMzc0MTQsImlhdCI6MTcxODIwMTQxNCwianRpIjoiMWFmOWFlZmYtZDQ1Ny00YWQ4LWEwZDItZThkMjg1ZDAwNDYxIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJzaWQiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJzdGF0ZV9jaGVja2VyIjoiMFdiWTJhWEhfekd5aTJBSGtNUUJQSzVLT0xBSG1EWmFJbmthbEhwOE1xOCJ9.hROPH_82rPRrzXitMviHZTZzLnZAaOUFJIqlk1Y7ob0;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/59467342-87eb-43f5-bbd2-6058d44413fd;
+        Version=1; Expires=Thu, 13-Jun-2024 00:10:14 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/59467342-87eb-43f5-bbd2-6058d44413fd;
+        Version=1; Expires=Thu, 13-Jun-2024 00:10:14 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=b8243d6b-a424-4789-9220-3b240309d7d9.59467342-87eb-43f5-bbd2-6058d44413fd.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '293'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgyMDE3MTQsImlhdCI6MTcxODIwMTQxNCwiYXV0aF90aW1lIjoxNzE4MjAxNDE0LCJqdGkiOiJhNmZhMzZlMS1jMjEwLTRjYjItYmRhMS03NGEwNmNiZDk5NTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjU5NDY3MzQyLTg3ZWItNDNmNS1iYmQyLTYwNThkNDQ0MTNmZCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjU5NDY3MzQyLTg3ZWItNDNmNS1iYmQyLTYwNThkNDQ0MTNmZCIsInNlcnZpY2VfdXVpZCI6IjgxMjE2ZmE0LTgwYTEtNDY4Ni1hOGFjLTVjOGU1YzAzMGM5MyIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicmVwcmVzZW50ZWVCU04iOiIwMDAwMDAwMDAiLCJsZWdhbFN1YmplY3RJRCI6IjEyMzQ1Njc4IiwiYWN0aW5nU3ViamVjdElEIjoiNEI3NUEwRUExMDdCM0QzNiIsInNlcnZpY2VfaWQiOiJ1cm46ZXRvZWdhbmc6RFY6MDAwMDAwMDEwMDIzMDg4MzYwMDA6c2VydmljZXM6OTExMyIsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsIm5hbWVfcXVhbGlmaWVyIjoidXJuOmV0b2VnYW5nOjEuOTpFbnRpdHlDb25jZXJuZWRJRDpLdktuciIsImdyb3VwcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.uvbIm6t0O3ejJcOxZJ7TjjEMfVTMgECE43vzH-MWvTH6leGhy2fnkuPAeyLDAuirJrJRWWDGlT1mpjOCmk5KuUQUZ-TBVs3ruFs382lZdrrZsRv56i5lbi0QWEYi2BEOgWn9DXimmBn2Ll61DFk-nWw2t700CU_XnigvqFk7_kVCDmb0AU8qtQyl_ZhBf1UnM_HqMWfstyn3uzqbHmzShWd-JOizEzMXgsP2ikbrk-pOIpisUwWS5zU9EDR8qwyzjmm5qR5Ju1h64z1rf1WxndBpTpQ15rqfQQGC9jyhsu7wQV-832LDNlhiyfyyX-njJIKC8BuixGeLveU4z8G9jg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMDMyMTQsImlhdCI6MTcxODIwMTQxNCwianRpIjoiZWQ3NTA3MWItNWM5OS00MDEwLThkYmQtMDkwNzEwZTczNzJhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiNTk0NjczNDItODdlYi00M2Y1LWJiZDItNjA1OGQ0NDQxM2ZkIn0.uW1hp-l_9YZo22zAG1FwL1rjDTW0tn08UTDYVBx9b5g","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgyMDE3MTQsImlhdCI6MTcxODIwMTQxNCwiYXV0aF90aW1lIjoxNzE4MjAxNDE0LCJqdGkiOiIyOWU4N2Y4Mi0xYzcwLTQ5NzMtODAxZi05MmRjZWRmY2UxYzEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJhdF9oYXNoIjoiOTRFQlBfNmc5NnJtc1pDeEdJRHlOZyIsImFjciI6IjEiLCJzaWQiOiI1OTQ2NzM0Mi04N2ViLTQzZjUtYmJkMi02MDU4ZDQ0NDEzZmQiLCJzZXJ2aWNlX3V1aWQiOiI4MTIxNmZhNC04MGExLTQ2ODYtYThhYy01YzhlNWMwMzBjOTMiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInJlcHJlc2VudGVlQlNOIjoiMDAwMDAwMDAwIiwibGVnYWxTdWJqZWN0SUQiOiIxMjM0NTY3OCIsImFjdGluZ1N1YmplY3RJRCI6IjRCNzVBMEVBMTA3QjNEMzYiLCJzZXJ2aWNlX2lkIjoidXJuOmV0b2VnYW5nOkRWOjAwMDAwMDAxMDAyMzA4ODM2MDAwOnNlcnZpY2VzOjkxMTMiLCJhYW52cmFnZXIua3ZrIjoiMTIzNDU2NzgiLCJuYW1lX3F1YWxpZmllciI6InVybjpldG9lZ2FuZzoxLjk6RW50aXR5Q29uY2VybmVkSUQ6S3ZLbnIiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJlaGVya2VubmluZy1iZXdpbmR2b2VyaW5nIiwiZ2VtYWNodGlnZGUucHNldWRvSUQiOiI0Qjc1QTBFQTEwN0IzRDM2In0.wr6j_GmksqCo1mEu-Wc-viiyYWEOyBwLGt-on52gToY8A8S-mhu_3PulXJRLR92urAmSJ7jRA3FTDSlWnIm_Zer8AeYvtDMa5BgGcefauidAPLC7HqDqF8Acc1xpljCTAmVdEM1GR733LqDIRqUZDr-PqsMvp6HhsEzG2OqRLQBp8k0wEErU8DcsLdwDn4FtwaCTaY3fZpMpMpr7JoRlIqmbA-hDfDFYSy3Ad5kL21LegkH6MzRuEo7v3yGLE0iambBHjDrZTNPrwMO17b2YPbiElW0EwtALFwxhgHhRSC3-YAbOtploxAA7YZSvvEIGJobK1C6IRLGygr30k50d-g","not-before-policy":0,"session_state":"59467342-87eb-43f5-bbd2-6058d44413fd","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4549'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgyMDE3MTQsImlhdCI6MTcxODIwMTQxNCwiYXV0aF90aW1lIjoxNzE4MjAxNDE0LCJqdGkiOiJhNmZhMzZlMS1jMjEwLTRjYjItYmRhMS03NGEwNmNiZDk5NTUiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjU5NDY3MzQyLTg3ZWItNDNmNS1iYmQyLTYwNThkNDQ0MTNmZCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjU5NDY3MzQyLTg3ZWItNDNmNS1iYmQyLTYwNThkNDQ0MTNmZCIsInNlcnZpY2VfdXVpZCI6IjgxMjE2ZmE0LTgwYTEtNDY4Ni1hOGFjLTVjOGU1YzAzMGM5MyIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicmVwcmVzZW50ZWVCU04iOiIwMDAwMDAwMDAiLCJsZWdhbFN1YmplY3RJRCI6IjEyMzQ1Njc4IiwiYWN0aW5nU3ViamVjdElEIjoiNEI3NUEwRUExMDdCM0QzNiIsInNlcnZpY2VfaWQiOiJ1cm46ZXRvZWdhbmc6RFY6MDAwMDAwMDEwMDIzMDg4MzYwMDA6c2VydmljZXM6OTExMyIsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsIm5hbWVfcXVhbGlmaWVyIjoidXJuOmV0b2VnYW5nOjEuOTpFbnRpdHlDb25jZXJuZWRJRDpLdktuciIsImdyb3VwcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.uvbIm6t0O3ejJcOxZJ7TjjEMfVTMgECE43vzH-MWvTH6leGhy2fnkuPAeyLDAuirJrJRWWDGlT1mpjOCmk5KuUQUZ-TBVs3ruFs382lZdrrZsRv56i5lbi0QWEYi2BEOgWn9DXimmBn2Ll61DFk-nWw2t700CU_XnigvqFk7_kVCDmb0AU8qtQyl_ZhBf1UnM_HqMWfstyn3uzqbHmzShWd-JOizEzMXgsP2ikbrk-pOIpisUwWS5zU9EDR8qwyzjmm5qR5Ju1h64z1rf1WxndBpTpQ15rqfQQGC9jyhsu7wQV-832LDNlhiyfyyX-njJIKC8BuixGeLveU4z8G9jg
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInJlcHJlc2VudGVlQlNOIjoiMDAwMDAwMDAwIiwiYWN0aW5nU3ViamVjdElEIjoiNEI3NUEwRUExMDdCM0QzNiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsImdyb3VwcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJhdWQiOiJ0ZXN0aWQiLCJzZXJ2aWNlX3V1aWQiOiI4MTIxNmZhNC04MGExLTQ2ODYtYThhYy01YzhlNWMwMzBjOTMiLCJsZWdhbFN1YmplY3RJRCI6IjEyMzQ1Njc4Iiwic2VydmljZV9pZCI6InVybjpldG9lZ2FuZzpEVjowMDAwMDAwMTAwMjMwODgzNjAwMDpzZXJ2aWNlczo5MTEzIiwiYWFudnJhZ2VyLmt2ayI6IjEyMzQ1Njc4IiwibmFtZV9xdWFsaWZpZXIiOiJ1cm46ZXRvZWdhbmc6MS45OkVudGl0eUNvbmNlcm5lZElEOkt2S25yIiwiZ2VtYWNodGlnZGUucHNldWRvSUQiOiI0Qjc1QTBFQTEwN0IzRDM2In0.RhfYXFdUrTNVxjwiyAvZK936u8Riw3A5HBQhl5SPzf3RB-qkr9jdemR4myyZWsevKpDfGpvjNVYL_lfwEd9PHATNxbuZIfOUySLfoW9Qg_NQF0uw_Y02enR9x4_ujtpitwpBk4lUh35_yTOtoi3qy05uj1f5NB-cvLdxYWVXL5V_Y92Ezf5inxFwxM-BvLkRO7aJn-S5FG4Lox1caMXtsBWwFTXmq1sm8eEY6tDqd7_HP5AK9zDqYlJsmYGcJJwtcTqJqP1jUBbWsQCzv4rp-V0xGLruIlEi8-VZd5MWs_CDkD_HYQACyAw-xsJevjMCsQcsCADD6V3HfWdPNsP3Sg
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1238'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_idp_availability_check.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_idp_availability_check.yaml
new file mode 100644
index 0000000000..e786ba2dc4
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_idp_availability_check.yaml
@@ -0,0 +1,26 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/i-dont-exist
+  response:
+    body:
+      string: '{"error":"Unable to find matching target resource method"}'
+    headers:
+      Content-Type:
+      - application/json
+      content-length:
+      - '58'
+    status:
+      code: 404
+      message: Not Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_keycloak_idp_hint_is_respected.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_keycloak_idp_hint_is_respected.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_keycloak_idp_hint_is_respected.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_start_flow_redirects_to_oidc_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_start_flow_redirects_to_oidc_provider.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringInitTests/EHerkenningBewindvoeringInitTests.test_start_flow_redirects_to_oidc_provider.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringLogoutTests/EHerkenningBewindvoeringLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringLogoutTests/EHerkenningBewindvoeringLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
new file mode 100644
index 0000000000..29410a98c6
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningBewindvoeringLogoutTests/EHerkenningBewindvoeringLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
@@ -0,0 +1,727 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"82194c00-d9f5-4403-b1e5-2b93691a28cc\",\n
+        \             \"BYyH0vlAKIw\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=BYyH0vlAKIw&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=PLahQUDZj3otjq4NBFNomjVb6TsBKd7ZKCbSqmZbaBo&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=BYyH0vlAKIw\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=82194c00-d9f5-4403-b1e5-2b93691a28cc; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=82194c00-d9f5-4403-b1e5-2b93691a28cc; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=eherkenning-bewindvoering&password=eherkenning-bewindvoering&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '97'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=82194c00-d9f5-4403-b1e5-2b93691a28cc; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=PLahQUDZj3otjq4NBFNomjVb6TsBKd7ZKCbSqmZbaBo&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=BYyH0vlAKIw
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/eherkenning-bewindvoering-oidc/callback/?state=not-a-random-string&session_state=82194c00-d9f5-4403-b1e5-2b93691a28cc&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=aa113bfc-7bec-4d9d-8815-b65dd677ece0.82194c00-d9f5-4403-b1e5-2b93691a28cc.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiMjEyMzliMTMtZDRjMC00YjVkLWJjMTEtYWNlNjc2YzhlYzdmIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzdGF0ZV9jaGVja2VyIjoiWFljb0Vod19qZ0gtdnVHdklHZ2dMRUdHWVl5VzYtczRoS1RWcEpEVXFGNCJ9.gT_heDZAUGrGUMUVEtJT3TsjgF-CcKC4wZN4GxpgLAg;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiMjEyMzliMTMtZDRjMC00YjVkLWJjMTEtYWNlNjc2YzhlYzdmIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzdGF0ZV9jaGVja2VyIjoiWFljb0Vod19qZ0gtdnVHdklHZ2dMRUdHWVl5VzYtczRoS1RWcEpEVXFGNCJ9.gT_heDZAUGrGUMUVEtJT3TsjgF-CcKC4wZN4GxpgLAg;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/82194c00-d9f5-4403-b1e5-2b93691a28cc;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/82194c00-d9f5-4403-b1e5-2b93691a28cc;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=82194c00-d9f5-4403-b1e5-2b93691a28cc; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiMjEyMzliMTMtZDRjMC00YjVkLWJjMTEtYWNlNjc2YzhlYzdmIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzdGF0ZV9jaGVja2VyIjoiWFljb0Vod19qZ0gtdnVHdklHZ2dMRUdHWVl5VzYtczRoS1RWcEpEVXFGNCJ9.gT_heDZAUGrGUMUVEtJT3TsjgF-CcKC4wZN4GxpgLAg;
+        KEYCLOAK_SESSION_LEGACY=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/82194c00-d9f5-4403-b1e5-2b93691a28cc
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Location:
+      - http://testserver/eherkenning-bewindvoering-oidc/callback/?state=not-a-random-string&session_state=82194c00-d9f5-4403-b1e5-2b93691a28cc&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=b9d11f0d-b995-4849-a7f0-3e8439b618e7.82194c00-d9f5-4403-b1e5-2b93691a28cc.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiNWYwNzYwYWUtNjUzNy00YjhmLTg3MmQtZGExYTNkYTUwOGU0IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzdGF0ZV9jaGVja2VyIjoiWFljb0Vod19qZ0gtdnVHdklHZ2dMRUdHWVl5VzYtczRoS1RWcEpEVXFGNCJ9.lOmH652_tr0WEEoqH1cpuvjHY4F3oRz03N6siaSGL9o;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiNWYwNzYwYWUtNjUzNy00YjhmLTg3MmQtZGExYTNkYTUwOGU0IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzdGF0ZV9jaGVja2VyIjoiWFljb0Vod19qZ0gtdnVHdklHZ2dMRUdHWVl5VzYtczRoS1RWcEpEVXFGNCJ9.lOmH652_tr0WEEoqH1cpuvjHY4F3oRz03N6siaSGL9o;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/82194c00-d9f5-4403-b1e5-2b93691a28cc;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/82194c00-d9f5-4403-b1e5-2b93691a28cc;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=b9d11f0d-b995-4849-a7f0-3e8439b618e7.82194c00-d9f5-4403-b1e5-2b93691a28cc.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '293'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI4ZmZkYTBlZi05OGNhLTRkZmItYjg3Yy04M2U0OWMyYmU1NTkiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjgyMTk0YzAwLWQ5ZjUtNDQwMy1iMWU1LTJiOTM2OTFhMjhjYyIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiODIxOTRjMDAtZDlmNS00NDAzLWIxZTUtMmI5MzY5MWEyOGNjIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJhYW52cmFnZXIua3ZrIjoiMTIzNDU2NzgiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJlaGVya2VubmluZy1iZXdpbmR2b2VyaW5nIiwiZ2VtYWNodGlnZGUucHNldWRvSUQiOiI0Qjc1QTBFQTEwN0IzRDM2In0.BUeSbTSQGpYcyYiuWDjgSpOiWiA_S5TE-dSPcali6P2jt-kuDMvgmNJg_nk5kTyxJyQpEKHYFhqot_KipRz1-3oaeWtztTGQIf7BQ4InqXA2W5AiYRFyyn7aOqKKPDCikxP5_pYIHkgmtOQHOtABCgVShz_A0C7Qb0ASgjoOXdnJNCrjoPQJloemqP6tn2hsh7JfMM0gEoHEoCVQxcfDe4N0KRPzMnrumyZfnV7wXUjHn1uQk3gUVfRtWImK7VbUvCm0LjU1Bz5-Gtt5pWcLma4uh8DyC975s5OPTk96G_0WtGS38PpCGjktb4N9aARXACbW6PCYD0H9mO2IIxH0rQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiZDcxNTdlNjEtOWU2My00OTQ3LTk0ZmMtYTEyODAwNGQyY2FkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MifQ.yTzEY-zNLccnSm12fsQSmR8q27UEkUBIXDWdHX356SY","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI0MGQyMTk2Mi1lMTNmLTQzYTQtOWJiZi0wNzA0Y2RlMTg5MDMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJhdF9oYXNoIjoiMzMyTmlpNXY0dGhzR092WHB4eDNDUSIsImFjciI6IjAiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.S-2gbcTyzr25mH191wS9SgWZ_ADR7C7kSMqKL37Ku8HnVaJkrHYDftbn3aYeMDutR6cS7uRJ_Yvo17HnOSXV47B6jaBGPYJCzibxm9vDgYC-2idQskW-68EXBm9cUuwcqa324KocODFg3VZbC0JpiCWX5hNS8txGYB4zFqy-uO4GP1p0nlQKMteBeyv0hQi-j5sOhBUrxVus-ddXeTPJkM8x3TvrfH9Paie_Ya4ybAGZpcY9qJNgj25xFLeS-fOQetGNDWtbonPzWaMk6FsSgvcRZAqnI6wzpyEYGeuoffwiF63_BK56IjeiW2tCOcd5NsGeE4BwlO_n-NlVoorSzQ","not-before-policy":0,"session_state":"82194c00-d9f5-4403-b1e5-2b93691a28cc","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3609'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI4ZmZkYTBlZi05OGNhLTRkZmItYjg3Yy04M2U0OWMyYmU1NTkiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjgyMTk0YzAwLWQ5ZjUtNDQwMy1iMWU1LTJiOTM2OTFhMjhjYyIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiODIxOTRjMDAtZDlmNS00NDAzLWIxZTUtMmI5MzY5MWEyOGNjIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJhYW52cmFnZXIua3ZrIjoiMTIzNDU2NzgiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJlaGVya2VubmluZy1iZXdpbmR2b2VyaW5nIiwiZ2VtYWNodGlnZGUucHNldWRvSUQiOiI0Qjc1QTBFQTEwN0IzRDM2In0.BUeSbTSQGpYcyYiuWDjgSpOiWiA_S5TE-dSPcali6P2jt-kuDMvgmNJg_nk5kTyxJyQpEKHYFhqot_KipRz1-3oaeWtztTGQIf7BQ4InqXA2W5AiYRFyyn7aOqKKPDCikxP5_pYIHkgmtOQHOtABCgVShz_A0C7Qb0ASgjoOXdnJNCrjoPQJloemqP6tn2hsh7JfMM0gEoHEoCVQxcfDe4N0KRPzMnrumyZfnV7wXUjHn1uQk3gUVfRtWImK7VbUvCm0LjU1Bz5-Gtt5pWcLma4uh8DyC975s5OPTk96G_0WtGS38PpCGjktb4N9aARXACbW6PCYD0H9mO2IIxH0rQ
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.gMZorJmAINBiyhnEo5115UNw48hW3-17kjfMI0-5NDO4dpmNt8kRMZesq7vHO6sgqN23CgEqiiRGK6nn1FaMRoSunA8CvVa8IYMlVWq_Vgykb32nNpiyyQlFMUzpJfNycog3-Qjbpr6dhfLlABumKwaAFI5TVg355hZEDcKtn5OMuv_Vei6bI9UBWJECUfa4a5zImsla0OxAUK_6lDCSNxvC-mjtfyggLZHGkKIwSG7jt3bMLp8bNSqfe2FUM8u4nJz5f6UB1QAf35PErp2hXbW3Bu8iNB6KK5FTJuDKsU9WE0jJdUom7CQOZZWupmw5jMRVKxPht18U1l1W_jhAeA
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '781'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI0MGQyMTk2Mi1lMTNmLTQzYTQtOWJiZi0wNzA0Y2RlMTg5MDMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2NDZlMjdjNi0xYjQyLTRlMTEtYTVjNi1kOWZhZTRjM2NlYTYiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJhdF9oYXNoIjoiMzMyTmlpNXY0dGhzR092WHB4eDNDUSIsImFjciI6IjAiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFhbnZyYWdlci5rdmsiOiIxMjM0NTY3OCIsInByZWZlcnJlZF91c2VybmFtZSI6ImVoZXJrZW5uaW5nLWJld2luZHZvZXJpbmciLCJnZW1hY2h0aWdkZS5wc2V1ZG9JRCI6IjRCNzVBMEVBMTA3QjNEMzYifQ.S-2gbcTyzr25mH191wS9SgWZ_ADR7C7kSMqKL37Ku8HnVaJkrHYDftbn3aYeMDutR6cS7uRJ_Yvo17HnOSXV47B6jaBGPYJCzibxm9vDgYC-2idQskW-68EXBm9cUuwcqa324KocODFg3VZbC0JpiCWX5hNS8txGYB4zFqy-uO4GP1p0nlQKMteBeyv0hQi-j5sOhBUrxVus-ddXeTPJkM8x3TvrfH9Paie_Ya4ybAGZpcY9qJNgj25xFLeS-fOQetGNDWtbonPzWaMk6FsSgvcRZAqnI6wzpyEYGeuoffwiF63_BK56IjeiW2tCOcd5NsGeE4BwlO_n-NlVoorSzQ
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '1199'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/logout
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       You are logged out\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n    <div id=\"kc-info-message\">\n
+        \       <p class=\"instruction\">You are logged out</p>\n    </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=c263549d-b336-4fae-8e9b-8c5701778632; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=c263549d-b336-4fae-8e9b-8c5701778632; Version=1; Path=/realms/test/;
+        HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1566'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=82194c00-d9f5-4403-b1e5-2b93691a28cc; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro;
+        KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiNWYwNzYwYWUtNjUzNy00YjhmLTg3MmQtZGExYTNkYTUwOGU0IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNjQ2ZTI3YzYtMWI0Mi00ZTExLWE1YzYtZDlmYWU0YzNjZWE2IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzaWQiOiI4MjE5NGMwMC1kOWY1LTQ0MDMtYjFlNS0yYjkzNjkxYTI4Y2MiLCJzdGF0ZV9jaGVja2VyIjoiWFljb0Vod19qZ0gtdnVHdklHZ2dMRUdHWVl5VzYtczRoS1RWcEpEVXFGNCJ9.lOmH652_tr0WEEoqH1cpuvjHY4F3oRz03N6siaSGL9o;
+        KEYCLOAK_SESSION_LEGACY=test/646e27c6-1b42-4e11-a5c6-d9fae4c3cea6/82194c00-d9f5-4403-b1e5-2b93691a28cc
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+bsn&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-bewindvoering-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"c82c23c7-c341-4585-b4f2-605223c9e6cf\",\n
+        \             \"iKuKP0OF3XA\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=iKuKP0OF3XA&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=EGDAGo2eynAzzr2_S7r9jHc-lq8A2iayMh0-WyCIrS8&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=iKuKP0OF3XA\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - AUTH_SESSION_ID=c82c23c7-c341-4585-b4f2-605223c9e6cf; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=c82c23c7-c341-4585-b4f2-605223c9e6cf; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgYnNuIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1iZXdpbmR2b2VyaW5nLW9pZGMvY2FsbGJhY2svIiwic3RhdGUiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIn19.ohW_ibsZCPn53GegGr49538xdqveI5gt43AvtPXb9ro;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_eherkenning_error_reported_for_cancelled_login_anon_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_eherkenning_error_reported_for_cancelled_login_anon_django_user.yaml
new file mode 100644
index 0000000000..6586377386
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_eherkenning_error_reported_for_cancelled_login_anon_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/eherkenning-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user.yaml
new file mode 100644
index 0000000000..6586377386
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user.yaml
@@ -0,0 +1,91 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=badscope&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Location:
+      - http://testserver/eherkenning-oidc/callback/?error=invalid_scope&error_description=Invalid+scopes%3A+badscope&state=not-a-random-string&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_failing_claim_verification.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_failing_claim_verification.yaml
new file mode 100644
index 0000000000..a5998de045
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_failing_claim_verification.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+kvk&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"cb331168-f20c-4c49-8998-0745bac76694\",\n
+        \             \"sG9HWUiDd7c\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=sG9HWUiDd7c&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=41NnhVsOge7Su4r0LPtUrLN8vCvK1YmYiJCfKxWy9hQ&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=sG9HWUiDd7c\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=cb331168-f20c-4c49-8998-0745bac76694; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=cb331168-f20c-4c49-8998-0745bac76694; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=testuser&password=testuser&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=cb331168-f20c-4c49-8998-0745bac76694; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=41NnhVsOge7Su4r0LPtUrLN8vCvK1YmYiJCfKxWy9hQ&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=sG9HWUiDd7c
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/eherkenning-oidc/callback/?state=not-a-random-string&session_state=cb331168-f20c-4c49-8998-0745bac76694&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=3c5a34e2-4cdf-473d-b6a6-eb830b070646.cb331168-f20c-4c49-8998-0745bac76694.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDEsImlhdCI6MTcxNjQ2MDgwMSwianRpIjoiYWE5MGZiNmItNjIzYS00MzhhLWEyOGMtMjE1YTkxYTQ1MjVkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJzaWQiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJzdGF0ZV9jaGVja2VyIjoiX1JqcXZkSWZqUGI1RHFXSlFGRUw5T2UtMndHMGpYank4bWEwNFR4RjZMVSJ9.O64rEsp4g6PUrTaf6aVeIYE06Db0pTqhFRQE4JJJlGA;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDEsImlhdCI6MTcxNjQ2MDgwMSwianRpIjoiYWE5MGZiNmItNjIzYS00MzhhLWEyOGMtMjE1YTkxYTQ1MjVkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJzaWQiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJzdGF0ZV9jaGVja2VyIjoiX1JqcXZkSWZqUGI1RHFXSlFGRUw5T2UtMndHMGpYank4bWEwNFR4RjZMVSJ9.O64rEsp4g6PUrTaf6aVeIYE06Db0pTqhFRQE4JJJlGA;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/cb331168-f20c-4c49-8998-0745bac76694;
+        Version=1; Expires=Thu, 23-May-2024 20:40:01 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/cb331168-f20c-4c49-8998-0745bac76694;
+        Version=1; Expires=Thu, 23-May-2024 20:40:01 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=3c5a34e2-4cdf-473d-b6a6-eb830b070646.cb331168-f20c-4c49-8998-0745bac76694.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '279'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDEsImlhdCI6MTcxNjQ2MDgwMSwiYXV0aF90aW1lIjoxNzE2NDYwODAxLCJqdGkiOiJhMmU0Zjk2Mi1hYjljLTQ4NzMtYTViZS04NjJiYWU0ODdhOTkiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImNiMzMxMTY4LWYyMGMtNGM0OS04OTk4LTA3NDViYWM3NjY5NCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiY2IzMzExNjgtZjIwYy00YzQ5LTg5OTgtMDc0NWJhYzc2Njk0Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.eZdaiBbxALxGbSgqsyKlLIzDmH6ZEZXrSU9IQ0hXGa4m5TIwwJCFWlirO_qYL2vmQzO3NWDJLuv8QKR34QXMwH594sz5u1eMnhKHvMCVVTuv_x7SSApJ8DShnmPxHBFgdw06bQawgqX31lzo48wYgUiwumYqtgp_9WZqYK-vjkRUFuGV_Qi98qrEwRhRQy37GhXNmLxQf73IUxpEtbpkLIKnllMrwDa7Vsr3sq3u46LsHBynBGYf4fsLGlmC6xHdRWin9jmR57f0ZN9fD4qVSmLSrPQg-jJn5C_rcdKIV5wcjF1ZgxrvfXgvq9UCwYaNXB9RXljX55U_tWLapkKM_A","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDEsImlhdCI6MTcxNjQ2MDgwMSwianRpIjoiZmE2OWMwZDMtNzE0Mi00YTAyLTg3YzItZjI1MTA1NDM0MmUwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQifQ.43LRNf5eVaIiqoKr6EfqLEN0hxNUiwnl_J2TjwqIulg","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDEsImlhdCI6MTcxNjQ2MDgwMSwiYXV0aF90aW1lIjoxNzE2NDYwODAxLCJqdGkiOiIxYjI0MDQxNC00NzhlLTQwNTgtOTJiNy04NDMyODIxMWEwMzQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJhdF9oYXNoIjoidmVCZThrUWNiSWpPU1BqemxzcmJSdyIsImFjciI6IjEiLCJzaWQiOiJjYjMzMTE2OC1mMjBjLTRjNDktODk5OC0wNzQ1YmFjNzY2OTQiLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.SQd-EW1CDHHxZ3xU847Gze1Wk1sWN8PTLF71UYYsK5pfY4o9foaPh8wKG6qKalyQ-2WC3JTsqAZ5PKN9fGhkkVOGV-57RNrqZ3G3qsBS7BhtaaZRv0NcqH1cJtU9jWmlvZ6hcbovZem5YkYtvAvec-gOtY-M2rujClAOKfEKJJXHXLGG7tirdgIbn7KM7c32XbhpELzNqdGN9WLR0BXx-cB7Rb4d2BxWonubZjjHsT2Bp77cS92pW2zF9OMVgVJA0ZCLAFLRivGChJMN1N4zLu2Tg-EcE4zBpW9zsKL4fEgoTMZjB4DKIVpz1jiVv0O3lyPCuQTg-ZrrnoNeYvoY0g","not-before-policy":0,"session_state":"cb331168-f20c-4c49-8998-0745bac76694","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3475'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDEsImlhdCI6MTcxNjQ2MDgwMSwiYXV0aF90aW1lIjoxNzE2NDYwODAxLCJqdGkiOiJhMmU0Zjk2Mi1hYjljLTQ4NzMtYTViZS04NjJiYWU0ODdhOTkiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImNiMzMxMTY4LWYyMGMtNGM0OS04OTk4LTA3NDViYWM3NjY5NCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiY2IzMzExNjgtZjIwYy00YzQ5LTg5OTgtMDc0NWJhYzc2Njk0Iiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.eZdaiBbxALxGbSgqsyKlLIzDmH6ZEZXrSU9IQ0hXGa4m5TIwwJCFWlirO_qYL2vmQzO3NWDJLuv8QKR34QXMwH594sz5u1eMnhKHvMCVVTuv_x7SSApJ8DShnmPxHBFgdw06bQawgqX31lzo48wYgUiwumYqtgp_9WZqYK-vjkRUFuGV_Qi98qrEwRhRQy37GhXNmLxQf73IUxpEtbpkLIKnllMrwDa7Vsr3sq3u46LsHBynBGYf4fsLGlmC6xHdRWin9jmR57f0ZN9fD4qVSmLSrPQg-jJn5C_rcdKIV5wcjF1ZgxrvfXgvq9UCwYaNXB9RXljX55U_tWLapkKM_A
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '714'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_redirects_after_successful_auth.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_redirects_after_successful_auth.yaml
new file mode 100644
index 0000000000..d29464f017
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningCallbackTests/EHerkenningCallbackTests.test_redirects_after_successful_auth.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+kvk&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"df5757ac-89bc-4e64-89b3-53e82b13d607\",\n
+        \             \"xYdHuUjni-0\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=xYdHuUjni-0&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=-NCKpg9ydyaj8FgYCAMb4brTpMKx5GWWF6af5B6yb5Y&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=xYdHuUjni-0\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=df5757ac-89bc-4e64-89b3-53e82b13d607; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=df5757ac-89bc-4e64-89b3-53e82b13d607; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=testuser&password=testuser&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=df5757ac-89bc-4e64-89b3-53e82b13d607; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=-NCKpg9ydyaj8FgYCAMb4brTpMKx5GWWF6af5B6yb5Y&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=xYdHuUjni-0
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/eherkenning-oidc/callback/?state=not-a-random-string&session_state=df5757ac-89bc-4e64-89b3-53e82b13d607&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=dd18b664-ae97-41de-9e46-4ae518855522.df5757ac-89bc-4e64-89b3-53e82b13d607.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMzgwMDYsImlhdCI6MTcxODIwMjAwNiwianRpIjoiNWQyOTdhODYtMTEzOC00ZjVhLWIwZmMtYjIxMzg3MzNhOTM1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJzaWQiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJzdGF0ZV9jaGVja2VyIjoidnI0NGxzZmd5eDNuanFBM3V3RkhEa3QzYTNYdGVhdDlMemE0TDhpdVZUTSJ9.Ls4Cuy_O0cwrFN4TjENNFmPPSFAJxCCSTY2mhL1fzIQ;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMzgwMDYsImlhdCI6MTcxODIwMjAwNiwianRpIjoiNWQyOTdhODYtMTEzOC00ZjVhLWIwZmMtYjIxMzg3MzNhOTM1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJzaWQiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJzdGF0ZV9jaGVja2VyIjoidnI0NGxzZmd5eDNuanFBM3V3RkhEa3QzYTNYdGVhdDlMemE0TDhpdVZUTSJ9.Ls4Cuy_O0cwrFN4TjENNFmPPSFAJxCCSTY2mhL1fzIQ;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/df5757ac-89bc-4e64-89b3-53e82b13d607;
+        Version=1; Expires=Thu, 13-Jun-2024 00:20:06 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/df5757ac-89bc-4e64-89b3-53e82b13d607;
+        Version=1; Expires=Thu, 13-Jun-2024 00:20:06 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=dd18b664-ae97-41de-9e46-4ae518855522.df5757ac-89bc-4e64-89b3-53e82b13d607.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '279'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgyMDIzMDYsImlhdCI6MTcxODIwMjAwNiwiYXV0aF90aW1lIjoxNzE4MjAyMDA2LCJqdGkiOiI3YjZlODBkNS1lNjVkLTQwNDAtYjAxMi1hN2ViMmE0YWY2MzEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImRmNTc1N2FjLTg5YmMtNGU2NC04OWIzLTUzZTgyYjEzZDYwNyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6ImRmNTc1N2FjLTg5YmMtNGU2NC04OWIzLTUzZTgyYjEzZDYwNyIsImt2ayI6IjAxMjM0NTY3OCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibGVnYWxTdWJqZWN0SUQiOiIxMjM0NTY3OCIsImFjdGluZ1N1YmplY3RJRCI6IjRCNzVBMEVBMTA3QjNEMzYiLCJuYW1lX3F1YWxpZmllciI6InVybjpldG9lZ2FuZzoxLjk6RW50aXR5Q29uY2VybmVkSUQ6S3ZLbnIiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.MAPWPFIBe_IFKW8eKowhGj07Kck9j1p8W41p9j5JeF5RigIwVuYbvBVvD2oX1I_kAc_z-QP3lvjAXF3jys0qaghKR_3ZC4YFagke5tjM3aLIO_NlfpYYPrhkXRcLF4BJnQbX1wwSJCmKzhUY_FYxO9VsEbWvLXpd0yKwk6H8MYuvuWjzXuzBnie8P7sCkhxWOB0NsslCJGJaTl2XRxNWGwkl2HYbAghkYWFQceVcL0q2T9yapKGFkGV9QqbhShQXeFY6gSmQPAJwxhxGd3i1r67kQbkdgqIQeXFecyOSr0NYeEFCl1eHIxL2mSPWW0LcJ9SQlvYnWAXpeHPpN_wJ0g","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTgyMDM4MDYsImlhdCI6MTcxODIwMjAwNiwianRpIjoiMzlhMzg2ZTEtOTQ0Yy00ZjA2LWEyZGYtNzZhYmU3Y2Y1YWI3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiZGY1NzU3YWMtODliYy00ZTY0LTg5YjMtNTNlODJiMTNkNjA3In0.r2yy7bxF7bD82iurT70DuE5BIPHpQj_cuPJJZj0Nlko","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgyMDIzMDYsImlhdCI6MTcxODIwMjAwNiwiYXV0aF90aW1lIjoxNzE4MjAyMDA2LCJqdGkiOiI1N2NmNWRkMS1kN2NiLTRhYjEtOGY2Zi1kYjgyZDAzNWVmMGQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJhdF9oYXNoIjoiNk9MZFBaaTl5RnJ6b2N3OU5lUGE0ZyIsImFjciI6IjEiLCJzaWQiOiJkZjU3NTdhYy04OWJjLTRlNjQtODliMy01M2U4MmIxM2Q2MDciLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImxlZ2FsU3ViamVjdElEIjoiMTIzNDU2NzgiLCJhY3RpbmdTdWJqZWN0SUQiOiI0Qjc1QTBFQTEwN0IzRDM2IiwibmFtZV9xdWFsaWZpZXIiOiJ1cm46ZXRvZWdhbmc6MS45OkVudGl0eUNvbmNlcm5lZElEOkt2S25yIiwiZ3JvdXBzIjpbImRlZmF1bHQtcm9sZXMtdGVzdCIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdHVzZXIiLCJic24iOiIwMDAwMDAwMDAifQ.fjsNPgfxXjbh-4Cv5sRQWF0Af5FCiLi4xhmMk2NGM0N9iw80i22wGuqd3zrscXYtuV7AUJ90jMVN_WCmjwsetDiLmHHhYouoPQYsJ3TMYQNSGHWwk-az3FWJKAcQ5GWDA6CvYxZhdapIb9SsdWpbdCizHjj5u1cbXUUb6GCb6VvXJaeXYeFgWAnBXbdz30m22fvlSDePpFdeJrXnGoZQX2cxjzoB3kjHGxOfCZ8w5FnvVX6dlkUzlini2qYWlSdEy8ceKuB3D-ikLw7-9D8yB_e310zAnR8RuFCC7tJhfOAOAF5VGf29DNSZjDAmuIxdqhNImzqz-oQXZrG7Bv43Yg","not-before-policy":0,"session_state":"df5757ac-89bc-4e64-89b3-53e82b13d607","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4018'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTgyMDIzMDYsImlhdCI6MTcxODIwMjAwNiwiYXV0aF90aW1lIjoxNzE4MjAyMDA2LCJqdGkiOiI3YjZlODBkNS1lNjVkLTQwNDAtYjAxMi1hN2ViMmE0YWY2MzEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImRmNTc1N2FjLTg5YmMtNGU2NC04OWIzLTUzZTgyYjEzZDYwNyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6ImRmNTc1N2FjLTg5YmMtNGU2NC04OWIzLTUzZTgyYjEzZDYwNyIsImt2ayI6IjAxMjM0NTY3OCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibGVnYWxTdWJqZWN0SUQiOiIxMjM0NTY3OCIsImFjdGluZ1N1YmplY3RJRCI6IjRCNzVBMEVBMTA3QjNEMzYiLCJuYW1lX3F1YWxpZmllciI6InVybjpldG9lZ2FuZzoxLjk6RW50aXR5Q29uY2VybmVkSUQ6S3ZLbnIiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.MAPWPFIBe_IFKW8eKowhGj07Kck9j1p8W41p9j5JeF5RigIwVuYbvBVvD2oX1I_kAc_z-QP3lvjAXF3jys0qaghKR_3ZC4YFagke5tjM3aLIO_NlfpYYPrhkXRcLF4BJnQbX1wwSJCmKzhUY_FYxO9VsEbWvLXpd0yKwk6H8MYuvuWjzXuzBnie8P7sCkhxWOB0NsslCJGJaTl2XRxNWGwkl2HYbAghkYWFQceVcL0q2T9yapKGFkGV9QqbhShQXeFY6gSmQPAJwxhxGd3i1r67kQbkdgqIQeXFecyOSr0NYeEFCl1eHIxL2mSPWW0LcJ9SQlvYnWAXpeHPpN_wJ0g
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImxlZ2FsU3ViamVjdElEIjoiMTIzNDU2NzgiLCJhY3RpbmdTdWJqZWN0SUQiOiI0Qjc1QTBFQTEwN0IzRDM2IiwibmFtZV9xdWFsaWZpZXIiOiJ1cm46ZXRvZWdhbmc6MS45OkVudGl0eUNvbmNlcm5lZElEOkt2S25yIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiZ3JvdXBzIjpbImRlZmF1bHQtcm9sZXMtdGVzdCIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdHVzZXIiLCJic24iOiIwMDAwMDAwMDAifQ.J2Bfcd1F9wUCureqh3JXo8oHFr7Aol2gumeh0Lzvwm2Cxc9f-c8ZXChJykDV50mvTs6fz6D8m3S4rHIdz27SMdGSGYLtMfmAdxYnKnY5zUmpmqcRqBELV8-jfEewSNtaBD-nM8TOK-qoDropCwEf0100n_Daf5tk3gYliBia-EZQ_YnC19w_ynLy4F2UvJB0HkZP431BOD6AaUpL--e14orHsAVApoFFwilkMzZv7oG9Qgns0DQPQLZz82DnU33WzzbC3MkGINRCj9-5VcY5HCRTDW_GF4WHUBwpJyMZR1an6-SrbdJ3kjlfSQ-Nqn0ax16Je54-ijafnCECj8wooQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '973'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_idp_availability_check.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_idp_availability_check.yaml
new file mode 100644
index 0000000000..e786ba2dc4
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_idp_availability_check.yaml
@@ -0,0 +1,26 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/i-dont-exist
+  response:
+    body:
+      string: '{"error":"Unable to find matching target resource method"}'
+    headers:
+      Content-Type:
+      - application/json
+      content-length:
+      - '58'
+    status:
+      code: 404
+      message: Not Found
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_keycloak_idp_hint_is_respected.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_keycloak_idp_hint_is_respected.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_keycloak_idp_hint_is_respected.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_start_flow_redirects_to_oidc_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_start_flow_redirects_to_oidc_provider.yaml
new file mode 100644
index 0000000000..7556222e57
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningInitTests/EHerkenningInitTests.test_start_flow_redirects_to_oidc_provider.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningLogoutTests/EHerkenningLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningLogoutTests/EHerkenningLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
new file mode 100644
index 0000000000..9ad7746ac4
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/data/vcr_cassettes/EHerkenningLogoutTests/EHerkenningLogoutTests.test_logout_also_logs_out_user_in_openid_provider.yaml
@@ -0,0 +1,727 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+kvk&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"b99f3ad2-4108-4e72-9a5b-685d1de56520\",\n
+        \             \"D8rsSG_R_Fw\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=D8rsSG_R_Fw&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=vx1PeLlJU7BNDFB0abY8KOsWaNRilGNfGtn9kj_axC8&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=D8rsSG_R_Fw\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=b99f3ad2-4108-4e72-9a5b-685d1de56520; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=b99f3ad2-4108-4e72-9a5b-685d1de56520; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=testuser&password=testuser&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '63'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=b99f3ad2-4108-4e72-9a5b-685d1de56520; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=vx1PeLlJU7BNDFB0abY8KOsWaNRilGNfGtn9kj_axC8&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=D8rsSG_R_Fw
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/eherkenning-oidc/callback/?state=not-a-random-string&session_state=b99f3ad2-4108-4e72-9a5b-685d1de56520&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=fe685f95-24c6-4bd6-835a-4ec3713b98c0.b99f3ad2-4108-4e72-9a5b-685d1de56520.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiNWYwMGI1ODUtYWNmNi00ZmMzLWI2YjAtOWM3MzhlMWY4MGYyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzdGF0ZV9jaGVja2VyIjoiZ2xlbnBIa3NBU0pxOUh3Z2tPTE1zUFVpLWxqcjNsbFBDYUpEdWRTTUx5SSJ9.Mqxd9PHAJhkI4CveL9qzcV33Og-ETgVA2zQgojKV9SE;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiNWYwMGI1ODUtYWNmNi00ZmMzLWI2YjAtOWM3MzhlMWY4MGYyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzdGF0ZV9jaGVja2VyIjoiZ2xlbnBIa3NBU0pxOUh3Z2tPTE1zUFVpLWxqcjNsbFBDYUpEdWRTTUx5SSJ9.Mqxd9PHAJhkI4CveL9qzcV33Og-ETgVA2zQgojKV9SE;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/b99f3ad2-4108-4e72-9a5b-685d1de56520;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/b99f3ad2-4108-4e72-9a5b-685d1de56520;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=b99f3ad2-4108-4e72-9a5b-685d1de56520; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiNWYwMGI1ODUtYWNmNi00ZmMzLWI2YjAtOWM3MzhlMWY4MGYyIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzdGF0ZV9jaGVja2VyIjoiZ2xlbnBIa3NBU0pxOUh3Z2tPTE1zUFVpLWxqcjNsbFBDYUpEdWRTTUx5SSJ9.Mqxd9PHAJhkI4CveL9qzcV33Og-ETgVA2zQgojKV9SE;
+        KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/b99f3ad2-4108-4e72-9a5b-685d1de56520
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+kvk&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Location:
+      - http://testserver/eherkenning-oidc/callback/?state=not-a-random-string&session_state=b99f3ad2-4108-4e72-9a5b-685d1de56520&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=d6b3b964-fac5-4e8e-bd1c-8ad517c6444b.b99f3ad2-4108-4e72-9a5b-685d1de56520.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiZTkxYmRkN2UtZTUwNi00NjViLWFhZjQtMDIyZTY0MzM0NjFjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzdGF0ZV9jaGVja2VyIjoiZ2xlbnBIa3NBU0pxOUh3Z2tPTE1zUFVpLWxqcjNsbFBDYUpEdWRTTUx5SSJ9.YyIoob_v_bdeEpwl7BNB74nD6aRrkI1bol_Sa0Wktvg;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiZTkxYmRkN2UtZTUwNi00NjViLWFhZjQtMDIyZTY0MzM0NjFjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzdGF0ZV9jaGVja2VyIjoiZ2xlbnBIa3NBU0pxOUh3Z2tPTE1zUFVpLWxqcjNsbFBDYUpEdWRTTUx5SSJ9.YyIoob_v_bdeEpwl7BNB74nD6aRrkI1bol_Sa0Wktvg;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/b99f3ad2-4108-4e72-9a5b-685d1de56520;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/b99f3ad2-4108-4e72-9a5b-685d1de56520;
+        Version=1; Expires=Thu, 23-May-2024 20:40:03 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=d6b3b964-fac5-4e8e-bd1c-8ad517c6444b.b99f3ad2-4108-4e72-9a5b-685d1de56520.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '279'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI3OGYwNWZjMC1mNDQ0LTQ2M2MtYTVjMi01MWQ2ZmFiMDU2ZDgiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImI5OWYzYWQyLTQxMDgtNGU3Mi05YTViLTY4NWQxZGU1NjUyMCIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYjk5ZjNhZDItNDEwOC00ZTcyLTlhNWItNjg1ZDFkZTU2NTIwIiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.i6A-hbQxOC4ZaoeInW6gA5IJntGxcaW632cCpYQfnyfhbpyIRmrfQ4s175o50pUEzZQLItczX4Uy4P1TsROhJSSBLdILomJV6mcoY27pQEEb6ylDxypqwoG03bCte5B7iCitg_v7nsJVDMTv6yXKEzSJJIW6XX_cWn_WzaKPJo8O8-3CW5tUYqrGJgAyKj2gj2bXH-nypGGsB-vxo7DKubfI9VAplxpBoy07b1O-As6VscqF_nUy_FMAifx_Ppwn6WjkeYwa0NBboZEGnrB4VnD2GFb3zaAHWVr5nM_VIhCvEaDVuJThZJN5Xk96WRd0W-QdWyxXObDPudWgQMRWRA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0NjI2MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiMTA4N2RmYTItYjBjYS00ZjA2LTgzNmEtNWQ1Y2ZjNTU4ZWZmIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBic24iLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAifQ.opB6N6okncOEcMwRKbR20mQc-u-iUsqkkQfOfFFhAhA","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI4MjgzMjk2OC05NmZjLTQ1ZWItOGYzOS1iZGM3YmQ0ZDM4MDciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJhdF9oYXNoIjoiczQteVhnWEtzc1gxSEp1dnRGMW9tZyIsImFjciI6IjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.yUDqG7BxSJPlr6Y6gVfd_x2gvAnmO9qN3k1z-HrPnNypN41UEpVux8pJW43F3sQWcRRLB6YriNuXrgTuwvFshfkTmeaMiy8ssylrp-DyUmmUXc_yyN0Avaj5xCLt1GRf-f75Fh9ft2B8eh-H3qf7A-eQ827EfBBF6vVLQZQW70QrxetQ6afE18E2NJ_MFNvV_MQgyxiXFdwJBXoUAHuY6HRgruOmU0egklXqDUUEARjrEc7XnuyqNiD6bfOJSuyUF1Z0HtvyAFckvorhzkAZiqFoBUCDMBuC-TBRneyeWiMBsmW_RFSTqTPVnZ6HG7ADhm6GdaMCzBH3Et2ab1sY5Q","not-before-policy":0,"session_state":"b99f3ad2-4108-4e72-9a5b-685d1de56520","scope":"openid
+        email profile kvk bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3475'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI3OGYwNWZjMC1mNDQ0LTQ2M2MtYTVjMi01MWQ2ZmFiMDU2ZDgiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6ImI5OWYzYWQyLTQxMDgtNGU3Mi05YTViLTY4NWQxZGU1NjUyMCIsImFjciI6IjAiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgYnNuIiwic2lkIjoiYjk5ZjNhZDItNDEwOC00ZTcyLTlhNWItNjg1ZDFkZTU2NTIwIiwia3ZrIjoiMDEyMzQ1Njc4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImJzbiI6IjAwMDAwMDAwMCJ9.i6A-hbQxOC4ZaoeInW6gA5IJntGxcaW632cCpYQfnyfhbpyIRmrfQ4s175o50pUEzZQLItczX4Uy4P1TsROhJSSBLdILomJV6mcoY27pQEEb6ylDxypqwoG03bCte5B7iCitg_v7nsJVDMTv6yXKEzSJJIW6XX_cWn_WzaKPJo8O8-3CW5tUYqrGJgAyKj2gj2bXH-nypGGsB-vxo7DKubfI9VAplxpBoy07b1O-As6VscqF_nUy_FMAifx_Ppwn6WjkeYwa0NBboZEGnrB4VnD2GFb3zaAHWVr5nM_VIhCvEaDVuJThZJN5Xk96WRd0W-QdWyxXObDPudWgQMRWRA
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJrdmsiOiIwMTIzNDU2NzgiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.CKub7h5He-7acsX5pli41jZiatfM3eM-f5bl6M9GaSSVJLy-NHH5RDSIvpNu4K3PA5uO1nn2sfiDWvfBgsqPxvssiqcmkenf1RpgaEdn7fS_bRn1ziAkYFq5tVEICluPeYELR8FNt7XGVGPakhezPnUwsdaUOBWf7ELTgbxVdBBy3Nkjg2op456glHO4C84zjABNK5grWfLCDDEwKnw4o1gz-QWAS1TPa7yQaPOJr71zjFT-o3P7EBBkASN_CiELOpno3bBxIeTa631m9BHZ8dECiffp_GQhxMqPS9bTwqTlffc-EkIamZr_90uHs3Dw8gVySYL7YTGoGDeq6w6jEw
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '714'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTY0NjExMDMsImlhdCI6MTcxNjQ2MDgwMywiYXV0aF90aW1lIjoxNzE2NDYwODAzLCJqdGkiOiI4MjgzMjk2OC05NmZjLTQ1ZWItOGYzOS1iZGM3YmQ0ZDM4MDciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiJhYTEwY2ZjNy0yYzRkLTQxZjYtOGZhYy03YmY0MDVjNTcyYzQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJhdF9oYXNoIjoiczQteVhnWEtzc1gxSEp1dnRGMW9tZyIsImFjciI6IjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJrdmsiOiIwMTIzNDU2NzgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyIiwiYnNuIjoiMDAwMDAwMDAwIn0.yUDqG7BxSJPlr6Y6gVfd_x2gvAnmO9qN3k1z-HrPnNypN41UEpVux8pJW43F3sQWcRRLB6YriNuXrgTuwvFshfkTmeaMiy8ssylrp-DyUmmUXc_yyN0Avaj5xCLt1GRf-f75Fh9ft2B8eh-H3qf7A-eQ827EfBBF6vVLQZQW70QrxetQ6afE18E2NJ_MFNvV_MQgyxiXFdwJBXoUAHuY6HRgruOmU0egklXqDUUEARjrEc7XnuyqNiD6bfOJSuyUF1Z0HtvyAFckvorhzkAZiqFoBUCDMBuC-TBRneyeWiMBsmW_RFSTqTPVnZ6HG7ADhm6GdaMCzBH3Et2ab1sY5Q
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '1132'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.31.0
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/logout
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       You are logged out\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n    <div id=\"kc-info-message\">\n
+        \       <p class=\"instruction\">You are logged out</p>\n    </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=3002fd48-03dc-458e-80f4-3dcd5a426be5; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=3002fd48-03dc-458e-80f4-3dcd5a426be5; Version=1; Path=/realms/test/;
+        HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1566'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=b99f3ad2-4108-4e72-9a5b-685d1de56520; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo;
+        KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTY0OTY4MDMsImlhdCI6MTcxNjQ2MDgwMywianRpIjoiZTkxYmRkN2UtZTUwNi00NjViLWFhZjQtMDIyZTY0MzM0NjFjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiYWExMGNmYzctMmM0ZC00MWY2LThmYWMtN2JmNDA1YzU3MmM0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzaWQiOiJiOTlmM2FkMi00MTA4LTRlNzItOWE1Yi02ODVkMWRlNTY1MjAiLCJzdGF0ZV9jaGVja2VyIjoiZ2xlbnBIa3NBU0pxOUh3Z2tPTE1zUFVpLWxqcjNsbFBDYUpEdWRTTUx5SSJ9.YyIoob_v_bdeEpwl7BNB74nD6aRrkI1bol_Sa0Wktvg;
+        KEYCLOAK_SESSION_LEGACY=test/aa10cfc7-2c4d-41f6-8fac-7bf405c572c4/b99f3ad2-4108-4e72-9a5b-685d1de56520
+      User-Agent:
+      - python-requests/2.31.0
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+kvk&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Feherkenning-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"a7dcc4f9-0f70-48bd-8532-6d784d084d9b\",\n
+        \             \"q_L7GkPkc88\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=q_L7GkPkc88&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=EkrxCprCVd-5tXjU2dl6MNKD_LlE2iZeyus00eMr8dE&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=q_L7GkPkc88\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test/
+      - KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test; HttpOnly
+      - KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu,
+        01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/test
+      - AUTH_SESSION_ID=a7dcc4f9-0f70-48bd-8532-6d784d084d9b; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=a7dcc4f9-0f70-48bd-8532-6d784d084d9b; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9laGVya2VubmluZy1vaWRjL2NhbGxiYWNrLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIGt2ayIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL3Rlc3RzZXJ2ZXIvZWhlcmtlbm5pbmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.SpI7JvuDjU8Dn4CR3RD56sJAxNizNRciRym82v57Ylo;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_admin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_admin.py
deleted file mode 100644
index 6355a8c1d7..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_admin.py
+++ /dev/null
@@ -1,80 +0,0 @@
-import json
-
-from django.test import override_settings
-from django.urls import reverse
-
-from django_webtest import WebTest
-from maykin_2fa.test import disable_admin_mfa
-
-from digid_eherkenning_oidc_generics.models import OpenIDConnectPublicConfig
-from openforms.accounts.tests.factories import SuperUserFactory
-from openforms.forms.tests.factories import FormFactory
-
-default_config = dict(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "bsn"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-    oidc_op_logout_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/logout",
-)
-
-
-@disable_admin_mfa()
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class DigiDOIDCFormAdminTests(WebTest):
-    def setUp(self):
-        super().setUp()
-
-        self.user = SuperUserFactory.create()
-        self.app.set_user(self.user)
-
-    def test_digid_oidc_disable_allowed(self):
-        # Patching `get_solo()` doesn't seem to work when retrieving the change_form
-        config = OpenIDConnectPublicConfig(**default_config)
-        config.save()
-
-        FormFactory.create(authentication_backends=["eherkenning_oidc"])
-
-        response = self.app.get(
-            reverse(
-                "admin:digid_eherkenning_oidc_generics_openidconnectpublicconfig_change"
-            )
-        )
-
-        form = response.forms["openidconnectpublicconfig_form"]
-        form["enabled"] = False
-        # set the value manually, normally this is done through JS
-        form["oidc_rp_scopes_list"] = json.dumps(config.oidc_rp_scopes_list)
-        form["oidc_exempt_urls"] = json.dumps(config.oidc_exempt_urls)
-        response = form.submit()
-
-        self.assertEqual(response.status_code, 302)
-        self.assertFalse(OpenIDConnectPublicConfig.get_solo().enabled)
-
-    def test_digid_oidc_disable_not_allowed(self):
-        # Patching `get_solo()` doesn't seem to work when retrieving the change_form
-        config = OpenIDConnectPublicConfig(**default_config)
-        config.save()
-
-        FormFactory.create(authentication_backends=["digid_oidc"])
-
-        response = self.app.get(
-            reverse(
-                "admin:digid_eherkenning_oidc_generics_openidconnectpublicconfig_change"
-            )
-        )
-
-        form = response.forms["openidconnectpublicconfig_form"]
-        form["enabled"] = False
-        # set the value manually, normally this is done through JS
-        form["oidc_rp_scopes_list"] = json.dumps(config.oidc_rp_scopes_list)
-        form["oidc_exempt_urls"] = json.dumps(config.oidc_exempt_urls)
-        response = form.submit()
-
-        self.assertEqual(response.status_code, 200)
-        self.assertTrue(OpenIDConnectPublicConfig.get_solo().enabled)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_plugin_endpoint.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_plugin_endpoint.py
deleted file mode 100644
index ca1b829846..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_plugin_endpoint.py
+++ /dev/null
@@ -1,58 +0,0 @@
-from unittest.mock import patch
-
-from django.urls import reverse
-
-from rest_framework import status
-from rest_framework.test import APITestCase
-
-from openforms.accounts.tests.factories import UserFactory
-from openforms.config.models import GlobalConfiguration
-
-
-class DigiDOIDCAuthPluginEndpointTests(APITestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-
-        cls.user = UserFactory.create(is_staff=True)
-
-    def setUp(self):
-        super().setUp()
-
-        self.client.force_authenticate(user=self.user)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_digid_oidc_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "digid_oidc": {"enabled": True},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertIn("digid_oidc", plugin_names)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_digid_oidc_not_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "digid_oidc": {"enabled": False},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertNotIn("digid_oidc", plugin_names)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py
deleted file mode 100644
index 0bc1593627..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/test_auth_procedure.py
+++ /dev/null
@@ -1,253 +0,0 @@
-from unittest.mock import patch
-
-from django.test import TestCase, override_settings, tag
-from django.urls import reverse
-
-import requests_mock
-from furl import furl
-from rest_framework import status
-
-from digid_eherkenning_oidc_generics.models import OpenIDConnectPublicConfig
-from openforms.accounts.tests.factories import StaffUserFactory
-from openforms.authentication.tests.utils import get_start_form_url, get_start_url
-from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-from openforms.forms.tests.factories import FormFactory
-
-default_config = OpenIDConnectPublicConfig(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "bsn"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-)
-
-
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class DigiDOIDCTests(TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-        cls.form = FormFactory.create(
-            generate_minimal_setup=True,
-            authentication_backends=["digid_oidc"],
-        )
-
-    def setUp(self):
-        super().setUp()
-
-        config_patcher = patch(
-            "digid_eherkenning_oidc_generics.models.OpenIDConnectPublicConfig.get_solo",
-            return_value=default_config,
-        )
-        self.mock_config = config_patcher.start()
-        self.addCleanup(config_patcher.stop)
-
-        self.requests_mocker = requests_mock.Mocker()
-        self.addCleanup(self.requests_mocker.stop)
-        self.requests_mocker.start()
-
-    def test_redirect_to_digid_oidc(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form)
-        start_url = get_start_url(self.form, plugin_id="digid_oidc")
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-            redirect_target = furl(response.url)  # type: ignore
-            query_params = redirect_target.query.params
-
-            self.assertEqual(redirect_target.host, "provider.com")
-            self.assertEqual(
-                redirect_target.path,
-                "/auth/realms/master/protocol/openid-connect/auth",
-            )
-            self.assertEqual(query_params["scope"], "openid bsn")
-            self.assertEqual(query_params["client_id"], "testclient")
-            self.assertEqual(
-                query_params["redirect_uri"],
-                f"http://testserver{reverse('digid_oidc:oidc_authentication_callback')}",
-            )
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            query_params = oidc_login_next.query.params
-
-            self.assertEqual(
-                oidc_login_next.path,
-                reverse(
-                    "authentication:return",
-                    kwargs={"slug": self.form.slug, "plugin_id": "digid_oidc"},
-                ),
-            )
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_to_digid_oidc_internal_server_error(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=500,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        assert self.requests_mocker.last_request is not None
-        self.assertEqual(
-            self.requests_mocker.last_request.url,
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-        )
-        parsed = furl(response.url)  # type: ignore
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        query_params = parsed.query.params
-        self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_oidc")
-
-    def test_redirect_to_digid_oidc_callback_error(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        with patch(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.backends"
-            ".OIDCAuthenticationDigiDBackend.verify_claims",
-            return_value=False,
-        ):
-            response = self.client.get(reverse("digid_oidc:callback"))
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        self.assertEqual(query_params["_start"], "1")
-        self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_oidc")
-
-    @override_settings(CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=[])
-    def test_redirect_to_disallowed_domain(self):
-        start_url = get_start_url(
-            self.form, plugin_id="digid_oidc", host="http://example.com"
-        )
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-
-    @override_settings(
-        CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=["http://example.com"]
-    )
-    def test_redirect_to_allowed_domain(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form, host="http://example.com")
-        start_url = get_start_url(
-            self.form, plugin_id="digid_oidc", host="http://example.com"
-        )
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-            self.assertTrue(response.url.startswith("http://provider.com/"))  # type: ignore
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            expected_next = reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "digid_oidc"},
-            )
-            self.assertEqual(oidc_login_next.path, expected_next)
-            query_params = oidc_login_next.query.params
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_with_keycloak_identity_provider_hint(self, *m):
-        self.mock_config.return_value.oidc_keycloak_idp_hint = "oidc-digid"
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-        self.assertEqual(query_params["kc_idp_hint"], "oidc-digid")
-
-    @tag("gh-3656", "gh-3692")
-    # This is an example of a specific provider. It may differ when a different provider is used.
-    # According to https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
-    # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the error we expect from OIDC
-    def test_redirect_to_form_when_login_cancelled_by_anonymous_user(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        response = self.client.get(
-            reverse("digid_oidc:callback"),
-            {
-                "error": "access_denied",
-                "error_description": "The user cancelled",
-            },
-        )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-
-        self.assertEqual(query_params["_digid-message"], "login-cancelled")
-        self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER))
-
-    @tag("gh-3656", "gh-3692")
-    def test_redirect_to_form_when_login_cancelled_by_authenticated_user(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        user = StaffUserFactory.create()
-        start_url = get_start_url(self.form, plugin_id="digid_oidc")
-        self.client.force_login(user=user)
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        response = self.client.get(
-            reverse("digid_oidc:callback"),
-            {"error": "access_denied", "error_description": "The user cancelled"},
-        )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(query_params["_digid-message"], "login-cancelled")
-        self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER))
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/__init__.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/__init__.py
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/test_auth_plugin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/test_auth_plugin.py
deleted file mode 100644
index ab99320909..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/test_auth_plugin.py
+++ /dev/null
@@ -1,58 +0,0 @@
-from unittest.mock import patch
-
-from django.urls import reverse
-
-from rest_framework import status
-from rest_framework.test import APITestCase
-
-from openforms.accounts.tests.factories import UserFactory
-from openforms.config.models import GlobalConfiguration
-
-
-class DigiDMachtigenOIDCAuthPluginEndpointTests(APITestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-
-        cls.user = UserFactory.create(is_staff=True)
-
-    def setUp(self):
-        super().setUp()
-
-        self.client.force_authenticate(user=self.user)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_digid_machtigen_oidc_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "digid_machtigen_oidc": {"enabled": True},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertIn("digid_machtigen_oidc", plugin_names)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_digid_machtigen_oidc_not_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "digid_machtigen_oidc": {"enabled": False},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertNotIn("digid_machtigen_oidc", plugin_names)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/test_auth_procedure.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/test_auth_procedure.py
deleted file mode 100644
index a804fd7cc9..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid_machtigen/test_auth_procedure.py
+++ /dev/null
@@ -1,332 +0,0 @@
-from unittest.mock import patch
-
-from django.test import TestCase, override_settings, tag
-from django.urls import reverse
-
-import requests_mock
-from furl import furl
-from rest_framework import status
-from rest_framework.test import APIRequestFactory
-
-from digid_eherkenning_oidc_generics.models import OpenIDConnectDigiDMachtigenConfig
-from openforms.accounts.tests.factories import StaffUserFactory
-from openforms.authentication.constants import (
-    CO_SIGN_PARAMETER,
-    FORM_AUTH_SESSION_KEY,
-    AuthAttribute,
-)
-from openforms.authentication.tests.utils import get_start_form_url, get_start_url
-from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-from openforms.forms.tests.factories import FormFactory
-
-from ...constants import DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY
-from ...plugin import DigiDMachtigenOIDCAuthentication
-
-default_config = OpenIDConnectDigiDMachtigenConfig(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "bsn"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-)
-
-
-class MockConfigMixin:
-    def setUp(self):
-        super().setUp()
-
-        config_patcher = patch(
-            "digid_eherkenning_oidc_generics.models.OpenIDConnectDigiDMachtigenConfig.get_solo",
-            return_value=default_config,
-        )
-        self.mock_config = config_patcher.start()
-        self.addCleanup(config_patcher.stop)
-
-
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class DigiDMachtigenOIDCTests(MockConfigMixin, TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-        cls.form = FormFactory.create(
-            generate_minimal_setup=True,
-            authentication_backends=["digid_machtigen_oidc"],
-        )
-
-    def setUp(self):
-        super().setUp()
-
-        self.requests_mocker = requests_mock.Mocker()
-        self.addCleanup(self.requests_mocker.stop)
-        self.requests_mocker.start()
-
-    def test_redirect_to_digid_machtigen_oidc(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form)
-        start_url = get_start_url(self.form, plugin_id="digid_machtigen_oidc")
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-            redirect_target = furl(response.url)  # type: ignore
-            query_params = redirect_target.query.params
-
-            self.assertEqual(redirect_target.host, "provider.com")
-            self.assertEqual(
-                redirect_target.path,
-                "/auth/realms/master/protocol/openid-connect/auth",
-            )
-            self.assertEqual(query_params["scope"], "openid bsn")
-            self.assertEqual(query_params["client_id"], "testclient")
-            self.assertEqual(
-                query_params["redirect_uri"],
-                f"http://testserver{reverse('digid_machtigen_oidc:oidc_authentication_callback')}",
-            )
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            query_params = oidc_login_next.query.params
-
-            self.assertEqual(
-                oidc_login_next.path,
-                reverse(
-                    "authentication:return",
-                    kwargs={
-                        "slug": self.form.slug,
-                        "plugin_id": "digid_machtigen_oidc",
-                    },
-                ),
-            )
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_to_digid_machtigen_oidc_internal_server_error(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=500,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_machtigen_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        assert self.requests_mocker.last_request is not None
-        self.assertEqual(
-            self.requests_mocker.last_request.url,
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-        )
-        parsed = furl(response.url)  # type: ignore
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        query_params = parsed.query.params
-        self.assertEqual(
-            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_machtigen_oidc"
-        )
-
-    def test_redirect_to_digid_machtigen_oidc_callback_error(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_machtigen_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        with patch(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.backends"
-            ".OIDCAuthenticationDigiDBackend.verify_claims",
-            return_value=False,
-        ):
-            response = self.client.get(reverse("digid_machtigen_oidc:callback"))
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        self.assertEqual(query_params["_start"], "1")
-        self.assertEqual(
-            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_machtigen_oidc"
-        )
-
-    @override_settings(CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=[])
-    def test_redirect_to_disallowed_domain(self):
-        start_url = get_start_url(
-            self.form, plugin_id="digid_machtigen_oidc", host="http://example.com"
-        )
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-
-    @override_settings(
-        CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=["http://example.com"]
-    )
-    def test_redirect_to_allowed_domain(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form, host="http://example.com")
-        start_url = get_start_url(
-            self.form, plugin_id="digid_machtigen_oidc", host="http://example.com"
-        )
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-            self.assertTrue(response.url.startswith("http://provider.com/"))  # type: ignore
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            expected_next = reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "digid_machtigen_oidc"},
-            )
-            self.assertEqual(oidc_login_next.path, expected_next)
-            query_params = oidc_login_next.query.params
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_with_keycloak_identity_provider_hint(self):
-        self.mock_config.return_value.oidc_keycloak_idp_hint = "oidc-digid-machtigen"
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_machtigen_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-        self.assertEqual(query_params["kc_idp_hint"], "oidc-digid-machtigen")
-
-    @tag("gh-3656", "gh-3692")
-    # This is an example of a specific provider. It may differ when a different provider is used.
-    # According to https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
-    # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the error we expect from OIDC
-    def test_redirect_to_form_when_login_cancelled_by_anonymous_user(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="digid_machtigen_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        response = self.client.get(
-            reverse("digid_machtigen_oidc:callback"),
-            {
-                "error": "access_denied",
-                "error_description": "The user cancelled",
-            },
-        )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-
-        self.assertEqual(query_params["_digid-message"], "login-cancelled")
-        self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER))
-
-    @tag("gh-3656", "gh-3692")
-    def test_redirect_to_form_when_login_cancelled_by_authenticated_user(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        user = StaffUserFactory.create()
-        start_url = get_start_url(self.form, plugin_id="digid_machtigen_oidc")
-        self.client.force_login(user=user)
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        response = self.client.get(
-            reverse("digid_machtigen_oidc:callback"),
-            {"error": "access_denied", "error_description": "The user cancelled"},
-        )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(query_params["_digid-message"], "login-cancelled")
-        self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER))
-
-
-class AddClaimsToSessionTests(MockConfigMixin, TestCase):
-
-    def test_handle_return_without_claim_digid_machtigen(self):
-        factory = APIRequestFactory()
-        request = factory.get("/xyz")
-        request.session = {}  # type: ignore
-
-        plugin = DigiDMachtigenOIDCAuthentication(identifier="boh")
-        plugin.add_claims_to_sessions_if_not_cosigning(claim="", request=request)
-
-        self.assertNotIn(FORM_AUTH_SESSION_KEY, request.session)
-
-    def test_handle_return_with_cosign_param_digid_machtigen(self):
-        factory = APIRequestFactory()
-        request = factory.get(f"/xyz?{CO_SIGN_PARAMETER}=tralala")
-        request.session = {}  # type: ignore
-
-        plugin = DigiDMachtigenOIDCAuthentication(identifier="boh")
-        plugin.add_claims_to_sessions_if_not_cosigning(claim="tralala", request=request)
-
-        self.assertNotIn(FORM_AUTH_SESSION_KEY, request.session)
-
-    def test_handle_return_digid_machtigen(self):
-        factory = APIRequestFactory()
-        request = factory.get("/xyz")
-        request.session = {  # type: ignore
-            DIGID_MACHTIGEN_OIDC_AUTH_SESSION_KEY: {"aanvrager.bsn": "222222222"}
-        }
-
-        plugin = DigiDMachtigenOIDCAuthentication(identifier="boh")
-
-        with patch(
-            "openforms.authentication.contrib.digid_eherkenning_oidc"
-            ".plugin.OpenIDConnectDigiDMachtigenConfig.get_solo",
-            return_value=OpenIDConnectDigiDMachtigenConfig(
-                vertegenwoordigde_claim_name="gemachtige.bsn",
-                gemachtigde_claim_name="aanvrager.bsn",
-            ),
-        ):
-            plugin.add_claims_to_sessions_if_not_cosigning(
-                claim={
-                    "gemachtige.bsn": "111111111",
-                },
-                request=request,
-            )
-
-        self.assertIn(FORM_AUTH_SESSION_KEY, request.session)
-        self.assertEqual(
-            {
-                "plugin": "boh",
-                "attribute": AuthAttribute.bsn,
-                "value": "111111111",
-                "machtigen": {"identifier_value": "222222222"},
-            },
-            request.session[FORM_AUTH_SESSION_KEY],
-        )
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/__init__.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/__init__.py
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_admin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_admin.py
deleted file mode 100644
index bde3385bb0..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_admin.py
+++ /dev/null
@@ -1,80 +0,0 @@
-import json
-
-from django.test import override_settings
-from django.urls import reverse
-
-from django_webtest import WebTest
-from maykin_2fa.test import disable_admin_mfa
-
-from digid_eherkenning_oidc_generics.models import OpenIDConnectEHerkenningConfig
-from openforms.accounts.tests.factories import SuperUserFactory
-from openforms.forms.tests.factories import FormFactory
-
-default_config = dict(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "kvk"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-    oidc_op_logout_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/logout",
-)
-
-
-@disable_admin_mfa()
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class eHerkenningOIDCFormAdminTests(WebTest):
-    def setUp(self):
-        super().setUp()
-
-        self.user = SuperUserFactory.create()
-        self.app.set_user(self.user)
-
-    def test_eherkenning_oidc_disable_allowed(self):
-        # Patching `get_solo()` doesn't seem to work when retrieving the change_form
-        config = OpenIDConnectEHerkenningConfig(**default_config)
-        config.save()
-
-        FormFactory.create(authentication_backends=["digid_oidc"])
-
-        response = self.app.get(
-            reverse(
-                "admin:digid_eherkenning_oidc_generics_openidconnecteherkenningconfig_change"
-            )
-        )
-
-        form = response.forms["openidconnecteherkenningconfig_form"]
-        form["enabled"] = False
-        # set the value manually, normally this is done through JS
-        form["oidc_rp_scopes_list"] = json.dumps(config.oidc_rp_scopes_list)
-        form["oidc_exempt_urls"] = json.dumps(config.oidc_exempt_urls)
-        response = form.submit()
-
-        self.assertEqual(response.status_code, 302)
-        self.assertFalse(OpenIDConnectEHerkenningConfig.get_solo().enabled)
-
-    def test_eherkenning_oidc_disable_not_allowed(self):
-        # Patching `get_solo()` doesn't seem to work when retrieving the change_form
-        config = OpenIDConnectEHerkenningConfig(**default_config)
-        config.save()
-
-        FormFactory.create(authentication_backends=["eherkenning_oidc"])
-
-        response = self.app.get(
-            reverse(
-                "admin:digid_eherkenning_oidc_generics_openidconnecteherkenningconfig_change"
-            )
-        )
-
-        form = response.forms["openidconnecteherkenningconfig_form"]
-        form["enabled"] = False
-        # set the value manually, normally this is done through JS
-        form["oidc_rp_scopes_list"] = json.dumps(config.oidc_rp_scopes_list)
-        form["oidc_exempt_urls"] = json.dumps(config.oidc_exempt_urls)
-        response = form.submit()
-
-        self.assertEqual(response.status_code, 200)
-        self.assertTrue(OpenIDConnectEHerkenningConfig.get_solo().enabled)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_logout.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_logout.py
deleted file mode 100644
index a0cdadc908..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_logout.py
+++ /dev/null
@@ -1,94 +0,0 @@
-from unittest.mock import patch
-
-from django.test import RequestFactory, TestCase
-
-import requests_mock
-
-from digid_eherkenning_oidc_generics.models import (
-    OpenIDConnectEHerkenningConfig,
-    OpenIDConnectPublicConfig,
-)
-from openforms.authentication.contrib.digid_eherkenning_oidc.plugin import (
-    DigiDOIDCAuthentication,
-    eHerkenningOIDCAuthentication,
-)
-
-
-class PluginLogoutTest(TestCase):
-    @patch(
-        "digid_eherkenning_oidc_generics.models.OpenIDConnectPublicConfig.get_solo",
-        return_value=OpenIDConnectPublicConfig(
-            oidc_op_logout_endpoint="http://foo/logout",
-        ),
-    )
-    @requests_mock.Mocker(real_http=False)
-    def test_logout_digid(self, p, mocker):
-        mocker.get(
-            "http://foo/logout",
-            text="ignored",
-        )
-
-        plugin = DigiDOIDCAuthentication("digid")
-
-        with self.subTest("empty session"):
-            request = RequestFactory().post("/dummy")
-            request.session = self.client.session
-
-            plugin.logout(request)
-
-            self.assertEqual(list(request.session.keys()), [])
-            self.assertFalse(mocker.called)
-
-        with self.subTest("session"):
-            session = self.client.session
-            session["oidc_id_token"] = "xyz"
-            session["oidc_login_next"] = "xyz"
-            session[plugin.session_key] = "xyz"
-            session.save()
-
-            request = RequestFactory().post("/dummy")
-            request.session = session
-
-            plugin.logout(request)
-
-            self.assertEqual(list(request.session.keys()), [])
-            self.assertTrue(mocker.called)
-
-    @patch(
-        "digid_eherkenning_oidc_generics.models.OpenIDConnectEHerkenningConfig.get_solo",
-        return_value=OpenIDConnectEHerkenningConfig(
-            oidc_op_logout_endpoint="http://foo/logout",
-        ),
-    )
-    @requests_mock.Mocker(real_http=False)
-    def test_logout_eherkenning(self, p, mocker):
-        mocker.get(
-            "http://foo/logout",
-            text="ignored",
-        )
-
-        plugin = eHerkenningOIDCAuthentication("eherkenning")
-
-        with self.subTest("empty session"):
-            request = RequestFactory().post("/dummy")
-            request.session = self.client.session
-
-            plugin.logout(request)
-
-            self.assertEqual(list(request.session.keys()), [])
-            self.assertFalse(mocker.called)
-
-        with self.subTest("session"):
-            session = self.client.session
-            session["oidc_id_token"] = "xyz"
-            session["oidc_login_next"] = "xyz"
-            session[plugin.session_key] = "xyz"
-            session.save()
-
-            request = RequestFactory().post("/dummy")
-            request.session = session
-
-            plugin.logout(request)
-
-            self.assertEqual(list(request.session.keys()), [])
-            self.assertTrue(mocker.called)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_plugin_endpoint.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_plugin_endpoint.py
deleted file mode 100644
index 191f7cd045..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_plugin_endpoint.py
+++ /dev/null
@@ -1,58 +0,0 @@
-from unittest.mock import patch
-
-from django.urls import reverse
-
-from rest_framework import status
-from rest_framework.test import APITestCase
-
-from openforms.accounts.tests.factories import UserFactory
-from openforms.config.models import GlobalConfiguration
-
-
-class eHerkenningOIDCAuthPluginEndpointTests(APITestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-
-        cls.user = UserFactory.create(is_staff=True)
-
-    def setUp(self):
-        super().setUp()
-
-        self.client.force_authenticate(user=self.user)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_eherkenning_oidc_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "eherkenning_oidc": {"enabled": True},
-                },
-            },
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertIn("eherkenning_oidc", plugin_names)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_eherkenning_oidc_not_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "eherkenning_oidc": {"enabled": False},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertNotIn("eherkenning_oidc", plugin_names)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_procedure.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_procedure.py
deleted file mode 100644
index 162d1dced4..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning/test_auth_procedure.py
+++ /dev/null
@@ -1,256 +0,0 @@
-from unittest.mock import patch
-
-from django.test import TestCase, override_settings, tag
-from django.urls import reverse
-
-import requests_mock
-from furl import furl
-from rest_framework import status
-
-from digid_eherkenning_oidc_generics.models import OpenIDConnectEHerkenningConfig
-from openforms.accounts.tests.factories import StaffUserFactory
-from openforms.authentication.tests.utils import get_start_form_url, get_start_url
-from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-from openforms.forms.tests.factories import FormFactory
-
-default_config = OpenIDConnectEHerkenningConfig(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "kvk"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-)
-
-
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class eHerkenningOIDCTests(TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-        cls.form = FormFactory.create(
-            generate_minimal_setup=True,
-            authentication_backends=["eherkenning_oidc"],
-        )
-
-    def setUp(self):
-        super().setUp()
-
-        config_patcher = patch(
-            "digid_eherkenning_oidc_generics.models.OpenIDConnectEHerkenningConfig.get_solo",
-            return_value=default_config,
-        )
-        self.mock_config = config_patcher.start()
-        self.addCleanup(config_patcher.stop)
-
-        self.requests_mocker = requests_mock.Mocker()
-        self.addCleanup(self.requests_mocker.stop)
-        self.requests_mocker.start()
-
-    def test_redirect_to_eherkenning_oidc(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form)
-        start_url = get_start_url(self.form, plugin_id="eherkenning_oidc")
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-            redirect_target = furl(response.url)  # type: ignore
-            query_params = redirect_target.query.params
-
-            self.assertEqual(redirect_target.host, "provider.com")
-            self.assertEqual(
-                redirect_target.path,
-                "/auth/realms/master/protocol/openid-connect/auth",
-            )
-            self.assertEqual(query_params["scope"], "openid kvk")
-            self.assertEqual(query_params["client_id"], "testclient")
-            self.assertEqual(
-                query_params["redirect_uri"],
-                f"http://testserver{reverse('eherkenning_oidc:oidc_authentication_callback')}",
-            )
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            query_params = oidc_login_next.query.params
-
-            self.assertEqual(
-                oidc_login_next.path,
-                reverse(
-                    "authentication:return",
-                    kwargs={"slug": self.form.slug, "plugin_id": "eherkenning_oidc"},
-                ),
-            )
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_to_eherkenning_oidc_internal_server_error(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=500,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        assert self.requests_mocker.last_request is not None
-        self.assertEqual(
-            self.requests_mocker.last_request.url,
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-        )
-        parsed = furl(response.url)  # type: ignore
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        query_params = parsed.query.params
-        self.assertEqual(
-            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "eherkenning_oidc"
-        )
-
-    def test_redirect_to_eherkenning_oidc_callback_error(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        with patch(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.backends"
-            ".OIDCAuthenticationEHerkenningBackend.verify_claims",
-            return_value=False,
-        ):
-            response = self.client.get(reverse("eherkenning_oidc:callback"))
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        self.assertEqual(query_params["_start"], "1")
-        self.assertEqual(
-            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "eherkenning_oidc"
-        )
-
-    @override_settings(CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=[])
-    def test_redirect_to_disallowed_domain(self):
-        start_url = get_start_url(
-            self.form, plugin_id="eherkenning_oidc", host="http://example.com"
-        )
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-
-    @override_settings(
-        CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=["http://example.com"]
-    )
-    def test_redirect_to_allowed_domain(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form, host="http://example.com")
-        start_url = get_start_url(
-            self.form, plugin_id="eherkenning_oidc", host="http://example.com"
-        )
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-            self.assertTrue(response.url.startswith("http://provider.com/"))  # type: ignore
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            expected_next = reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "eherkenning_oidc"},
-            )
-            self.assertEqual(oidc_login_next.path, expected_next)
-            query_params = oidc_login_next.query.params
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_with_keycloak_identity_provider_hint(self):
-        self.mock_config.return_value.oidc_keycloak_idp_hint = "oidc-eHerkenning"
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-        self.assertEqual(query_params["kc_idp_hint"], "oidc-eHerkenning")
-
-    @tag("gh-3656", "gh-3692")
-    # This is an example of a specific provider. It may differ when a different provider is used.
-    # According to https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
-    # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the error we expect from OIDC
-    def test_redirect_to_form_when_login_cancelled_by_anonymous_user(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        response = self.client.get(
-            reverse("eherkenning_oidc:callback"),
-            {
-                "error": "access_denied",
-                "error_description": "The user cancelled",
-            },
-        )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-
-        self.assertEqual(query_params["_eherkenning-message"], "login-cancelled")
-        self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER))
-
-    @tag("gh-3656", "gh-3692")
-    def test_redirect_to_form_when_login_cancelled_by_authenticated_user(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        user = StaffUserFactory.create()
-        start_url = get_start_url(self.form, plugin_id="eherkenning_oidc")
-        self.client.force_login(user=user)
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        response = self.client.get(
-            reverse("eherkenning_oidc:callback"),
-            {"error": "access_denied", "error_description": "The user cancelled"},
-        )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(query_params["_eherkenning-message"], "login-cancelled")
-        self.assertIsNone(query_params.get(BACKEND_OUTAGE_RESPONSE_PARAMETER))
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/__init__.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/__init__.py
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/test_auth_plugin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/test_auth_plugin.py
deleted file mode 100644
index 7e60629c3c..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/test_auth_plugin.py
+++ /dev/null
@@ -1,60 +0,0 @@
-from unittest.mock import patch
-
-from django.urls import reverse
-
-from rest_framework import status
-from rest_framework.test import APITestCase
-
-from openforms.accounts.tests.factories import UserFactory
-from openforms.config.models import GlobalConfiguration
-
-
-class EHerkenningBewindvoeringOIDCAuthPluginEndpointTests(APITestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-
-        cls.user = UserFactory.create(is_staff=True)
-
-    def setUp(self):
-        super().setUp()
-
-        self.client.force_authenticate(user=self.user)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_eherkenning_bewindvoering_oidc_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "eherkenning_bewindvoering_oidc": {"enabled": True},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertIn("eherkenning_bewindvoering_oidc", plugin_names)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_eherkenning_bewindvoering_oidc_not_enabled(
-        self, mock_get_solo
-    ):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "eherkenning_bewindvoering_oidc": {"enabled": False},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertNotIn("eherkenning_bewindvoering_oidc", plugin_names)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/test_auth_procedure.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/test_auth_procedure.py
deleted file mode 100644
index 3b00f84aae..0000000000
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/eherkenning_bewindvoering/test_auth_procedure.py
+++ /dev/null
@@ -1,286 +0,0 @@
-from unittest.mock import patch
-
-from django.test import TestCase, override_settings
-from django.urls import reverse
-
-import requests_mock
-from furl import furl
-from rest_framework import status
-from rest_framework.test import APIRequestFactory
-
-from digid_eherkenning_oidc_generics.models import (
-    OpenIDConnectEHerkenningBewindvoeringConfig,
-)
-from openforms.authentication.constants import (
-    CO_SIGN_PARAMETER,
-    FORM_AUTH_SESSION_KEY,
-    AuthAttribute,
-)
-from openforms.authentication.tests.utils import get_start_form_url, get_start_url
-from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-from openforms.forms.tests.factories import FormFactory
-
-from ...constants import EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY
-from ...plugin import EHerkenningBewindvoeringOIDCAuthentication
-
-default_config = OpenIDConnectEHerkenningBewindvoeringConfig(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "bsn"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-)
-
-
-class MockConfigMixin:
-    def setUp(self):
-        super().setUp()
-
-        config_patcher = patch(
-            "digid_eherkenning_oidc_generics.models"
-            ".OpenIDConnectEHerkenningBewindvoeringConfig.get_solo",
-            return_value=default_config,
-        )
-        self.mock_config = config_patcher.start()
-        self.addCleanup(config_patcher.stop)
-
-
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class EHerkenningBewindvoeringOIDCTests(MockConfigMixin, TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        cls.form = FormFactory.create(
-            generate_minimal_setup=True,
-            authentication_backends=["eherkenning_bewindvoering_oidc"],
-        )
-
-    def setUp(self):
-        super().setUp()
-
-        self.requests_mocker = requests_mock.Mocker()
-        self.addCleanup(self.requests_mocker.stop)
-        self.requests_mocker.start()
-
-    def test_redirect_to_eherkenning_bewindvoering_oidc(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form)
-        start_url = get_start_url(self.form, plugin_id="eherkenning_bewindvoering_oidc")
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-            redirect_target = furl(response.url)  # type: ignore
-            query_params = redirect_target.query.params
-
-            self.assertEqual(redirect_target.host, "provider.com")
-            self.assertEqual(
-                redirect_target.path,
-                "/auth/realms/master/protocol/openid-connect/auth",
-            )
-            self.assertEqual(query_params["scope"], "openid bsn")
-            self.assertEqual(query_params["client_id"], "testclient")
-            self.assertEqual(
-                query_params["redirect_uri"],
-                f"http://testserver{reverse('eherkenning_bewindvoering_oidc:oidc_authentication_callback')}",
-            )
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            query_params = oidc_login_next.query.params
-
-            self.assertEqual(
-                oidc_login_next.path,
-                reverse(
-                    "authentication:return",
-                    kwargs={
-                        "slug": self.form.slug,
-                        "plugin_id": "eherkenning_bewindvoering_oidc",
-                    },
-                ),
-            )
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_to_eherkenning_bewindvoering_oidc_internal_server_error(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=500,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_bewindvoering_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        assert self.requests_mocker.last_request is not None
-        self.assertEqual(
-            self.requests_mocker.last_request.url,
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-        )
-        parsed = furl(response.url)  # type: ignore
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        query_params = parsed.query.params
-        self.assertEqual(
-            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER],
-            "eherkenning_bewindvoering_oidc",
-        )
-
-    def test_redirect_to_eherkenning_bewindvoering_oidc_callback_error(self):
-        # set up session/state
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_bewindvoering_oidc")
-        response = self.client.get(start_url)
-        assert response.status_code == 302
-        assert response.url.startswith("http://provider.com")  # type: ignore
-
-        with patch(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.backends"
-            ".OIDCAuthenticationEHerkenningBewindvoeringBackend.verify_claims",
-            return_value=False,
-        ):
-            response = self.client.get(
-                reverse("eherkenning_bewindvoering_oidc:callback")
-            )
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.path, f"/{self.form.slug}/")
-        self.assertEqual(query_params["_start"], "1")
-        self.assertEqual(
-            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER],
-            "eherkenning_bewindvoering_oidc",
-        )
-
-    @override_settings(CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=[])
-    def test_redirect_to_disallowed_domain(self):
-        start_url = get_start_url(
-            self.form,
-            plugin_id="eherkenning_bewindvoering_oidc",
-            host="http://example.com",
-        )
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-
-    @override_settings(
-        CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=["http://example.com"]
-    )
-    def test_redirect_to_allowed_domain(self):
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        form_url = get_start_form_url(self.form, host="http://example.com")
-        start_url = get_start_url(
-            self.form,
-            plugin_id="eherkenning_bewindvoering_oidc",
-            host="http://example.com",
-        )
-
-        response = self.client.get(start_url)
-
-        with self.subTest("Sends user to IdP"):
-            self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-            self.assertTrue(response.url.startswith("http://provider.com/"))  # type: ignore
-
-        with self.subTest("Return state setup"):
-            oidc_login_next = furl(self.client.session["oidc_login_next"])
-            expected_next = reverse(
-                "authentication:return",
-                kwargs={
-                    "slug": self.form.slug,
-                    "plugin_id": "eherkenning_bewindvoering_oidc",
-                },
-            )
-            self.assertEqual(oidc_login_next.path, expected_next)
-            query_params = oidc_login_next.query.params
-            self.assertEqual(query_params["next"], form_url)
-
-    def test_redirect_with_keycloak_identity_provider_hint(self):
-        self.mock_config.return_value.oidc_keycloak_idp_hint = "oidc-eHerkenning-bewind"
-        self.requests_mocker.get(
-            "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-            status_code=200,
-        )
-        start_url = get_start_url(self.form, plugin_id="eherkenning_bewindvoering_oidc")
-
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-        parsed = furl(response.url)  # type: ignore
-        query_params = parsed.query.params
-        self.assertEqual(query_params["kc_idp_hint"], "oidc-eHerkenning-bewind")
-
-
-class AddClaimsToSessionTests(MockConfigMixin, TestCase):
-    def test_handle_return_without_claim_eherkenning_bewindvoering(self):
-        factory = APIRequestFactory()
-        request = factory.get("/xyz")
-        request.session = {}  # type: ignore
-
-        plugin = EHerkenningBewindvoeringOIDCAuthentication(identifier="boh")
-        plugin.add_claims_to_sessions_if_not_cosigning(claim="", request=request)
-
-        self.assertNotIn(FORM_AUTH_SESSION_KEY, request.session)
-
-    def test_handle_return_with_cosign_param_eherkenning_bewindvoering(self):
-        factory = APIRequestFactory()
-        request = factory.get(f"/xyz?{CO_SIGN_PARAMETER}=tralala")
-        request.session = {}  # type: ignore
-
-        plugin = EHerkenningBewindvoeringOIDCAuthentication(identifier="boh")
-        plugin.add_claims_to_sessions_if_not_cosigning(claim="tralala", request=request)
-
-        self.assertNotIn(FORM_AUTH_SESSION_KEY, request.session)
-
-    def test_handle_return_eherkenning_bewindvoering(self):
-        factory = APIRequestFactory()
-        request = factory.get("/xyz")
-        request.session = {  # type: ignore
-            EHERKENNING_BEWINDVOERING_OIDC_AUTH_SESSION_KEY: {
-                "aanvrager.bsn": "222222222"
-            }
-        }
-
-        plugin = EHerkenningBewindvoeringOIDCAuthentication(identifier="boh")
-
-        with patch(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.plugin.OpenIDConnectEHerkenningBewindvoeringConfig.get_solo",
-            return_value=OpenIDConnectEHerkenningBewindvoeringConfig(
-                vertegenwoordigde_company_claim_name="gemachtige.kvk",
-                gemachtigde_person_claim_name="aanvrager.bsn",
-            ),
-        ):
-            plugin.add_claims_to_sessions_if_not_cosigning(
-                claim={
-                    "gemachtige.kvk": "111111111",
-                },
-                request=request,
-            )
-
-        self.assertIn(FORM_AUTH_SESSION_KEY, request.session)
-        self.assertEqual(
-            {
-                "plugin": "boh",
-                "attribute": AuthAttribute.kvk,
-                "value": "111111111",
-                "machtigen": {"identifier_value": "222222222"},
-            },
-            request.session[FORM_AUTH_SESSION_KEY],
-        )
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_admin.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_admin.py
new file mode 100644
index 0000000000..ab07612aea
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_admin.py
@@ -0,0 +1,260 @@
+import json
+
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.test import override_settings
+from django.urls import reverse_lazy
+
+from django_webtest import WebTest
+from maykin_2fa.test import disable_admin_mfa
+
+from openforms.accounts.tests.factories import SuperUserFactory
+from openforms.forms.tests.factories import FormFactory
+
+from ..models import (
+    OFDigiDConfig,
+    OFDigiDMachtigenConfig,
+    OFEHerkenningBewindvoeringConfig,
+    OFEHerkenningConfig,
+)
+
+
+# disable django solo cache to prevent test isolation breakage
+@override_settings(SOLO_CACHE=None)
+@disable_admin_mfa()
+class AdminTestsBase(WebTest):
+    pass
+
+
+def _set_arrayfields(form, config: type[models.Model]) -> None:
+    """
+    Set the field values manually, normally this is done through JS in the admin.
+    """
+    fields = [f.name for f in config._meta.get_fields() if isinstance(f, ArrayField)]
+    for field in fields:
+        form[field] = json.dumps(getattr(config, field))
+
+
+class DigiDConfigAdminTests(AdminTestsBase):
+    CHANGE_PAGE_URL = reverse_lazy("admin:digid_eherkenning_oidc_ofdigidconfig_change")
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+
+        # minimal configuration to pass form validation & not do network IO
+        cls.config = config = OFDigiDConfig(
+            enabled=True,
+            oidc_rp_client_id="testclient",
+            oidc_rp_client_secret="secret",
+            oidc_op_authorization_endpoint="http://localhost/oidc/auth",
+            oidc_op_token_endpoint="http://localhost/oidc/token",
+            oidc_op_user_endpoint="http://localhost/oidc/userinfo",
+            oidc_op_logout_endpoint="http://localhost/oidc/logout",
+        )
+        config.save()
+        cls.user = SuperUserFactory.create()
+
+    def test_can_disable_backend_iff_unused_in_forms(self):
+        FormFactory.create(authentication_backends=["other-backend"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofdigidconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 302)
+        self.config.refresh_from_db()
+        self.assertFalse(self.config.enabled)
+
+    def test_cannot_disable_backend_if_used_in_any_form(self):
+        FormFactory.create(authentication_backends=["digid_oidc"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofdigidconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 200)  # there are validation errors
+        self.config.refresh_from_db()
+        self.assertTrue(self.config.enabled)
+
+    def test_leave_enabled(self):
+        FormFactory.create(authentication_backends=["other-backend"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofdigidconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # enable the backend
+        form["enabled"] = True
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 302)
+        self.config.refresh_from_db()
+        self.assertTrue(self.config.enabled)
+
+
+class DigiDMachtigenConfigAdminTests(AdminTestsBase):
+    CHANGE_PAGE_URL = reverse_lazy(
+        "admin:digid_eherkenning_oidc_ofdigidmachtigenconfig_change"
+    )
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+
+        # minimal configuration to pass form validation & not do network IO
+        cls.config = config = OFDigiDMachtigenConfig(
+            enabled=True,
+            oidc_rp_client_id="testclient",
+            oidc_rp_client_secret="secret",
+            oidc_op_authorization_endpoint="http://localhost/oidc/auth",
+            oidc_op_token_endpoint="http://localhost/oidc/token",
+            oidc_op_user_endpoint="http://localhost/oidc/userinfo",
+            oidc_op_logout_endpoint="http://localhost/oidc/logout",
+        )
+        config.save()
+        cls.user = SuperUserFactory.create()
+
+    def test_can_disable_backend_iff_unused_in_forms(self):
+        FormFactory.create(authentication_backends=["other-backend"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofdigidmachtigenconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 302)
+        self.config.refresh_from_db()
+        self.assertFalse(self.config.enabled)
+
+    def test_cannot_disable_backend_if_used_in_any_form(self):
+        FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofdigidmachtigenconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 200)  # there are validation errors
+        self.config.refresh_from_db()
+        self.assertTrue(self.config.enabled)
+
+
+class EHerkenningConfigAdminTests(AdminTestsBase):
+    CHANGE_PAGE_URL = reverse_lazy(
+        "admin:digid_eherkenning_oidc_ofeherkenningconfig_change"
+    )
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+
+        # minimal configuration to pass form validation & not do network IO
+        cls.config = config = OFEHerkenningConfig(
+            enabled=True,
+            oidc_rp_client_id="testclient",
+            oidc_rp_client_secret="secret",
+            oidc_op_authorization_endpoint="http://localhost/oidc/auth",
+            oidc_op_token_endpoint="http://localhost/oidc/token",
+            oidc_op_user_endpoint="http://localhost/oidc/userinfo",
+            oidc_op_logout_endpoint="http://localhost/oidc/logout",
+        )
+        config.save()
+        cls.user = SuperUserFactory.create()
+
+    def test_can_disable_backend_iff_unused_in_forms(self):
+        FormFactory.create(authentication_backends=["other-backend"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofeherkenningconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 302)
+        self.config.refresh_from_db()
+        self.assertFalse(self.config.enabled)
+
+    def test_cannot_disable_backend_if_used_in_any_form(self):
+        FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofeherkenningconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 200)  # there are validation errors
+        self.config.refresh_from_db()
+        self.assertTrue(self.config.enabled)
+
+
+class EHerkenningBewindvoeringConfigAdminTests(AdminTestsBase):
+    CHANGE_PAGE_URL = reverse_lazy(
+        "admin:digid_eherkenning_oidc_ofeherkenningbewindvoeringconfig_change"
+    )
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+
+        # minimal configuration to pass form validation & not do network IO
+        cls.config = config = OFEHerkenningBewindvoeringConfig(
+            enabled=True,
+            oidc_rp_client_id="testclient",
+            oidc_rp_client_secret="secret",
+            oidc_op_authorization_endpoint="http://localhost/oidc/auth",
+            oidc_op_token_endpoint="http://localhost/oidc/token",
+            oidc_op_user_endpoint="http://localhost/oidc/userinfo",
+            oidc_op_logout_endpoint="http://localhost/oidc/logout",
+        )
+        config.save()
+        cls.user = SuperUserFactory.create()
+
+    def test_can_disable_backend_iff_unused_in_forms(self):
+        FormFactory.create(authentication_backends=["other-backend"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofeherkenningbewindvoeringconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 302)
+        self.config.refresh_from_db()
+        self.assertFalse(self.config.enabled)
+
+    def test_cannot_disable_backend_if_used_in_any_form(self):
+        FormFactory.create(authentication_backends=["eherkenning_bewindvoering_oidc"])
+        change_page = self.app.get(self.CHANGE_PAGE_URL, user=self.user)
+
+        form = change_page.forms["ofeherkenningbewindvoeringconfig_form"]
+        _set_arrayfields(form, self.config)
+
+        # disable the backend
+        form["enabled"] = False
+        response = form.submit()
+
+        self.assertEqual(response.status_code, 200)  # there are validation errors
+        self.config.refresh_from_db()
+        self.assertTrue(self.config.enabled)
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_callbacks.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_callbacks.py
new file mode 100644
index 0000000000..96ae0969ca
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_callbacks.py
@@ -0,0 +1,486 @@
+"""
+Test the authentication flow for a form.
+
+These tests use VCR. When re-recording, making sure to:
+
+.. code-block:: bash
+
+    cd docker
+    docker compose -f docker-compose.keycloak.yml up
+
+to bring up a Keycloak instance.
+"""
+
+from django.test import tag
+
+import requests
+from furl import furl
+
+from openforms.accounts.tests.factories import StaffUserFactory
+from openforms.authentication.constants import FORM_AUTH_SESSION_KEY
+from openforms.authentication.tests.utils import URLsHelper
+from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
+from openforms.forms.tests.factories import FormFactory
+from openforms.utils.tests.keycloak import keycloak_login
+
+from .base import (
+    IntegrationTestsBase,
+    mock_digid_config,
+    mock_digid_machtigen_config,
+    mock_eherkenning_bewindvoering_config,
+    mock_eherkenning_config,
+)
+
+
+class DigiDCallbackTests(IntegrationTestsBase):
+    """
+    Test the return/callback side after authenticating with the identity provider.
+    """
+
+    @mock_digid_config()
+    def test_redirects_after_successful_auth(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_oidc")
+        start_response = self.app.get(start_url)
+
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(start_response["Location"])
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        self.assertEqual(callback_response.request.url, url_helper.frontend_start)
+
+    @mock_digid_config(bsn_claim="absent-claim")
+    def test_failing_claim_verification(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_oidc")
+        start_response = self.app.get(start_url)
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(start_response["Location"])
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        # XXX: shouldn't this be "digid" so that the correct error message is rendered?
+        # Query: ?_digid-message=error
+        expected_url = furl(url_helper.frontend_start).add(
+            {BACKEND_OUTAGE_RESPONSE_PARAMETER: "digid_oidc"}
+        )
+        self.assertEqual(callback_response.request.url, str(expected_url))
+        self.assertNotIn(FORM_AUTH_SESSION_KEY, self.app.session)
+
+    @tag("gh-3656", "gh-3692")
+    @mock_digid_config(oidc_rp_scopes_list=["badscope"])
+    def test_digid_error_reported_for_cancelled_login_anon_django_user(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_oidc")
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        # modify the error parameters - there doesn't seem to be an obvious way to trigger
+        # this via keycloak itself.
+        # Note: this is an example of a specific provider. It may differ when a
+        # different provider is used. According to
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
+        # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the
+        # error we expect from OIDC.
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_digid-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+    @tag("gh-3656", "gh-3692")
+    @mock_digid_config(oidc_rp_scopes_list=["badscope"])
+    def test_digid_error_reported_for_cancelled_login_with_staff_django_user(self):
+        self.app.set_user(StaffUserFactory.create())
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_oidc")
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_digid-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+
+class EHerkenningCallbackTests(IntegrationTestsBase):
+    """
+    Test the return/callback side after authenticating with the identity provider.
+    """
+
+    @mock_eherkenning_config()
+    def test_redirects_after_successful_auth(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="eherkenning_oidc")
+        start_response = self.app.get(start_url)
+
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(start_response["Location"])
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        self.assertEqual(callback_response.request.url, url_helper.frontend_start)
+
+    @mock_eherkenning_config(legal_subject_claim="absent-claim")
+    def test_failing_claim_verification(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="eherkenning_oidc")
+        start_response = self.app.get(start_url)
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(start_response["Location"])
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        # XXX: shouldn't this be "eherkenning" so that the correct error message is rendered?
+        # Query: ?_eherkenning-message=error
+        expected_url = furl(url_helper.frontend_start).add(
+            {BACKEND_OUTAGE_RESPONSE_PARAMETER: "eherkenning_oidc"}
+        )
+        self.assertEqual(callback_response.request.url, str(expected_url))
+        self.assertNotIn(FORM_AUTH_SESSION_KEY, self.app.session)
+
+    @tag("gh-3656", "gh-3692")
+    @mock_eherkenning_config(oidc_rp_scopes_list=["badscope"])
+    def test_eherkenning_error_reported_for_cancelled_login_anon_django_user(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="eherkenning_oidc")
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        # modify the error parameters - there doesn't seem to be an obvious way to trigger
+        # this via keycloak itself.
+        # Note: this is an example of a specific provider. It may differ when a
+        # different provider is used. According to
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
+        # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the
+        # error we expect from OIDC.
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_eherkenning-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+    @tag("gh-3656", "gh-3692")
+    @mock_eherkenning_config(oidc_rp_scopes_list=["badscope"])
+    def test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user(
+        self,
+    ):
+        self.app.set_user(StaffUserFactory.create())
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="eherkenning_oidc")
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_eherkenning-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+
+class DigiDMachtigenCallbackTests(IntegrationTestsBase):
+    """
+    Test the return/callback side after authenticating with the identity provider.
+    """
+
+    @mock_digid_machtigen_config()
+    def test_redirects_after_successful_auth(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_machtigen_oidc")
+        start_response = self.app.get(start_url)
+
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"],
+            username="digid-machtigen",
+            password="digid-machtigen",
+        )
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        self.assertEqual(callback_response.request.url, url_helper.frontend_start)
+
+    @mock_digid_machtigen_config(
+        representee_bsn_claim="absent-claim",
+        authorizee_bsn_claim="absent-claim",
+    )
+    def test_failing_claim_verification(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_machtigen_oidc")
+        start_response = self.app.get(start_url)
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"],
+            username="digid-machtigen",
+            password="digid-machtigen",
+        )
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        # XXX: shouldn't this be "digid" so that the correct error message is rendered?
+        # Query: ?_digid-message=error
+        expected_url = furl(url_helper.frontend_start).add(
+            {BACKEND_OUTAGE_RESPONSE_PARAMETER: "digid_machtigen_oidc"}
+        )
+        self.assertEqual(callback_response.request.url, str(expected_url))
+        self.assertNotIn(FORM_AUTH_SESSION_KEY, self.app.session)
+
+    @tag("gh-3656", "gh-3692")
+    @mock_digid_machtigen_config(oidc_rp_scopes_list=["badscope"])
+    def test_digid_error_reported_for_cancelled_login_anon_django_user(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_machtigen_oidc")
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        # modify the error parameters - there doesn't seem to be an obvious way to trigger
+        # this via keycloak itself.
+        # Note: this is an example of a specific provider. It may differ when a
+        # different provider is used. According to
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
+        # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the
+        # error we expect from OIDC.
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_digid-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+    @tag("gh-3656", "gh-3692")
+    @mock_digid_machtigen_config(oidc_rp_scopes_list=["badscope"])
+    def test_digid_error_reported_for_cancelled_login_with_staff_django_user(self):
+        self.app.set_user(StaffUserFactory.create())
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_machtigen_oidc")
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_digid-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+
+class EHerkenningBewindvoeringCallbackTests(IntegrationTestsBase):
+    """
+    Test the return/callback side after authenticating with the identity provider.
+    """
+
+    @mock_eherkenning_bewindvoering_config()
+    def test_redirects_after_successful_auth(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+        start_response = self.app.get(start_url)
+
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"],
+            username="eherkenning-bewindvoering",
+            password="eherkenning-bewindvoering",
+        )
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        self.assertEqual(callback_response.request.url, url_helper.frontend_start)
+
+    @mock_eherkenning_bewindvoering_config(
+        legal_subject_claim="absent-claim",
+        representee_claim="absent-claim",
+    )
+    def test_failing_claim_verification(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+        start_response = self.app.get(start_url)
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"],
+            username="eherkenning-bewindvoering",
+            password="eherkenning-bewindvoering",
+        )
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        # XXX: shouldn't this be "eherkenning" so that the correct error message is rendered?
+        # Query: ?_eherkenning-message=error
+        expected_url = furl(url_helper.frontend_start).add(
+            {BACKEND_OUTAGE_RESPONSE_PARAMETER: "eherkenning_bewindvoering_oidc"}
+        )
+        self.assertEqual(callback_response.request.url, str(expected_url))
+        self.assertNotIn(FORM_AUTH_SESSION_KEY, self.app.session)
+
+    @tag("gh-3656", "gh-3692")
+    @mock_eherkenning_bewindvoering_config(oidc_rp_scopes_list=["badscope"])
+    def test_eherkenning_error_reported_for_cancelled_login_anon_django_user(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        # modify the error parameters - there doesn't seem to be an obvious way to trigger
+        # this via keycloak itself.
+        # Note: this is an example of a specific provider. It may differ when a
+        # different provider is used. According to
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthError and
+        # https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2.1 , this is the
+        # error we expect from OIDC.
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_eherkenning-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
+
+    @tag("gh-3656", "gh-3692")
+    @mock_eherkenning_bewindvoering_config(oidc_rp_scopes_list=["badscope"])
+    def test_eherkenning_error_reported_for_cancelled_login_with_staff_django_user(
+        self,
+    ):
+        self.app.set_user(StaffUserFactory.create())
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+        # initialize state, but don't actually log in - we have an invalid config and
+        # keycloak redirects back to our callback URL with error parameters.
+        start_response = self.app.get(start_url)
+        auth_response = requests.get(start_response["Location"], allow_redirects=False)
+        # check out assumptions/expectations before proceeding
+        callback_url = furl(auth_response.headers["Location"])
+        assert callback_url.netloc == "testserver"
+        assert "state" in callback_url.args
+        callback_url.args.update(
+            {"error": "access_denied", "error_description": "The user cancelled"}
+        )
+
+        callback_response = self.app.get(str(callback_url), auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        expected_url = furl(url_helper.frontend_start).add(
+            {"_eherkenning-message": "login-cancelled"}
+        )
+        assert BACKEND_OUTAGE_RESPONSE_PARAMETER not in expected_url.args
+        self.assertEqual(callback_response.request.url, str(expected_url))
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_init.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_init.py
new file mode 100644
index 0000000000..06e0883958
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_init.py
@@ -0,0 +1,283 @@
+"""
+Test the authentication flow for a form.
+
+These tests use VCR. When re-recording, making sure to:
+
+.. code-block:: bash
+
+    cd docker
+    docker compose -f docker-compose.keycloak.yml up
+
+to bring up a Keycloak instance.
+"""
+
+from django.urls import reverse_lazy
+
+from furl import furl
+
+from openforms.authentication.tests.utils import URLsHelper
+from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
+from openforms.forms.tests.factories import FormFactory
+
+from .base import (
+    IntegrationTestsBase,
+    mock_digid_config,
+    mock_digid_machtigen_config,
+    mock_eherkenning_bewindvoering_config,
+    mock_eherkenning_config,
+)
+
+
+class DigiDInitTests(IntegrationTestsBase):
+    """
+    Test the outbound part of OIDC-based DigiD authentication.
+    """
+
+    CALLBACK_URL = f"http://testserver{reverse_lazy('digid_oidc:callback')}"
+
+    @mock_digid_config()
+    def test_start_flow_redirects_to_oidc_provider(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(plugin_id="digid_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_target = furl(response["Location"])
+        query_params = redirect_target.query.params
+        self.assertEqual(redirect_target.host, "localhost")
+        self.assertEqual(redirect_target.port, 8080)
+        self.assertEqual(
+            redirect_target.path,
+            "/realms/test/protocol/openid-connect/auth",
+        )
+        self.assertEqual(query_params["scope"], "openid bsn")
+        self.assertEqual(query_params["client_id"], "testid")
+        self.assertEqual(query_params["redirect_uri"], self.CALLBACK_URL)
+
+    @mock_digid_config(
+        oidc_op_authorization_endpoint="http://localhost:8080/i-dont-exist"
+    )
+    def test_idp_availability_check(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.host, "testserver")
+        self.assertEqual(redirect_url.path, url_helper.form_path)
+        query_params = redirect_url.query.params
+        self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_oidc")
+
+    @mock_digid_config(oidc_keycloak_idp_hint="oidc-digid")
+    def test_keycloak_idp_hint_is_respected(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.args["kc_idp_hint"], "oidc-digid")
+
+
+class EHerkenningInitTests(IntegrationTestsBase):
+    """
+    Test the outbound part of OIDC-based eHerkenning authentication.
+    """
+
+    CALLBACK_URL = f"http://testserver{reverse_lazy('eherkenning_oidc:callback')}"
+
+    @mock_eherkenning_config()
+    def test_start_flow_redirects_to_oidc_provider(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(plugin_id="eherkenning_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_target = furl(response["Location"])
+        query_params = redirect_target.query.params
+        self.assertEqual(redirect_target.host, "localhost")
+        self.assertEqual(redirect_target.port, 8080)
+        self.assertEqual(
+            redirect_target.path,
+            "/realms/test/protocol/openid-connect/auth",
+        )
+        self.assertEqual(query_params["scope"], "openid kvk")
+        self.assertEqual(query_params["client_id"], "testid")
+        self.assertEqual(query_params["redirect_uri"], self.CALLBACK_URL)
+
+    @mock_eherkenning_config(
+        oidc_op_authorization_endpoint="http://localhost:8080/i-dont-exist"
+    )
+    def test_idp_availability_check(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="eherkenning_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.host, "testserver")
+        self.assertEqual(redirect_url.path, url_helper.form_path)
+        query_params = redirect_url.query.params
+        self.assertEqual(
+            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "eherkenning_oidc"
+        )
+
+    @mock_eherkenning_config(oidc_keycloak_idp_hint="oidc-eherkenning")
+    def test_keycloak_idp_hint_is_respected(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="eherkenning_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.args["kc_idp_hint"], "oidc-eherkenning")
+
+
+class DigiDMachtigenInitTests(IntegrationTestsBase):
+    """
+    Test the outbound part of OIDC-based DigiD machtigen authentication.
+    """
+
+    CALLBACK_URL = f"http://testserver{reverse_lazy('digid_machtigen_oidc:callback')}"
+
+    @mock_digid_machtigen_config()
+    def test_start_flow_redirects_to_oidc_provider(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(
+            plugin_id="digid_machtigen_oidc"
+        )
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_target = furl(response["Location"])
+        query_params = redirect_target.query.params
+        self.assertEqual(redirect_target.host, "localhost")
+        self.assertEqual(redirect_target.port, 8080)
+        self.assertEqual(
+            redirect_target.path,
+            "/realms/test/protocol/openid-connect/auth",
+        )
+        self.assertEqual(query_params["scope"], "openid bsn")
+        self.assertEqual(query_params["client_id"], "testid")
+        self.assertEqual(query_params["redirect_uri"], self.CALLBACK_URL)
+
+    @mock_digid_machtigen_config(
+        oidc_op_authorization_endpoint="http://localhost:8080/i-dont-exist"
+    )
+    def test_idp_availability_check(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_machtigen_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.host, "testserver")
+        self.assertEqual(redirect_url.path, url_helper.form_path)
+        query_params = redirect_url.query.params
+        self.assertEqual(
+            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "digid_machtigen_oidc"
+        )
+
+    @mock_digid_machtigen_config(oidc_keycloak_idp_hint="oidc-digid-machtigen")
+    def test_keycloak_idp_hint_is_respected(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="digid_machtigen_oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.args["kc_idp_hint"], "oidc-digid-machtigen")
+
+
+class EHerkenningBewindvoeringInitTests(IntegrationTestsBase):
+    """
+    Test the outbound part of OIDC-based eHerkenning_bewindvoering authentication.
+    """
+
+    CALLBACK_URL = (
+        f"http://testserver{reverse_lazy('eherkenning_bewindvoering_oidc:callback')}"
+    )
+
+    @mock_eherkenning_bewindvoering_config()
+    def test_start_flow_redirects_to_oidc_provider(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        start_url = URLsHelper(form=form).get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_target = furl(response["Location"])
+        query_params = redirect_target.query.params
+        self.assertEqual(redirect_target.host, "localhost")
+        self.assertEqual(redirect_target.port, 8080)
+        self.assertEqual(
+            redirect_target.path,
+            "/realms/test/protocol/openid-connect/auth",
+        )
+        self.assertEqual(query_params["scope"], "openid bsn")
+        self.assertEqual(query_params["client_id"], "testid")
+        self.assertEqual(query_params["redirect_uri"], self.CALLBACK_URL)
+
+    @mock_eherkenning_bewindvoering_config(
+        oidc_op_authorization_endpoint="http://localhost:8080/i-dont-exist"
+    )
+    def test_idp_availability_check(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.host, "testserver")
+        self.assertEqual(redirect_url.path, url_helper.form_path)
+        query_params = redirect_url.query.params
+        self.assertEqual(
+            query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER],
+            "eherkenning_bewindvoering_oidc",
+        )
+
+    @mock_eherkenning_bewindvoering_config(
+        oidc_keycloak_idp_hint="oidc-eherkenning-bewindvoering"
+    )
+    def test_keycloak_idp_hint_is_respected(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(
+            redirect_url.args["kc_idp_hint"], "oidc-eherkenning-bewindvoering"
+        )
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_logout.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_logout.py
new file mode 100644
index 0000000000..83b4b1efda
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_auth_flow_logout.py
@@ -0,0 +1,263 @@
+"""
+Test that logouts in our application propagate to the OpenID Connect provider.
+
+See the standard: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout,
+section '2.  RP-Initiated Logout'.
+
+This is tested against Keycloak, which seems to take some liberties, most notably:
+
+    by redirecting the End-User's User Agent to the OP's Logout Endpoint
+
+KC appears to support logout with an API call too, rather than redirecting the user's
+browser to this endpoint.
+
+The specification appears to allow for this though, by providing the `id_token_hint`
+parameter. If this is not provided, then section '6. Security considerations' says:
+
+    Logout requests without a valid id_token_hint value are a potential means of denial
+    of service; therefore, OPs should obtain explicit confirmation from the End-User
+    before acting upon them.
+
+Terms:
+
+Relying Party (RP)
+    The application using OpenID Connect, Open Forms in this case.
+
+OpenID Provider (OP)
+    The application acting as an identity provider, Keycloak in this case.
+"""
+
+import uuid
+
+from django_webtest import DjangoTestApp
+from furl import furl
+from requests import Session
+from rest_framework.test import APIRequestFactory
+
+from openforms.authentication.registry import register
+from openforms.authentication.tests.utils import URLsHelper
+from openforms.forms.tests.factories import FormFactory
+from openforms.utils.tests.keycloak import keycloak_login
+
+from ..plugin import OIDC_ID_TOKEN_SESSION_KEY
+from .base import (
+    IntegrationTestsBase,
+    mock_digid_config,
+    mock_digid_machtigen_config,
+    mock_eherkenning_bewindvoering_config,
+    mock_eherkenning_config,
+)
+
+
+class LogoutTestsMixin:
+    app: DjangoTestApp
+
+    def _do_keycloak_login(
+        self, session: Session, start_url: str, username: str, password: str
+    ) -> str:
+        """
+        Login to keycloak and capture the callback URL to finish the OIDC flow.
+        """
+        start_response1 = self.app.get(start_url)
+        # login to Keycloak - this sets up a session in keycloak
+        redirect_uri1 = keycloak_login(
+            start_response1["Location"],
+            username=username,
+            password=password,
+            session=session,
+        )
+        login_code1 = furl(redirect_uri1).args["code"]
+        assert login_code1
+
+        # now hit the auth flow again to verify that we don't need to enter credentials
+        # again while still logged in on the OpenID Provider side of things.
+        start_response2 = self.app.get(start_url)
+        resp = session.get(start_response2["Location"], allow_redirects=False)
+        assert resp.status_code == 302
+        redirect_uri2 = resp.headers["Location"]
+        login_code2 = furl(redirect_uri2).args["code"]
+        assert login_code2 and login_code2 != login_code1
+
+        return redirect_uri2
+
+    def _do_plugin_logout(self, plugin_id: str) -> None:
+        request = APIRequestFactory().delete(
+            f"/api/v2/authentication/{uuid.uuid4()}/session"
+        )
+        request.session = self.app.session  # type: ignore
+        plugin = register[plugin_id]
+        plugin.logout(request)
+        if not isinstance(request.session, dict):
+            request.session.save()
+
+    def assertNotLoggedInToKeycloak(self, session: Session, start_url: str):
+        start_response = self.app.get(start_url)
+        login_response = session.get(start_response["Location"], allow_redirects=False)
+        # presents the login screen again, if we were still logged in, this would be a
+        # HTTP 302 redirect to the callback endpoint
+        self.assertEqual(login_response.status_code, 200)  # type: ignore
+
+
+class DigiDLogoutTests(LogoutTestsMixin, IntegrationTestsBase):
+    """
+    Test the (RP-initiated) logout flow for the DigiD plugin.
+    """
+
+    @mock_digid_config()
+    def test_logout_also_logs_out_user_in_openid_provider(self):
+        form = FormFactory.create(authentication_backends=["digid_oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(plugin_id="digid_oidc")
+        # use shared session to maintain cookie state
+        session = Session()
+        self.addCleanup(session.close)
+        callback_url = self._do_keycloak_login(
+            session, start_url, username="testuser", password="testuser"
+        )
+        # proceed by completing the login flow
+        callback_response = self.app.get(callback_url, auto_follow=True)
+        assert callback_response.status_code == 200
+        assert OIDC_ID_TOKEN_SESSION_KEY in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        self._do_plugin_logout("digid_oidc")
+
+        self.assertNotIn(OIDC_ID_TOKEN_SESSION_KEY, self.app.session)
+        self.assertNotLoggedInToKeycloak(session, start_url)
+
+    @mock_digid_config()
+    def test_logout_with_empty_session(self):
+        assert OIDC_ID_TOKEN_SESSION_KEY not in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        try:
+            self._do_plugin_logout("digid_oidc")
+        except Exception as exc:
+            raise self.failureException(
+                "Logout with empty session unexpectedly crashed"
+            ) from exc
+
+
+class EHerkenningLogoutTests(LogoutTestsMixin, IntegrationTestsBase):
+    """
+    Test the (RP-initiated) logout flow for the eHerkenning plugin.
+    """
+
+    @mock_eherkenning_config()
+    def test_logout_also_logs_out_user_in_openid_provider(self):
+        form = FormFactory.create(authentication_backends=["eherkenning_oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(plugin_id="eherkenning_oidc")
+        # use shared session to maintain cookie state
+        session = Session()
+        self.addCleanup(session.close)
+        callback_url = self._do_keycloak_login(
+            session, start_url, username="testuser", password="testuser"
+        )
+        # proceed by completing the login flow
+        callback_response = self.app.get(callback_url, auto_follow=True)
+        assert callback_response.status_code == 200
+        assert OIDC_ID_TOKEN_SESSION_KEY in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        self._do_plugin_logout("eherkenning_oidc")
+
+        self.assertNotIn(OIDC_ID_TOKEN_SESSION_KEY, self.app.session)
+        self.assertNotLoggedInToKeycloak(session, start_url)
+
+    @mock_eherkenning_config()
+    def test_logout_with_empty_session(self):
+        assert OIDC_ID_TOKEN_SESSION_KEY not in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        try:
+            self._do_plugin_logout("eherkenning_oidc")
+        except Exception as exc:
+            raise self.failureException(
+                "Logout with empty session unexpectedly crashed"
+            ) from exc
+
+
+class DigiDMachtigenLogoutTests(LogoutTestsMixin, IntegrationTestsBase):
+    """
+    Test the (RP-initiated) logout flow for the DigiD Nachtigen plugin.
+    """
+
+    @mock_digid_machtigen_config()
+    def test_logout_also_logs_out_user_in_openid_provider(self):
+        form = FormFactory.create(authentication_backends=["digid_machtigen_oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(
+            plugin_id="digid_machtigen_oidc"
+        )
+        # use shared session to maintain cookie state
+        session = Session()
+        self.addCleanup(session.close)
+        callback_url = self._do_keycloak_login(
+            session, start_url, username="digid-machtigen", password="digid-machtigen"
+        )
+        # proceed by completing the login flow
+        callback_response = self.app.get(callback_url, auto_follow=True)
+        assert callback_response.status_code == 200
+        assert OIDC_ID_TOKEN_SESSION_KEY in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        self._do_plugin_logout("digid_machtigen_oidc")
+
+        self.assertNotIn(OIDC_ID_TOKEN_SESSION_KEY, self.app.session)
+        self.assertNotLoggedInToKeycloak(session, start_url)
+
+    @mock_digid_machtigen_config()
+    def test_logout_with_empty_session(self):
+        assert OIDC_ID_TOKEN_SESSION_KEY not in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        try:
+            self._do_plugin_logout("digid_machtigen_oidc")
+        except Exception as exc:
+            raise self.failureException(
+                "Logout with empty session unexpectedly crashed"
+            ) from exc
+
+
+class EHerkenningBewindvoeringLogoutTests(LogoutTestsMixin, IntegrationTestsBase):
+    """
+    Test the (RP-initiated) logout flow for the eHerkenning Bewindvoering plugin.
+    """
+
+    @mock_eherkenning_bewindvoering_config()
+    def test_logout_also_logs_out_user_in_openid_provider(self):
+        form = FormFactory.create(
+            authentication_backends=["eherkenning_bewindvoering_oidc"]
+        )
+        start_url = URLsHelper(form=form).get_auth_start(
+            plugin_id="eherkenning_bewindvoering_oidc"
+        )
+        # use shared session to maintain cookie state
+        session = Session()
+        self.addCleanup(session.close)
+        callback_url = self._do_keycloak_login(
+            session,
+            start_url,
+            username="eherkenning-bewindvoering",
+            password="eherkenning-bewindvoering",
+        )
+        # proceed by completing the login flow
+        callback_response = self.app.get(callback_url, auto_follow=True)
+        assert callback_response.status_code == 200
+        assert OIDC_ID_TOKEN_SESSION_KEY in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        self._do_plugin_logout("eherkenning_bewindvoering_oidc")
+
+        self.assertNotIn(OIDC_ID_TOKEN_SESSION_KEY, self.app.session)
+        self.assertNotLoggedInToKeycloak(session, start_url)
+
+    @mock_eherkenning_bewindvoering_config()
+    def test_logout_with_empty_session(self):
+        assert OIDC_ID_TOKEN_SESSION_KEY not in self.app.session
+
+        # now, initiate the logout, which must trigger the OP logout too
+        try:
+            self._do_plugin_logout("eherkenning_bewindvoering_oidc")
+        except Exception as exc:
+            raise self.failureException(
+                "Logout with empty session unexpectedly crashed"
+            ) from exc
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_configuration.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_configuration.py
new file mode 100644
index 0000000000..85786b8162
--- /dev/null
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/test_configuration.py
@@ -0,0 +1,65 @@
+from django.test import TestCase, override_settings
+from django.urls import reverse
+
+from mozilla_django_oidc_db.views import OIDCInit
+
+from ..models import (
+    OFDigiDConfig,
+    OFDigiDMachtigenConfig,
+    OFEHerkenningBewindvoeringConfig,
+    OFEHerkenningConfig,
+)
+
+
+class CallbackURLConfigurationTests(TestCase):
+    """
+    Test the legacy and new behaviour for the OIDC Redirect URIs for each config.
+    """
+
+    def setUp(self):
+        super().setUp()
+
+        self.addCleanup(OFDigiDConfig.clear_cache)
+        self.addCleanup(OFEHerkenningConfig.clear_cache)
+        self.addCleanup(OFDigiDMachtigenConfig.clear_cache)
+        self.addCleanup(OFEHerkenningBewindvoeringConfig.clear_cache)
+
+    def test_default_settings_backwards_compatible(self):
+        cases = (
+            (OFDigiDConfig, "/digid-oidc/callback/"),
+            (OFEHerkenningConfig, "/eherkenning-oidc/callback/"),
+            (OFDigiDMachtigenConfig, "/digid-machtigen-oidc/callback/"),
+            (
+                OFEHerkenningBewindvoeringConfig,
+                "/eherkenning-bewindvoering-oidc/callback/",
+            ),
+        )
+
+        for config_cls, expected_url in cases:
+            with self.subTest(config_cls=config_cls, expected_url=expected_url):
+                # use an init view to decouple the implementation details from the
+                # desired behaviour.
+                view = OIDCInit(config_class=config_cls)
+
+                url = reverse(view.get_settings("OIDC_AUTHENTICATION_CALLBACK_URL"))
+
+                self.assertEqual(url, expected_url)
+
+    @override_settings(USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=False)
+    def test_new_behaviour(self):
+        cases = (
+            OFDigiDConfig,
+            OFEHerkenningConfig,
+            OFDigiDMachtigenConfig,
+            OFEHerkenningBewindvoeringConfig,
+        )
+
+        for config_cls in cases:
+            with self.subTest(config_cls=config_cls):
+                # use an init view to decouple the implementation details from the
+                # desired behaviour.
+                view = OIDCInit(config_class=config_cls)
+
+                url = reverse(view.get_settings("OIDC_AUTHENTICATION_CALLBACK_URL"))
+
+                self.assertEqual(url, "/auth/oidc/callback/")
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/views.py b/src/openforms/authentication/contrib/digid_eherkenning_oidc/views.py
index 02302aaa9c..b4cd33dc19 100644
--- a/src/openforms/authentication/contrib/digid_eherkenning_oidc/views.py
+++ b/src/openforms/authentication/contrib/digid_eherkenning_oidc/views.py
@@ -1,127 +1,134 @@
 import logging
 
-from furl import furl
+from django.http import HttpRequest
 
-from digid_eherkenning_oidc_generics.mixins import (
-    SoloConfigDigiDMachtigenMixin,
-    SoloConfigDigiDMixin,
-    SoloConfigEHerkenningBewindvoeringMixin,
-    SoloConfigEHerkenningMixin,
-)
-from digid_eherkenning_oidc_generics.views import (
+from digid_eherkenning.oidc.models import OpenIDConnectBaseConfig
+from digid_eherkenning.oidc.views import (
     OIDCAuthenticationCallbackView as _OIDCAuthenticationCallbackView,
 )
+from furl import furl
+from mozilla_django_oidc_db.config import lookup_config
+from mozilla_django_oidc_db.views import _RETURN_URL_SESSION_KEY, OIDCInit
+
 from openforms.authentication.contrib.digid.views import (
     DIGID_MESSAGE_PARAMETER,
     LOGIN_CANCELLED,
 )
-from openforms.authentication.contrib.eherkenning.views import MESSAGE_PARAMETER
+from openforms.authentication.contrib.eherkenning.views import (
+    MESSAGE_PARAMETER as EH_MESSAGE_PARAMETER,
+)
 
 from ...views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-from .backends import (
-    OIDCAuthenticationDigiDBackend,
-    OIDCAuthenticationDigiDMachtigenBackend,
-    OIDCAuthenticationEHerkenningBackend,
-    OIDCAuthenticationEHerkenningBewindvoeringBackend,
+from .models import (
+    OFDigiDConfig,
+    OFDigiDMachtigenConfig,
+    OFEHerkenningBewindvoeringConfig,
+    OFEHerkenningConfig,
 )
 
 logger = logging.getLogger(__name__)
 
 
 class OIDCAuthenticationCallbackView(_OIDCAuthenticationCallbackView):
-    def get(self, request):
-        self._redirect_next = request.session.get("of_redirect_next")
+    """
+    Relay error messages back to the frontend.
+
+    This custom callback view relays any failures back to the public frontend URL of the
+    form by setting the appropriate outage parameter and/or message.
+    """
+
+    expect_django_user: bool = False  # do NOT create real Django users
+
+    _redirect_next: str
+
+    def get(self, request: HttpRequest):
+        # grab where the redirect next from the session and store it as a temporary
+        # attribute. in the event that the failure url needs to be overridden, we
+        # then have the value available even *after* mozilla_django_oidc has flushed
+        # the session.
+        self._redirect_next = request.session.get(_RETURN_URL_SESSION_KEY, "")
         return super().get(request)
 
     def get_error_message_parameters(
-        self, parameter: str, problem_code: str
+        self, error: str, error_description: str
     ) -> tuple[str, str]:
         """
         Return a tuple of the parameter type and the problem code.
         """
-        return (
-            parameter or BACKEND_OUTAGE_RESPONSE_PARAMETER,
-            problem_code or self.plugin_identifier,
+        from .plugin import (
+            DigiDMachtigenOIDCAuthentication,
+            DigiDOIDCAuthentication,
+            EHerkenningBewindvoeringOIDCAuthentication,
+            eHerkenningOIDCAuthentication,
+            get_config_to_plugin,
         )
 
+        config_to_plugin = get_config_to_plugin()
+        config_class = lookup_config(self.request)
+        assert issubclass(config_class, OpenIDConnectBaseConfig)
+        plugin = config_to_plugin[config_class]
+
+        match error, error_description, plugin:
+
+            case (
+                "access_denied",
+                "The user cancelled",
+                DigiDOIDCAuthentication() | DigiDMachtigenOIDCAuthentication(),
+            ):
+                return (DIGID_MESSAGE_PARAMETER, LOGIN_CANCELLED)
+
+            case (
+                "access_denied",
+                "The user cancelled",
+                eHerkenningOIDCAuthentication()
+                | EHerkenningBewindvoeringOIDCAuthentication(),
+            ):
+                eh_message_parameter = EH_MESSAGE_PARAMETER % {
+                    "plugin_id": plugin.identifier.split("_")[0]
+                }
+                return (eh_message_parameter, LOGIN_CANCELLED)
+
+            case _:
+                return (BACKEND_OUTAGE_RESPONSE_PARAMETER, plugin.identifier)
+
     @property
-    def failure_url(self):
+    def failure_url(self) -> str:
         """
-        On failure, redirect to the form with an appropriate error message
+        On failure, redirect to the form with an appropriate error message.
         """
-        f = furl(self._redirect_next or self.get_settings("LOGIN_REDIRECT_URL", "/"))
-        f = furl(f.args["next"])
+        # this is expected to be the auth plugin return url, set by the OIDCInit view
+        plugin_return_url = furl(
+            self._redirect_next or self.get_settings("LOGIN_REDIRECT_URL", "/")
+        )
+        # this URL is expected to have a ?next query param pointing back to the frontend
+        # where the form is rendered/embedded
+        _next = plugin_return_url.args["next"]
+        assert isinstance(_next, str)
+        form_url = furl(_next)
 
         parameter, problem_code = self.get_error_message_parameters(
-            self.request.GET.get("error", ""),
-            self.request.GET.get("error_description", ""),
+            error=self.request.GET.get("error", ""),
+            error_description=self.request.GET.get("error_description", ""),
         )
-        f.args[parameter] = problem_code
-
-        return f.url
-
-
-class DigiDOIDCAuthenticationCallbackView(
-    SoloConfigDigiDMixin, OIDCAuthenticationCallbackView
-):
-    plugin_identifier = "digid_oidc"
-    auth_backend_class = OIDCAuthenticationDigiDBackend
-
-    def get_error_message_parameters(
-        self, error: str, error_description: str
-    ) -> tuple[str, str]:
-        if error == "access_denied" and error_description == "The user cancelled":
-            return (DIGID_MESSAGE_PARAMETER, LOGIN_CANCELLED)
-
-        return (BACKEND_OUTAGE_RESPONSE_PARAMETER, self.plugin_identifier)
-
+        form_url.args[parameter] = problem_code
+        return form_url.url
 
-class eHerkenningOIDCAuthenticationCallbackView(
-    SoloConfigEHerkenningMixin, OIDCAuthenticationCallbackView
-):
-    plugin_identifier = "eherkenning_oidc"
-    auth_backend_class = OIDCAuthenticationEHerkenningBackend
 
-    def get_error_message_parameters(
-        self, error: str, error_description: str
-    ) -> tuple[str, str]:
-        if error == "access_denied" and error_description == "The user cancelled":
-            return (
-                MESSAGE_PARAMETER % {"plugin_id": self.plugin_identifier.split("_")[0]},
-                LOGIN_CANCELLED,
-            )
-
-        return (BACKEND_OUTAGE_RESPONSE_PARAMETER, self.plugin_identifier)
-
-
-class DigiDMachtigenOIDCAuthenticationCallbackView(
-    SoloConfigDigiDMachtigenMixin, OIDCAuthenticationCallbackView
-):
-    plugin_identifier = "digid_machtigen_oidc"
-    auth_backend_class = OIDCAuthenticationDigiDMachtigenBackend
-
-    def get_error_message_parameters(
-        self, error: str, error_description: str
-    ) -> tuple[str, str]:
-        if error == "access_denied" and error_description == "The user cancelled":
-            return (DIGID_MESSAGE_PARAMETER, LOGIN_CANCELLED)
-
-        return (BACKEND_OUTAGE_RESPONSE_PARAMETER, self.plugin_identifier)
-
-
-class EHerkenningBewindvoeringOIDCAuthenticationCallbackView(
-    SoloConfigEHerkenningBewindvoeringMixin, OIDCAuthenticationCallbackView
-):
-    plugin_identifier = "eherkenning_bewindvoering_oidc"
-    auth_backend_class = OIDCAuthenticationEHerkenningBewindvoeringBackend
-
-    def get_error_message_parameters(
-        self, error: str, error_description: str
-    ) -> tuple[str, str]:
-        if error == "access_denied" and error_description == "The user cancelled":
-            return (
-                MESSAGE_PARAMETER % {"plugin_id": self.plugin_identifier.split("_")[0]},
-                LOGIN_CANCELLED,
-            )
+digid_init = OIDCInit.as_view(
+    config_class=OFDigiDConfig,
+    allow_next_from_query=False,
+)
+digid_machtigen_init = OIDCInit.as_view(
+    config_class=OFDigiDMachtigenConfig,
+    allow_next_from_query=False,
+)
+eherkenning_init = OIDCInit.as_view(
+    config_class=OFEHerkenningConfig,
+    allow_next_from_query=False,
+)
+eherkenning_bewindvoering_init = OIDCInit.as_view(
+    config_class=OFEHerkenningBewindvoeringConfig,
+    allow_next_from_query=False,
+)
 
-        return (BACKEND_OUTAGE_RESPONSE_PARAMETER, self.plugin_identifier)
+callback_view = OIDCAuthenticationCallbackView.as_view()
diff --git a/src/openforms/authentication/contrib/org_oidc/backends.py b/src/openforms/authentication/contrib/org_oidc/backends.py
deleted file mode 100644
index cb0ce1fbb6..0000000000
--- a/src/openforms/authentication/contrib/org_oidc/backends.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from mozilla_django_oidc_db.backends import (
-    OIDCAuthenticationBackend as _OIDCAuthenticationBackend,
-)
-
-from .mixins import SoloConfigMixin
-
-
-class OIDCAuthenticationBackend(SoloConfigMixin, _OIDCAuthenticationBackend):
-    @classmethod
-    def get_import_path(cls):
-        # needed for auth.login()/auth.logout()
-        return f"{cls.__module__}.{cls.__qualname__}"
diff --git a/src/openforms/authentication/contrib/org_oidc/migrations/0001_initial.py b/src/openforms/authentication/contrib/org_oidc/migrations/0001_initial.py
new file mode 100644
index 0000000000..fddcd47bc6
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/migrations/0001_initial.py
@@ -0,0 +1,25 @@
+# Generated by Django 4.2.11 on 2024-05-23 15:22
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("mozilla_django_oidc_db", "0002_migrate_to_claim_field"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="OrgOpenIDConnectConfig",
+            fields=[],
+            options={
+                "proxy": True,
+                "indexes": [],
+                "constraints": [],
+            },
+            bases=("mozilla_django_oidc_db.openidconnectconfig",),
+        ),
+    ]
diff --git a/src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/__init__.py b/src/openforms/authentication/contrib/org_oidc/migrations/__init__.py
similarity index 100%
rename from src/openforms/authentication/contrib/digid_eherkenning_oidc/tests/digid/__init__.py
rename to src/openforms/authentication/contrib/org_oidc/migrations/__init__.py
diff --git a/src/openforms/authentication/contrib/org_oidc/mixins.py b/src/openforms/authentication/contrib/org_oidc/mixins.py
deleted file mode 100644
index 2d2d46384d..0000000000
--- a/src/openforms/authentication/contrib/org_oidc/mixins.py
+++ /dev/null
@@ -1,18 +0,0 @@
-from mozilla_django_oidc_db.mixins import SoloConfigMixin as _SoloConfigMixin
-from mozilla_django_oidc_db.models import OpenIDConnectConfig
-
-
-class SoloConfigMixin(_SoloConfigMixin):
-    config_class = OpenIDConnectConfig
-
-    plugin_identifier = "org-oidc"
-
-    # override some settings we don't want configurable
-    oidc_authentication_callback_url = "org-oidc:callback"
-    oidc_redirect_field_name = "next"
-
-    def get_settings(self, attr, *args):
-        attr_lowercase = attr.lower()
-        if hasattr(self, attr_lowercase):
-            return getattr(self, attr_lowercase)
-        return super().get_settings(attr, *args)
diff --git a/src/openforms/authentication/contrib/org_oidc/models.py b/src/openforms/authentication/contrib/org_oidc/models.py
new file mode 100644
index 0000000000..1eb079c201
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/models.py
@@ -0,0 +1,30 @@
+import warnings
+
+from django.conf import settings
+from django.utils.functional import classproperty
+
+from mozilla_django_oidc_db.models import OpenIDConnectConfig
+
+
+class OrgOpenIDConnectConfig(OpenIDConnectConfig):
+    class Meta:
+        proxy = True
+
+    @classproperty
+    def oidcdb_check_idp_availability(cls) -> bool:
+        return True
+
+    @classproperty
+    def oidc_authentication_callback_url(cls) -> str:  # type: ignore
+        if settings.USE_LEGACY_ORG_OIDC_ENDPOINTS:
+            warnings.warn(
+                "Legacy DigiD-eHerkenning callback endpoints will be removed in 3.0",
+                DeprecationWarning,
+            )
+            return "org-oidc-callback"
+        return "oidc_authentication_callback"
+
+    def get_callback_view(self):
+        from .views import callback_view
+
+        return callback_view
diff --git a/src/openforms/authentication/contrib/org_oidc/plugin.py b/src/openforms/authentication/contrib/org_oidc/plugin.py
index bf143ef1e6..d92ab4293a 100644
--- a/src/openforms/authentication/contrib/org_oidc/plugin.py
+++ b/src/openforms/authentication/contrib/org_oidc/plugin.py
@@ -1,17 +1,28 @@
 from django.contrib import auth
 from django.http import HttpRequest, HttpResponseBadRequest, HttpResponseRedirect
 from django.templatetags.static import static
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext, gettext_lazy as _
 
+from mozilla_django_oidc_db.views import OIDCInit
+
+from openforms.accounts.models import User
 from openforms.forms.models import Form
 from openforms.utils.urls import reverse_plus
 
 from ...base import BasePlugin, LoginLogo
 from ...constants import FORM_AUTH_SESSION_KEY, AuthAttribute, LogoAppearance
 from ...registry import register
+from .models import OrgOpenIDConnectConfig
+
+PLUGIN_IDENTIFIER = "org-oidc"
+
+oidc_init = OIDCInit.as_view(
+    config_class=OrgOpenIDConnectConfig,
+    allow_next_from_query=False,
+)
 
 
-@register("org-oidc")
+@register(PLUGIN_IDENTIFIER)
 class OIDCAuthentication(BasePlugin):
     """
     Authentication plugin using the global mozilla-django-oidc-db (as used for the admin)
@@ -21,34 +32,30 @@ class OIDCAuthentication(BasePlugin):
     provides_auth = AuthAttribute.employee_id
 
     def start_login(self, request: HttpRequest, form: Form, form_url: str):
-        auth_return_url = reverse_plus(
+        return_url = reverse_plus(
             "authentication:return",
             kwargs={"slug": form.slug, "plugin_id": self.identifier},
             request=request,
-            query={
-                "next": form_url,
-            },
-        )
-        redirect_url = reverse_plus(
-            "org-oidc:init",
-            request=request,
-            query={
-                "next": auth_return_url,
-            },
+            query={"next": form_url},
         )
         if request.user.is_authenticated:
             # logout user if logged in with other account
-            # this is relevant when staff users are already logged in, the OIDC state/redirects get confused,
-            #   and could send the user back to the admin instead of the form.
-            # this is likely because it picks a .success_url instead of session data
+            # this is relevant when staff users are already logged in, the OIDC
+            # state/redirects get confused, and could send the user back to the admin
+            # instead of the form. # this is likely because it picks a .success_url
+            # instead of session data
             auth.logout(request)
-        return HttpResponseRedirect(redirect_url)
+
+        response = oidc_init(request, return_url=return_url)
+        assert isinstance(response, HttpResponseRedirect)
+        return response
 
     def handle_return(self, request, form):
         """
         Redirect to form URL.
         """
         assert request.user.is_authenticated
+        assert isinstance(request.user, User)
 
         form_url = request.GET.get("next")
         if not form_url:
@@ -79,7 +86,7 @@ def logout(self, request: HttpRequest):
             assert not request.user.is_authenticated
 
     def get_label(self):
-        return _("OpenID Connect")
+        return gettext("OpenID Connect")
 
     def get_logo(self, request: HttpRequest) -> LoginLogo:
         return LoginLogo(
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/base.py b/src/openforms/authentication/contrib/org_oidc/tests/base.py
new file mode 100644
index 0000000000..4b09c3cc40
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/base.py
@@ -0,0 +1,31 @@
+from functools import partial
+from pathlib import Path
+
+from django.test import override_settings
+
+from django_webtest import WebTest
+
+from openforms.utils.tests.keycloak import mock_oidc_db_config
+from openforms.utils.tests.vcr import OFVCRMixin
+
+TEST_FILES = (Path(__file__).parent / "data").resolve()
+
+
+mock_org_oidc_config = partial(
+    mock_oidc_db_config,
+    app_label="authentication_org_oidc",
+    model="OrgOpenIDConnectConfig",
+    id=1,  # required for the group queries because we're using in-memory objects
+    oidc_rp_scopes_list=["openid", "email", "profile"],
+    username_claim=["preferred_username"],
+    claim_mapping={
+        "email": ["email"],
+        "employee_id": ["preferred_username"],
+    },
+    groups_claim=["groups"],
+)
+
+
+@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
+class IntegrationTestsBase(OFVCRMixin, WebTest):
+    VCR_TEST_FILES = TEST_FILES
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_failing_claim_verification.yaml b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_failing_claim_verification.yaml
new file mode 100644
index 0000000000..6fb7097c53
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_failing_claim_verification.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+email+profile&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Forg-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"21409fca-22ee-4b5b-acb9-1af85993d2af\",\n
+        \             \"1Ny6e8qA11s\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=1Ny6e8qA11s&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=geH0fJZKQdbUzuM7JbByYOV8X8Z9ilYQTOs2GL--eac&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=1Ny6e8qA11s\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=21409fca-22ee-4b5b-acb9-1af85993d2af; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=21409fca-22ee-4b5b-acb9-1af85993d2af; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.PVsoxNQ0-_nJN1HEGMJ6H1byID8wg96CZXFzWiaCgQk;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=21409fca-22ee-4b5b-acb9-1af85993d2af; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.PVsoxNQ0-_nJN1HEGMJ6H1byID8wg96CZXFzWiaCgQk
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=geH0fJZKQdbUzuM7JbByYOV8X8Z9ilYQTOs2GL--eac&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=1Ny6e8qA11s
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/org-oidc/callback/?state=not-a-random-string&session_state=21409fca-22ee-4b5b-acb9-1af85993d2af&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=3d18ef85-6e9e-4edf-af74-448e46a08359.21409fca-22ee-4b5b-acb9-1af85993d2af.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTU0NjYsImlhdCI6MTcxODYxOTQ2NiwianRpIjoiMjJiNDVlM2UtZGViOC00YjcwLTlhNjQtM2E3MTUwY2MxMDI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJzaWQiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJzdGF0ZV9jaGVja2VyIjoiX0c0TkNKZjVYTVgwOE9XSjBmS2dSc2g5d3ZXNlAtaGs0WnpYNlpvNi1FRSJ9.DpIfsvg9MP97soD-1Vr7KQo2wsrNGGUrXiagvXoxTOE;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTU0NjYsImlhdCI6MTcxODYxOTQ2NiwianRpIjoiMjJiNDVlM2UtZGViOC00YjcwLTlhNjQtM2E3MTUwY2MxMDI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJzaWQiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJzdGF0ZV9jaGVja2VyIjoiX0c0TkNKZjVYTVgwOE9XSjBmS2dSc2g5d3ZXNlAtaGs0WnpYNlpvNi1FRSJ9.DpIfsvg9MP97soD-1Vr7KQo2wsrNGGUrXiagvXoxTOE;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/21409fca-22ee-4b5b-acb9-1af85993d2af;
+        Version=1; Expires=Mon, 17-Jun-2024 20:17:46 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/21409fca-22ee-4b5b-acb9-1af85993d2af;
+        Version=1; Expires=Mon, 17-Jun-2024 20:17:46 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=3d18ef85-6e9e-4edf-af74-448e46a08359.21409fca-22ee-4b5b-acb9-1af85993d2af.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Forg-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '271'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjYsImlhdCI6MTcxODYxOTQ2NiwiYXV0aF90aW1lIjoxNzE4NjE5NDY2LCJqdGkiOiJjODIyMjNlZC03Yzc4LTQzMGMtOWUxZC02ZGMwY2I5N2FkNzMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjIxNDA5ZmNhLTIyZWUtNGI1Yi1hY2I5LTFhZjg1OTkzZDJhZiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjIxNDA5ZmNhLTIyZWUtNGI1Yi1hY2I5LTFhZjg1OTkzZDJhZiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.X4GEqnD5FZWP_VCa4rwIOe2RZ1a3ddItOEjka_fnkx2F2qB6epkpiiM2eGH49pbhvctnvWT5GLj19XZw4NQUI-wygrMwIf7zNB5MLAh8TOew0kzujoltQKo6WgjwIUY2DrH4TyyrmBMuMqZ5NHSFwBlwnchOJSKQCo-zt0RmpMTqVFm74vCp_J-TQ8Ba_mgGVdP3oTUvTbk-D0716IJepji6vgK8Sla3WmvHVMgWDzLal9kmsx6CwqPQHnGcsHGi3O053tZu8k-5q3HnucwAMVy8MlcHfzfz0rgULWR2ZKtWNwn8xCPQ-3aQNgiskqNC4X5fvkaUk3KMVbULmTKS-g","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2MjEyNjYsImlhdCI6MTcxODYxOTQ2NiwianRpIjoiNWU1OGIwZDMtOTU0Mi00NzBiLWJkY2ItZGQ5NWQxYjM1MzQxIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiMjE0MDlmY2EtMjJlZS00YjViLWFjYjktMWFmODU5OTNkMmFmIn0.c-wrpZzKZM_q1AV3djPbmNkiq7KouYlR8AK6FWNOt40","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjYsImlhdCI6MTcxODYxOTQ2NiwiYXV0aF90aW1lIjoxNzE4NjE5NDY2LCJqdGkiOiIyNmY5OGM2Yi0wOWFkLTRkYzctYWRlNy03ZGVlNzdiY2UyOTIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJhdF9oYXNoIjoiSjZIdXNSRHAwcWY5R1pmcUVnenV1ZyIsImFjciI6IjEiLCJzaWQiOiIyMTQwOWZjYS0yMmVlLTRiNWItYWNiOS0xYWY4NTk5M2QyYWYiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.nXX0tUqTUVeUPnDK5QRpMPwYK5u8j-eOdsOKuhdHMyG_FhKyPlYl_Ghi6obexUt_z66AY7soHuNgd8dNAxsEvJg2OSsLqQOCQHDUPXufP1K4ZOlap1YMd4ttLEMXd3v_oOdqSmQrIYQPWMhjRymwha2ZXX0TI1xK0H2TtgivV92Uyoq_7r6Xl3qmKNIGgMWjXnQp7jPklVfOoQfAELaW9b0wywzecr_Zmce1Y7E3j_Xq5zjwUEWoqU5JoiQ0RW06AsVCY3f1YkjXMltbioe7BZwJOBzT7Psva0No3NwsuFc_9BvVy_px2abnfessynQnCv93F_bsh25U0IzBpDy_xg","not-before-policy":0,"session_state":"21409fca-22ee-4b5b-acb9-1af85993d2af","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjYsImlhdCI6MTcxODYxOTQ2NiwiYXV0aF90aW1lIjoxNzE4NjE5NDY2LCJqdGkiOiJjODIyMjNlZC03Yzc4LTQzMGMtOWUxZC02ZGMwY2I5N2FkNzMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjIxNDA5ZmNhLTIyZWUtNGI1Yi1hY2I5LTFhZjg1OTkzZDJhZiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjIxNDA5ZmNhLTIyZWUtNGI1Yi1hY2I5LTFhZjg1OTkzZDJhZiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.X4GEqnD5FZWP_VCa4rwIOe2RZ1a3ddItOEjka_fnkx2F2qB6epkpiiM2eGH49pbhvctnvWT5GLj19XZw4NQUI-wygrMwIf7zNB5MLAh8TOew0kzujoltQKo6WgjwIUY2DrH4TyyrmBMuMqZ5NHSFwBlwnchOJSKQCo-zt0RmpMTqVFm74vCp_J-TQ8Ba_mgGVdP3oTUvTbk-D0716IJepji6vgK8Sla3WmvHVMgWDzLal9kmsx6CwqPQHnGcsHGi3O053tZu8k-5q3HnucwAMVy8MlcHfzfz0rgULWR2ZKtWNwn8xCPQ-3aQNgiskqNC4X5fvkaUk3KMVbULmTKS-g
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.vx4dCJ-Y-PEzjy8p7CNPB3yy0TyV_QugOHRbiV6UY3qHtZUnZqSsJD991QUostcYECuyTHefqfRtdCbvSJcPWI4ucosY65vshUMBtQeahsFOgNwWp2BvCkALJmEya4H_gh63vVlVZ2ZOSpWpah6eV2PNhiiYWD-Y9qEuLMzwngNvp5hna30BiRKAEsStB7izjE5pGECqkQm7pxCeZWHU81Lbh5fSo_2XvcGZ1Z-tf6DN95Oz4ers9YrG6dKSuh-HciY1zhv7mcee_tlJaeKjITue6r06163oKdjsYKRpiR4bLQ9256KafoxmU6O0IIlpkQhmtXrmaFSg0XyBYU8qcQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '813'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_logout_clears_session.yaml b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_logout_clears_session.yaml
new file mode 100644
index 0000000000..f56c42ccdb
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_logout_clears_session.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+email+profile&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Forg-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"94e938cf-5713-4a8a-8949-6199dd3c7060\",\n
+        \             \"FBfqZdNCHlE\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=FBfqZdNCHlE&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=FoJaNyMsk4dhREemdWfeyDNDJWEseKlnopSUUeAjJyw&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=FBfqZdNCHlE\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=94e938cf-5713-4a8a-8949-6199dd3c7060; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=94e938cf-5713-4a8a-8949-6199dd3c7060; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.PVsoxNQ0-_nJN1HEGMJ6H1byID8wg96CZXFzWiaCgQk;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=94e938cf-5713-4a8a-8949-6199dd3c7060; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.PVsoxNQ0-_nJN1HEGMJ6H1byID8wg96CZXFzWiaCgQk
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=FoJaNyMsk4dhREemdWfeyDNDJWEseKlnopSUUeAjJyw&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=FBfqZdNCHlE
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/org-oidc/callback/?state=not-a-random-string&session_state=94e938cf-5713-4a8a-8949-6199dd3c7060&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=b5b35b66-98a6-4d20-8f86-5f05b3032ddd.94e938cf-5713-4a8a-8949-6199dd3c7060.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTU0NjcsImlhdCI6MTcxODYxOTQ2NywianRpIjoiMzYwZmM3NWItNTk0My00MzA2LTg3MDYtYzViZDRhZGU4MGY3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJzaWQiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJzdGF0ZV9jaGVja2VyIjoic2Q2RWpseTFONGsycUZRM1Zsem9XN3FSUUZuSkJWSWlrZjVCX3EzbHliUSJ9.gE9M6x3HgJw1iJ18teNC5wU81sKwQz2Dva75Kp1z-xw;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTU0NjcsImlhdCI6MTcxODYxOTQ2NywianRpIjoiMzYwZmM3NWItNTk0My00MzA2LTg3MDYtYzViZDRhZGU4MGY3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJzaWQiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJzdGF0ZV9jaGVja2VyIjoic2Q2RWpseTFONGsycUZRM1Zsem9XN3FSUUZuSkJWSWlrZjVCX3EzbHliUSJ9.gE9M6x3HgJw1iJ18teNC5wU81sKwQz2Dva75Kp1z-xw;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/94e938cf-5713-4a8a-8949-6199dd3c7060;
+        Version=1; Expires=Mon, 17-Jun-2024 20:17:47 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/94e938cf-5713-4a8a-8949-6199dd3c7060;
+        Version=1; Expires=Mon, 17-Jun-2024 20:17:47 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=b5b35b66-98a6-4d20-8f86-5f05b3032ddd.94e938cf-5713-4a8a-8949-6199dd3c7060.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Forg-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '271'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjcsImlhdCI6MTcxODYxOTQ2NywiYXV0aF90aW1lIjoxNzE4NjE5NDY3LCJqdGkiOiIzNTZjNTU3Yy1hMTE4LTQwMjItYjJiMy04NTU3MzEzYzQ5M2IiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZTkzOGNmLTU3MTMtNGE4YS04OTQ5LTYxOTlkZDNjNzA2MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6Ijk0ZTkzOGNmLTU3MTMtNGE4YS04OTQ5LTYxOTlkZDNjNzA2MCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.q4ofWD-sgmuBm3fJJ2KYL0Py6IMkzxyAlK2EofrU3AZsp7aPc749KpLg1E1QRMeV6HIQClXQw87DT5RfF6b6u310716GTJQS5_xo3xsSCnOSjDCmbSExSDYcnaigh8l18G1WJM2AvypD0rbwwZNcJuZHkRIH85B317j5lOA9cx0jncYR--IKQ_XkFtY_mLoa_e-JXA3ZI_G06ry_AaYk4uZNY8bOI9K_6oOT4toZzqjZf5uIWSN1n8snMBqtxGPum9vCYafhV05gcCHRHiVaD3v-FVkmIUsvuJaF7n1ltU-moQEI315tV2QSk6PvQIiQNFDKQM9oYMrxkYon4r_YCQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2MjEyNjcsImlhdCI6MTcxODYxOTQ2NywianRpIjoiN2ZlNmU4N2ItMmIzMC00NTZjLWJiNGEtMTZiNzZlZjI5ZDdhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiOTRlOTM4Y2YtNTcxMy00YThhLTg5NDktNjE5OWRkM2M3MDYwIn0.FN8xZ6scIMxv5mnLtvj1CFWwYZsBaWov15LhMDWzCTI","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjcsImlhdCI6MTcxODYxOTQ2NywiYXV0aF90aW1lIjoxNzE4NjE5NDY3LCJqdGkiOiJjYTZhYjYyMS1lYmQxLTQ0MzAtYjVhNS1jYmQzNGFmY2ExMmQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJhdF9oYXNoIjoiUlhfT0Z3eXd6UlJEOTZaODRzak0wUSIsImFjciI6IjEiLCJzaWQiOiI5NGU5MzhjZi01NzEzLTRhOGEtODk0OS02MTk5ZGQzYzcwNjAiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.XO1TGW2w4iHybMdSej1wDlmcvqr6UoJAXrAJWsDMODCSVVL2q4WNGra4gMEad1nxJ3HKy3HJwNCNaYmK58ZnMl-Z6qqodtwt7tZ3OXcDFuxPGxL2b3va3UH06GYBWNtadEFBEbeYaxJDnJ1ClL1gNi88jsHlvCAOWvL8ct8BvmP8s2xWIeDyxtiiFKpmEPkU8IvBJSLtjBcvhs3owgleaHFzFikP92sIwnnvlcnS4scG56RAf0fthia7GqP-rnSOZV-J09i2TrCuEoMBErC5a5DpHOH3Y4EOZA5mV8REvtBPWKqMtSE-TU6YlPrszyTIokMx37yh1mNbaICiHr8G3A","not-before-policy":0,"session_state":"94e938cf-5713-4a8a-8949-6199dd3c7060","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjcsImlhdCI6MTcxODYxOTQ2NywiYXV0aF90aW1lIjoxNzE4NjE5NDY3LCJqdGkiOiIzNTZjNTU3Yy1hMTE4LTQwMjItYjJiMy04NTU3MzEzYzQ5M2IiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZTkzOGNmLTU3MTMtNGE4YS04OTQ5LTYxOTlkZDNjNzA2MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6Ijk0ZTkzOGNmLTU3MTMtNGE4YS04OTQ5LTYxOTlkZDNjNzA2MCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.q4ofWD-sgmuBm3fJJ2KYL0Py6IMkzxyAlK2EofrU3AZsp7aPc749KpLg1E1QRMeV6HIQClXQw87DT5RfF6b6u310716GTJQS5_xo3xsSCnOSjDCmbSExSDYcnaigh8l18G1WJM2AvypD0rbwwZNcJuZHkRIH85B317j5lOA9cx0jncYR--IKQ_XkFtY_mLoa_e-JXA3ZI_G06ry_AaYk4uZNY8bOI9K_6oOT4toZzqjZf5uIWSN1n8snMBqtxGPum9vCYafhV05gcCHRHiVaD3v-FVkmIUsvuJaF7n1ltU-moQEI315tV2QSk6PvQIiQNFDKQM9oYMrxkYon4r_YCQ
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.vx4dCJ-Y-PEzjy8p7CNPB3yy0TyV_QugOHRbiV6UY3qHtZUnZqSsJD991QUostcYECuyTHefqfRtdCbvSJcPWI4ucosY65vshUMBtQeahsFOgNwWp2BvCkALJmEya4H_gh63vVlVZ2ZOSpWpah6eV2PNhiiYWD-Y9qEuLMzwngNvp5hna30BiRKAEsStB7izjE5pGECqkQm7pxCeZWHU81Lbh5fSo_2XvcGZ1Z-tf6DN95Oz4ers9YrG6dKSuh-HciY1zhv7mcee_tlJaeKjITue6r06163oKdjsYKRpiR4bLQ9256KafoxmU6O0IIlpkQhmtXrmaFSg0XyBYU8qcQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '813'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_redirects_after_successful_auth.yaml b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_redirects_after_successful_auth.yaml
new file mode 100644
index 0000000000..8abd1bf137
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCCallbackTests/OrgOIDCCallbackTests.test_redirects_after_successful_auth.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+email+profile&client_id=testid&redirect_uri=http%3A%2F%2Ftestserver%2Forg-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b\",\n
+        \             \"xTw7RWpE_iw\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=xTw7RWpE_iw&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=jhqkJzjDgj-jlabYBghyCO9l9yobat4bGu_mOk8nFGw&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=xTw7RWpE_iw\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.PVsoxNQ0-_nJN1HEGMJ6H1byID8wg96CZXFzWiaCgQk;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vdGVzdHNlcnZlci9vcmctb2lkYy9jYWxsYmFjay8iLCJzdGF0ZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmciLCJub25jZSI6Im5vdC1hLXJhbmRvbS1zdHJpbmcifX0.PVsoxNQ0-_nJN1HEGMJ6H1byID8wg96CZXFzWiaCgQk
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=jhqkJzjDgj-jlabYBghyCO9l9yobat4bGu_mOk8nFGw&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=xTw7RWpE_iw
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://testserver/org-oidc/callback/?state=not-a-random-string&session_state=1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=f045d507-e425-45fa-b1f4-d0376792320b.1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTU0NjYsImlhdCI6MTcxODYxOTQ2NiwianRpIjoiODBjNDM4ZWUtZGFkYS00OTFmLWFiYTktMjdhZTc5MGYxMmQ1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJzaWQiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJzdGF0ZV9jaGVja2VyIjoiamRGWVJGTHd2UnYxa2t5Mk9lM2JzZkNCSWJwaVhNLU5NdFBRdVRGbmFjMCJ9.9I-mUw8bQrod1Ai1a9kmeKElZuQGc2cfvbrH00DEbo8;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTU0NjYsImlhdCI6MTcxODYxOTQ2NiwianRpIjoiODBjNDM4ZWUtZGFkYS00OTFmLWFiYTktMjdhZTc5MGYxMmQ1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJzaWQiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJzdGF0ZV9jaGVja2VyIjoiamRGWVJGTHd2UnYxa2t5Mk9lM2JzZkNCSWJwaVhNLU5NdFBRdVRGbmFjMCJ9.9I-mUw8bQrod1Ai1a9kmeKElZuQGc2cfvbrH00DEbo8;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b;
+        Version=1; Expires=Mon, 17-Jun-2024 20:17:46 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b;
+        Version=1; Expires=Mon, 17-Jun-2024 20:17:46 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=f045d507-e425-45fa-b1f4-d0376792320b.1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Ftestserver%2Forg-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '271'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjYsImlhdCI6MTcxODYxOTQ2NiwiYXV0aF90aW1lIjoxNzE4NjE5NDY2LCJqdGkiOiJlNWZlMGY0Ny1iODU4LTQ1MTktOGRiYi1lYzcwOTM5MmU2ZGIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjFiNmJjMjhjLTExNmMtNDhmZi1hMWQ2LTRiYjdiYjVmY2Y0YiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjFiNmJjMjhjLTExNmMtNDhmZi1hMWQ2LTRiYjdiYjVmY2Y0YiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.fIneplc6raa75jQjieY37KZKajgJVqyQpcRpMTba3QNA-yrvL8NtALhRwqTCFtZsmsP9hvqRrzCpiwy-PrvkcSw6i526TMAevD840YxnHpd5wv6DfcWEncHl18n3adZuxubAqSG9CTnS_G3QFW_DCyMxkDDM10J_hEuFqdUOOV6DGJPPCwnUrOyRwTLY0mA2qbAkeflEftXLZJ2NcKpX-owEsJtVyzyPeGvbiRQEx5Gt5FF9ODUog27FLkxJ8N3mt9YVbyTqrrjR9YY4zZrKsyLz88LackCs_reCxp5Ihb344G7qkDF3BDO19MoCFFdA0AS8bNVr8GPPEp7V4e8XeQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2MjEyNjYsImlhdCI6MTcxODYxOTQ2NiwianRpIjoiMzVjMDY0ZTgtZGNjZC00MjgwLThiOTMtMTNkM2UwYWZmOTE3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiMWI2YmMyOGMtMTE2Yy00OGZmLWExZDYtNGJiN2JiNWZjZjRiIn0.KdiWK1x-lAZpLdO2fOKkt27pyNvw8anUBw9gy_4S_Nk","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjYsImlhdCI6MTcxODYxOTQ2NiwiYXV0aF90aW1lIjoxNzE4NjE5NDY2LCJqdGkiOiJjMmZkYmM1NS02MjM5LTQ4YWEtOGMyNC1kNjdhOGZiZTIwYjkiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJhdF9oYXNoIjoiUllaUHNpRC1uRk8xMmRaZ08xanhfQSIsImFjciI6IjEiLCJzaWQiOiIxYjZiYzI4Yy0xMTZjLTQ4ZmYtYTFkNi00YmI3YmI1ZmNmNGIiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.GvMenUspM--Mybpz5wiFQNhDYJE9wgYpYxb56VylBPL-N0DhOhaT84uu0JgXduTeKi6G3WRJV6HycOm_eNPHOhE5TWMsxG5zkGwDiUApFUdaxpQf_IP30ZVHXGOsi7DyVCknnZy2_Y71-k8PrfNGOMoh4AkkcgMogI8Caeuq3dqUGmPo2d1aU1jF2NQISP33Zr5qIVJQYSrQPK4waynnXXShSNn-DRdA5jkRIygZcOuyWiIfSBJYSBbrVQGSSC7a5qrHBtDPD7xe8f1pZK9hxaK-WiyUmQYn2n4TTkAy5OkI0vOF9oc7SLH5kxFeFLUTHCqShilgTenH1uIatjjNBA","not-before-policy":0,"session_state":"1b6bc28c-116c-48ff-a1d6-4bb7bb5fcf4b","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MTk3NjYsImlhdCI6MTcxODYxOTQ2NiwiYXV0aF90aW1lIjoxNzE4NjE5NDY2LCJqdGkiOiJlNWZlMGY0Ny1iODU4LTQ1MTktOGRiYi1lYzcwOTM5MmU2ZGIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6IjFiNmJjMjhjLTExNmMtNDhmZi1hMWQ2LTRiYjdiYjVmY2Y0YiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6IjFiNmJjMjhjLTExNmMtNDhmZi1hMWQ2LTRiYjdiYjVmY2Y0YiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.fIneplc6raa75jQjieY37KZKajgJVqyQpcRpMTba3QNA-yrvL8NtALhRwqTCFtZsmsP9hvqRrzCpiwy-PrvkcSw6i526TMAevD840YxnHpd5wv6DfcWEncHl18n3adZuxubAqSG9CTnS_G3QFW_DCyMxkDDM10J_hEuFqdUOOV6DGJPPCwnUrOyRwTLY0mA2qbAkeflEftXLZJ2NcKpX-owEsJtVyzyPeGvbiRQEx5Gt5FF9ODUog27FLkxJ8N3mt9YVbyTqrrjR9YY4zZrKsyLz88LackCs_reCxp5Ihb344G7qkDF3BDO19MoCFFdA0AS8bNVr8GPPEp7V4e8XeQ
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.vx4dCJ-Y-PEzjy8p7CNPB3yy0TyV_QugOHRbiV6UY3qHtZUnZqSsJD991QUostcYECuyTHefqfRtdCbvSJcPWI4ucosY65vshUMBtQeahsFOgNwWp2BvCkALJmEya4H_gh63vVlVZ2ZOSpWpah6eV2PNhiiYWD-Y9qEuLMzwngNvp5hna30BiRKAEsStB7izjE5pGECqkQm7pxCeZWHU81Lbh5fSo_2XvcGZ1Z-tf6DN95Oz4ers9YrG6dKSuh-HciY1zhv7mcee_tlJaeKjITue6r06163oKdjsYKRpiR4bLQ9256KafoxmU6O0IIlpkQhmtXrmaFSg0XyBYU8qcQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '813'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_idp_availability_check.yaml b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_idp_availability_check.yaml
new file mode 100644
index 0000000000..d512781a71
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_idp_availability_check.yaml
@@ -0,0 +1,26 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/i-dont-exist
+  response:
+    body:
+      string: '{"error":"Unable to find matching target resource method"}'
+    headers:
+      Content-Type:
+      - application/json
+      content-length:
+      - '58'
+    status:
+      code: 404
+      message: Not Found
+version: 1
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_start_flow_logs_out_existing_user.yaml b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_start_flow_logs_out_existing_user.yaml
new file mode 100644
index 0000000000..d14e754130
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_start_flow_logs_out_existing_user.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_start_flow_redirects_to_oidc_provider.yaml b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_start_flow_redirects_to_oidc_provider.yaml
new file mode 100644
index 0000000000..d14e754130
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/data/vcr_cassettes/OrgOIDCInitTests/OrgOIDCInitTests.test_start_flow_redirects_to_oidc_provider.yaml
@@ -0,0 +1,59 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+version: 1
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_callbacks.py b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_callbacks.py
new file mode 100644
index 0000000000..aa63fef47f
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_callbacks.py
@@ -0,0 +1,105 @@
+"""
+Test the authentication flow for a form.
+
+These tests use VCR. When re-recording, making sure to:
+
+.. code-block:: bash
+
+    cd docker
+    docker compose -f docker-compose.keycloak.yml up
+
+to bring up a Keycloak instance.
+"""
+
+from django.contrib.auth.models import Group
+from django.test import override_settings
+
+from furl import furl
+
+from openforms.accounts.models import User
+from openforms.authentication.constants import FORM_AUTH_SESSION_KEY, AuthAttribute
+from openforms.authentication.tests.utils import URLsHelper
+from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
+from openforms.forms.tests.factories import FormFactory
+from openforms.utils.tests.keycloak import keycloak_login
+from openforms.utils.urls import reverse_plus
+
+from .base import IntegrationTestsBase, mock_org_oidc_config
+
+
+@override_settings(BASE_URL="http://testserver")
+class OrgOIDCCallbackTests(IntegrationTestsBase):
+    """
+    Test the return/callback side after authenticating with the identity provider.
+    """
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+
+        # grab user group (from default_groups fixture)
+        assert Group.objects.filter(
+            name__iexact="Registreerders"
+        ).exists(), "Group with required permissions is missing"
+
+    @mock_org_oidc_config()
+    def test_redirects_after_successful_auth(self):
+        form = FormFactory.create(authentication_backends=["org-oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="org-oidc")
+        start_response = self.app.get(start_url)
+
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"], username="admin", password="admin"
+        )
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        self.assertEqual(callback_response.status_code, 200)
+        self.assertTrue(callback_response.context["user"].is_authenticated)
+
+        with self.subTest("redirect state"):
+            subject_url = reverse_plus(
+                "authentication:registrator-subject",
+                kwargs={"slug": form.slug},
+                query={"next": url_helper.frontend_start},
+            )
+            self.assertEqual(callback_response.request.url, subject_url)
+
+        with self.subTest("created user"):
+            self.assertEqual(User.objects.count(), 1)
+            user = User.objects.get()
+            self.assertEqual(user.username, "admin")
+            self.assertEqual(user.email, "admin@example.com")
+            self.assertEqual(user.employee_id, "admin")
+
+        # check our session data
+        self.assertIn(FORM_AUTH_SESSION_KEY, self.app.session)
+        s = self.app.session[FORM_AUTH_SESSION_KEY]
+        self.assertEqual(s["plugin"], "org-oidc")
+        self.assertEqual(s["attribute"], AuthAttribute.employee_id)
+        self.assertEqual(s["value"], "admin")
+
+    @mock_org_oidc_config(username_claim=["absent-claim"])
+    def test_failing_claim_verification(self):
+        form = FormFactory.create(authentication_backends=["org-oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="org-oidc")
+        start_response = self.app.get(start_url)
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"], username="admin", password="admin"
+        )
+
+        # complete the login flow on our end
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        # XXX: shouldn't this be "digid" so that the correct error message is rendered?
+        # Query: ?_digid-message=error
+        expected_url = furl(url_helper.frontend_start).add(
+            {BACKEND_OUTAGE_RESPONSE_PARAMETER: "org-oidc"}
+        )
+        self.assertEqual(callback_response.request.url, str(expected_url))
+        self.assertNotIn(FORM_AUTH_SESSION_KEY, self.app.session)
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_init.py b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_init.py
new file mode 100644
index 0000000000..1c6883b187
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_init.py
@@ -0,0 +1,86 @@
+"""
+Test the authentication flow for a form.
+
+These tests use VCR. When re-recording, making sure to:
+
+.. code-block:: bash
+
+    cd docker
+    docker compose -f docker-compose.keycloak.yml up
+
+to bring up a Keycloak instance.
+"""
+
+from django.contrib.auth import get_user
+from django.urls import reverse, reverse_lazy
+
+from furl import furl
+
+from openforms.accounts.tests.factories import StaffUserFactory
+from openforms.authentication.tests.utils import URLsHelper
+from openforms.authentication.views import BACKEND_OUTAGE_RESPONSE_PARAMETER
+from openforms.forms.tests.factories import FormFactory
+
+from .base import IntegrationTestsBase, mock_org_oidc_config
+
+
+class OrgOIDCInitTests(IntegrationTestsBase):
+    """
+    Test the outbound part of OIDC-based organisation user authentication.
+    """
+
+    CALLBACK_URL = f"http://testserver{reverse_lazy('org-oidc-callback')}"
+
+    @mock_org_oidc_config()
+    def test_start_flow_redirects_to_oidc_provider(self):
+        form = FormFactory.create(authentication_backends=["org-oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(plugin_id="org-oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_target = furl(response["Location"])
+        query_params = redirect_target.query.params
+        self.assertEqual(redirect_target.host, "localhost")
+        self.assertEqual(redirect_target.port, 8080)
+        self.assertEqual(
+            redirect_target.path,
+            "/realms/test/protocol/openid-connect/auth",
+        )
+        self.assertEqual(query_params["scope"], "openid email profile")
+        self.assertEqual(query_params["client_id"], "testid")
+        self.assertEqual(query_params["redirect_uri"], self.CALLBACK_URL)
+
+    @mock_org_oidc_config(
+        oidc_op_authorization_endpoint="http://localhost:8080/i-dont-exist"
+    )
+    def test_idp_availability_check(self):
+        form = FormFactory.create(authentication_backends=["org-oidc"])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id="org-oidc")
+
+        response = self.app.get(start_url)
+
+        self.assertEqual(response.status_code, 302)
+        redirect_url = furl(response["Location"])
+        self.assertEqual(redirect_url.host, "testserver")
+        self.assertEqual(redirect_url.path, url_helper.form_path)
+        query_params = redirect_url.query.params
+        self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "org-oidc")
+
+    @mock_org_oidc_config()
+    def test_start_flow_logs_out_existing_user(self):
+        user = StaffUserFactory.create()
+        self.app.get(reverse("admin:index"), user=user)
+        form = FormFactory.create(authentication_backends=["org-oidc"])
+        start_url = URLsHelper(form=form).get_auth_start(plugin_id="org-oidc")
+        with self.subTest("verify auth state before test"):
+            user = get_user(self.app)  # type: ignore
+            self.assertTrue(user.is_authenticated)
+            self.assertFalse(user.is_anonymous)
+
+        self.app.get(start_url)
+
+        user = get_user(self.app)  # type: ignore
+        self.assertFalse(user.is_authenticated)
+        self.assertTrue(user.is_anonymous)
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_logout.py b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_logout.py
new file mode 100644
index 0000000000..b23ba58011
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_flow_logout.py
@@ -0,0 +1,78 @@
+"""
+Test the authentication flow for a form.
+
+These tests use VCR. When re-recording, making sure to:
+
+.. code-block:: bash
+
+    cd docker
+    docker compose -f docker-compose.keycloak.yml up
+
+to bring up a Keycloak instance.
+"""
+
+import uuid
+
+from django.contrib import auth
+from django.contrib.auth.models import AnonymousUser
+from django.test import override_settings
+
+from rest_framework.test import APIRequestFactory
+
+from openforms.authentication.registry import register
+from openforms.authentication.tests.utils import URLsHelper
+from openforms.forms.tests.factories import FormFactory
+from openforms.utils.tests.keycloak import keycloak_login
+
+from ..plugin import PLUGIN_IDENTIFIER
+from .base import IntegrationTestsBase, mock_org_oidc_config
+
+
+@override_settings(BASE_URL="http://testserver")
+class OrgOIDCCallbackTests(IntegrationTestsBase):
+    """
+    Test the return/callback side after authenticating with the identity provider.
+    """
+
+    def _do_keycloak_login(self, start_url: str) -> None:
+        start_response = self.app.get(start_url)
+        redirect_uri = keycloak_login(
+            start_response["Location"], username="admin", password="admin"
+        )
+        callback_response = self.app.get(redirect_uri, auto_follow=True)
+
+        assert callback_response.status_code == 200
+
+    def _do_plugin_logout(self, user) -> None:
+        request = APIRequestFactory().delete(
+            f"/api/v2/authentication/{uuid.uuid4()}/session"
+        )
+        request.user = user
+        request.session = self.app.session  # type: ignore
+        plugin = register[PLUGIN_IDENTIFIER]
+        plugin.logout(request)
+        if not isinstance(request.session, dict):
+            request.session.save()
+
+    @mock_org_oidc_config()
+    def test_logout_clears_session(self):
+        form = FormFactory.create(authentication_backends=[PLUGIN_IDENTIFIER])
+        url_helper = URLsHelper(form=form)
+        start_url = url_helper.get_auth_start(plugin_id=PLUGIN_IDENTIFIER)
+        self._do_keycloak_login(start_url)
+        user = auth.get_user(self.app)  # type: ignore
+        self.assertTrue(user.is_authenticated)
+
+        self._do_plugin_logout(user)
+
+        session = self.app.session
+        self.assertEqual(list(session.keys()), [])
+        self.assertFalse(auth.get_user(self.app).is_authenticated)  # type: ignore
+
+    @mock_org_oidc_config()
+    def test_logout_without_any_session(self):
+        self._do_plugin_logout(user=AnonymousUser())
+
+        session = self.app.session
+        self.assertEqual(list(session.keys()), [])
+        self.assertFalse(auth.get_user(self.app).is_authenticated)  # type: ignore
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_logout.py b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_logout.py
deleted file mode 100644
index 00825df969..0000000000
--- a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_logout.py
+++ /dev/null
@@ -1,59 +0,0 @@
-from unittest.mock import patch
-
-from django.contrib import auth
-from django.test import RequestFactory, TestCase
-
-from mozilla_django_oidc_db.models import OpenIDConnectConfig
-
-from openforms.accounts.tests.factories import StaffUserFactory
-
-from ..backends import OIDCAuthenticationBackend
-from ..plugin import OIDCAuthentication
-
-
-class PluginLogoutTest(TestCase):
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(),
-    )
-    def test_logout_empty_session(self, mock_get_solo):
-        backend = OIDCAuthenticationBackend()
-        user = StaffUserFactory()
-        self.client.force_login(user, backend=backend.get_import_path())
-
-        plugin = OIDCAuthentication("org-oidc")
-
-        request = RequestFactory().post("/dummy")
-        request.session = self.client.session
-        request.user = user
-
-        plugin.logout(request)
-
-        self.assertEqual(list(request.session.keys()), [])
-        self.assertFalse(auth.get_user(self.client).is_authenticated)
-
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(),
-    )
-    def test_logout_session(self, mock_get_solo):
-        backend = OIDCAuthenticationBackend()
-        user = StaffUserFactory()
-        self.client.force_login(user, backend=backend.get_import_path())
-
-        plugin = OIDCAuthentication("org-oidc")
-
-        session = self.client.session
-        session["oidc_id_token"] = "xyz"
-        session["oidc_login_next"] = "xyz"
-        session["oidc_states"] = "xyz"
-        session.save()
-
-        request = RequestFactory().post("/dummy")
-        request.session = session
-        request.user = user
-
-        plugin.logout(request)
-
-        self.assertEqual(list(request.session.keys()), [])
-        self.assertFalse(auth.get_user(self.client).is_authenticated)
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_plugin.py b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_plugin.py
deleted file mode 100644
index 6170a9faa3..0000000000
--- a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_plugin.py
+++ /dev/null
@@ -1,58 +0,0 @@
-from unittest.mock import patch
-
-from django.urls import reverse
-
-from rest_framework import status
-from rest_framework.test import APITestCase
-
-from openforms.accounts.tests.factories import UserFactory
-from openforms.config.models import GlobalConfiguration
-
-
-class OrgOIDCAuthPluginEndpointTests(APITestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-
-        cls.user = UserFactory.create(is_staff=True)
-
-    def setUp(self):
-        super().setUp()
-
-        self.client.force_authenticate(user=self.user)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_org_oidc_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "org-oidc": {"enabled": True},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertIn("org-oidc", plugin_names)
-
-    @patch("openforms.plugins.plugin.GlobalConfiguration.get_solo")
-    def test_plugin_list_org_oidc_not_enabled(self, mock_get_solo):
-        mock_get_solo.return_value = GlobalConfiguration(
-            plugin_configuration={
-                "authentication": {
-                    "org-oidc": {"enabled": False},
-                },
-            }
-        )
-
-        endpoint = reverse("api:authentication-plugin-list")
-
-        response = self.client.get(endpoint)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
-        plugin_names = [p["id"] for p in response.data]
-        self.assertNotIn("org-oidc", plugin_names)
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_procedure.py b/src/openforms/authentication/contrib/org_oidc/tests/test_auth_procedure.py
deleted file mode 100644
index b410571080..0000000000
--- a/src/openforms/authentication/contrib/org_oidc/tests/test_auth_procedure.py
+++ /dev/null
@@ -1,408 +0,0 @@
-from unittest.mock import patch
-
-from django.contrib import auth
-from django.contrib.auth import get_user
-from django.contrib.auth.models import Group
-from django.test import TestCase, override_settings
-from django.urls import reverse
-
-import requests_mock
-from furl import furl
-from mozilla_django_oidc_db.models import OpenIDConnectConfig
-from rest_framework import status
-
-from openforms.accounts.models import User
-from openforms.accounts.tests.factories import UserFactory
-from openforms.forms.tests.factories import FormFactory
-from openforms.utils.urls import reverse_plus
-
-from ....constants import FORM_AUTH_SESSION_KEY, AuthAttribute
-from ....views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-
-default_config = dict(
-    enabled=True,
-    oidc_rp_client_id="testclient",
-    oidc_rp_client_secret="secret",
-    oidc_rp_sign_algo="RS256",
-    oidc_rp_scopes_list=["openid", "email", "profile"],
-    oidc_op_jwks_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/certs",
-    oidc_op_authorization_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-    oidc_op_token_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/token",
-    oidc_op_user_endpoint="http://provider.com/auth/realms/master/protocol/openid-connect/userinfo",
-    username_claim="sub",
-    make_users_staff=True,
-)
-
-
-@override_settings(CORS_ALLOW_ALL_ORIGINS=True, IS_HTTPS=True)
-class OrgOIDCTests(TestCase):
-    @classmethod
-    def setUpTestData(cls):
-        super().setUpTestData()
-        cls.form = FormFactory.create(
-            generate_minimal_setup=True, authentication_backends=["org-oidc"]
-        )
-
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(**default_config),
-    )
-    def test_redirect_to_org_oidc(self, *m):
-        login_url = reverse(
-            "authentication:start",
-            kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-        )
-
-        form_path = reverse("core:form-detail", kwargs={"slug": self.form.slug})
-        form_url = str(furl(f"http://testserver{form_path}").set({"_start": "1"}))
-        start_url = furl(login_url).set({"next": form_url})
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, reverse("org-oidc:oidc_authentication_init"))
-
-        parsed = furl(query_params["next"])
-        query_params = parsed.query.params
-
-        self.assertEqual(
-            parsed.path,
-            reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-            ),
-        )
-        self.assertEqual(query_params["next"], form_url)
-
-        with requests_mock.Mocker() as m:
-            m.get(
-                "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-                status_code=200,
-            )
-            response = self.client.get(response.url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.host, "provider.com")
-        self.assertEqual(
-            parsed.path, "/auth/realms/master/protocol/openid-connect/auth"
-        )
-        self.assertEqual(query_params["scope"], "openid email profile")
-        self.assertEqual(query_params["client_id"], "testclient")
-        self.assertEqual(
-            query_params["redirect_uri"],
-            f"http://testserver{reverse('org-oidc:oidc_authentication_callback')}",
-        )
-
-        parsed = furl(self.client.session["oidc_login_next"])
-        query_params = parsed.query.params
-
-        self.assertEqual(
-            parsed.path,
-            reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-            ),
-        )
-        self.assertEqual(query_params["next"], form_url)
-
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(**default_config),
-    )
-    def test_redirect_to_org_oidc_internal_server_error(self, *m):
-        login_url = reverse(
-            "authentication:start",
-            kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-        )
-
-        form_path = reverse("core:form-detail", kwargs={"slug": self.form.slug})
-        form_url = str(furl(f"http://testserver{form_path}").set({"_start": "1"}))
-        start_url = furl(login_url).set({"next": form_url})
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-        with requests_mock.Mocker() as m:
-            m.get(
-                "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-                status_code=500,
-            )
-            response = self.client.get(response.url)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, form_path)
-        self.assertEqual(query_params["of-auth-problem"], "org-oidc")
-
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(**default_config),
-    )
-    def test_redirect_to_org_oidc_callback_error(self, *m):
-        form_path = reverse("core:form-detail", kwargs={"slug": self.form.slug})
-        form_url = f"http://testserver{form_path}"
-        redirect_form_url = furl(form_url).set({"_start": "1"})
-        redirect_url = furl(
-            reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-            )
-        ).set({"next": redirect_form_url})
-
-        session = self.client.session
-        session["of_redirect_next"] = redirect_url.url
-        session.save()
-
-        with patch(
-            "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.verify_claims",
-            return_value=False,
-        ):
-            response = self.client.get(reverse("org-oidc:callback"))
-
-        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.path, form_path)
-        self.assertEqual(query_params["_start"], "1")
-        self.assertEqual(query_params[BACKEND_OUTAGE_RESPONSE_PARAMETER], "org-oidc")
-
-    @override_settings(CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=[])
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(**default_config),
-    )
-    def test_redirect_to_disallowed_domain(self, *m):
-        form_url = "http://example.com"
-        start_url = reverse_plus(
-            "org-oidc:oidc_authentication_init",
-            query={"next": form_url},
-        )
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
-
-    @override_settings(
-        CORS_ALLOW_ALL_ORIGINS=False,
-        CORS_ALLOWED_ORIGINS=["http://example.com", "http://testserver"],
-    )
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(**default_config),
-    )
-    def test_redirect_to_allowed_domain(self, *m):
-        login_url = reverse(
-            "authentication:start",
-            kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-        )
-
-        form_url = "http://example.com"
-        start_url = furl(login_url).set({"next": form_url})
-        response = self.client.get(start_url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.host, "testserver")
-        self.assertEqual(parsed.path, reverse("org-oidc:oidc_authentication_init"))
-
-        parsed = furl(query_params["next"])
-        query_params = parsed.query.params
-
-        self.assertEqual(
-            parsed.path,
-            reverse(
-                "authentication:return",
-                kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-            ),
-        )
-        self.assertEqual(query_params["next"], form_url)
-
-        with requests_mock.Mocker() as m:
-            m.get(
-                "http://provider.com/auth/realms/master/protocol/openid-connect/auth",
-                status_code=200,
-            )
-            response = self.client.get(response.url)
-
-        self.assertEqual(status.HTTP_302_FOUND, response.status_code)
-
-        parsed = furl(response.url)
-        query_params = parsed.query.params
-
-        self.assertEqual(parsed.host, "provider.com")
-        self.assertEqual(
-            parsed.path, "/auth/realms/master/protocol/openid-connect/auth"
-        )
-        self.assertEqual(query_params["scope"], "openid email profile")
-        self.assertEqual(query_params["client_id"], "testclient")
-        self.assertEqual(
-            query_params["redirect_uri"],
-            f"http://testserver{reverse('org-oidc:oidc_authentication_callback')}",
-        )
-
-    @override_settings(
-        CORS_ALLOW_ALL_ORIGINS=False, CORS_ALLOWED_ORIGINS=["http://example.com"]
-    )
-    @patch(
-        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
-        return_value=OpenIDConnectConfig(**default_config),
-    )
-    def test_start_view_logs_out_current_user_if_any(self, *m):
-        other_user = UserFactory()
-        self.client.force_login(other_user)
-
-        start_url = reverse_plus(
-            "authentication:start",
-            kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-            query={"next": "http://example.com"},
-        )
-        response = self.client.get(start_url)
-        self.assertEqual(response.status_code, 302)
-
-        user = get_user(self.client)
-        self.assertFalse(user.is_authenticated)
-        self.assertTrue(user.is_anonymous)
-
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.get_userinfo"
-    )
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.store_tokens"
-    )
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.verify_token"
-    )
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.get_token"
-    )
-    @patch("mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo")
-    @override_settings(BASE_URL="http://testserver")
-    def test_callback_url_creates_logged_in_django_user(
-        self,
-        mock_get_solo,
-        mock_get_token,
-        mock_verify_token,
-        mock_store_tokens,
-        mock_get_userinfo,
-    ):
-        self.assertFalse(User.objects.exists())
-
-        mock_get_solo.return_value = OpenIDConnectConfig(
-            **{
-                **default_config,
-                **{
-                    "id": 1,
-                    "username_claim": "arbitrary_employee_id_claim",
-                    "claim_mapping": {
-                        "email": "email",
-                        "last_name": "family_name",
-                        "first_name": "given_name",
-                        "employee_id": "arbitrary_employee_id_claim",
-                    },
-                    "groups_claim": "arbitrary_groups",
-                },
-            }
-        )
-        mock_get_token.return_value = {
-            "id_token": "mock-id-token",
-            "access_token": "mock-access-token",
-        }
-        user_claims = {
-            "sub": "arbitrary_employee_id_claim",
-            "email": "admin@example.com",
-            "given_name": "John",
-            "family_name": "Doe",
-            "arbitrary_employee_id_claim": "my_id_value",
-            "arbitrary_groups": ["Registreerders"],
-        }
-        mock_verify_token.return_value = user_claims
-        mock_get_userinfo.return_value = user_claims
-        mock_store_tokens.return_value = {"whatever": 1}
-
-        # grab user group (from default_groups fixture)
-        group = Group.objects.get(name__iexact="Registreerders")
-
-        # setup our form and urls
-        form_url = reverse_plus("core:form-detail", kwargs={"slug": self.form.slug})
-
-        handle_return_url = reverse_plus(
-            "authentication:return",
-            kwargs={"slug": self.form.slug, "plugin_id": "org-oidc"},
-            query={"next": form_url},
-        )
-
-        # go through mock OIDC
-        callback_url = reverse_plus("org-oidc:oidc_authentication_callback")
-
-        session = self.client.session
-        session["oidc_states"] = {"mock": {"nonce": "nonce"}}
-        session["oidc_login_next"] = handle_return_url
-        session.save()
-
-        # check oidc callback view
-        callback_response = self.client.get(
-            callback_url, {"code": "mock", "state": "mock"}
-        )
-
-        self.assertRedirects(
-            callback_response, handle_return_url, fetch_redirect_response=False
-        )
-        self.assertEqual(status.HTTP_302_FOUND, callback_response.status_code)
-
-        mock_get_token.assert_called_once()
-        mock_verify_token.assert_called_once()
-        mock_store_tokens.assert_called_once()
-        mock_get_userinfo.assert_called_once()
-
-        # we got our user
-        user = User.objects.get()
-        self.assertTrue(user.is_staff)
-        self.assertTrue(user.username, "some_username")
-        self.assertTrue(user.email, "admin@example.com")
-        self.assertTrue(user.first_name, "John")
-        self.assertTrue(user.last_name, "Doe")
-        self.assertTrue(user.employee_id, "my_id_value")
-        # note: assertQuerysetEqual doesn't check primary keys, so can't detect duplicate objects
-        self.assertEqual(user.groups.get().pk, group.pk)
-
-        # check plugins handle_return() response
-        return_response = self.client.get(handle_return_url)
-
-        subject_url = reverse_plus(
-            "authentication:registrator-subject",
-            kwargs={"slug": self.form.slug},
-            query={"next": form_url},
-        )
-
-        self.assertRedirects(
-            return_response, subject_url, fetch_redirect_response=False
-        )
-        self.assertEqual(status.HTTP_302_FOUND, return_response.status_code)
-
-        # check our session data
-        self.assertIn(FORM_AUTH_SESSION_KEY, self.client.session)
-        s = self.client.session[FORM_AUTH_SESSION_KEY]
-        self.assertEqual(s["plugin"], "org-oidc")
-        self.assertEqual(s["attribute"], AuthAttribute.employee_id)
-        self.assertEqual(s["value"], "my_id_value")
-
-        # django user logged in
-        self.assertTrue(auth.get_user(self.client).is_authenticated)
-
-        # check the registrator subject response
-        subject_response = self.client.get(subject_url)
-        self.assertEqual(status.HTTP_200_OK, subject_response.status_code)
diff --git a/src/openforms/authentication/contrib/org_oidc/tests/test_configuration.py b/src/openforms/authentication/contrib/org_oidc/tests/test_configuration.py
new file mode 100644
index 0000000000..f20ab036a9
--- /dev/null
+++ b/src/openforms/authentication/contrib/org_oidc/tests/test_configuration.py
@@ -0,0 +1,36 @@
+from django.test import TestCase, override_settings
+from django.urls import reverse
+
+from mozilla_django_oidc_db.views import OIDCInit
+
+from ..models import OrgOpenIDConnectConfig
+
+
+class CallbackURLConfigurationTests(TestCase):
+    """
+    Test the legacy and new behaviour for the OIDC Redirect URIs for each config.
+    """
+
+    def setUp(self):
+        super().setUp()
+
+        self.addCleanup(OrgOpenIDConnectConfig.clear_cache)
+
+    def test_default_settings_backwards_compatible(self):
+        # use an init view to decouple the implementation details from the
+        # desired behaviour.
+        view = OIDCInit(config_class=OrgOpenIDConnectConfig)
+
+        url = reverse(view.get_settings("OIDC_AUTHENTICATION_CALLBACK_URL"))
+
+        self.assertEqual(url, "/org-oidc/callback/")
+
+    @override_settings(USE_LEGACY_ORG_OIDC_ENDPOINTS=False)
+    def test_new_behaviour(self):
+        # use an init view to decouple the implementation details from the
+        # desired behaviour.
+        view = OIDCInit(config_class=OrgOpenIDConnectConfig)
+
+        url = reverse(view.get_settings("OIDC_AUTHENTICATION_CALLBACK_URL"))
+
+        self.assertEqual(url, "/auth/oidc/callback/")
diff --git a/src/openforms/authentication/contrib/org_oidc/urls.py b/src/openforms/authentication/contrib/org_oidc/urls.py
index 667f97344b..0dd4dcdcb4 100644
--- a/src/openforms/authentication/contrib/org_oidc/urls.py
+++ b/src/openforms/authentication/contrib/org_oidc/urls.py
@@ -1,21 +1,9 @@
 from django.urls import path
 
-from mozilla_django_oidc.urls import urlpatterns
-
-from .views import OIDCAuthenticationCallbackView, OIDCAuthenticationRequestView
-
-app_name = "org-oidc"
-
+from mozilla_django_oidc_db.views import OIDCCallbackView
 
+# XXX: sort out callback endpoints
+# deprecated
 urlpatterns = [
-    path(
-        "callback/",
-        OIDCAuthenticationCallbackView.as_view(),
-        name="callback",
-    ),
-    path(
-        "authenticate/",
-        OIDCAuthenticationRequestView.as_view(),
-        name="init",
-    ),
-] + urlpatterns
+    path("callback/", OIDCCallbackView.as_view(), name="org-oidc-callback"),
+]
diff --git a/src/openforms/authentication/contrib/org_oidc/views.py b/src/openforms/authentication/contrib/org_oidc/views.py
index 6cfd432950..a8963ec761 100644
--- a/src/openforms/authentication/contrib/org_oidc/views.py
+++ b/src/openforms/authentication/contrib/org_oidc/views.py
@@ -1,65 +1,56 @@
-import logging
+from django.http import HttpRequest
+from django.urls import reverse
 
-from django.contrib import auth
-from django.core.exceptions import DisallowedRedirect
-from django.http import HttpResponseRedirect
-
-import requests
 from furl import furl
-from mozilla_django_oidc.views import (
-    OIDCAuthenticationRequestView as _OIDCAuthenticationRequestView,
-    get_next_url,
-)
-
-from openforms.authentication.contrib.digid_eherkenning_oidc.views import (
-    OIDCAuthenticationCallbackView as _OIDCAuthenticationCallbackView,
+from mozilla_django_oidc_db.views import (
+    _OIDC_ERROR_SESSION_KEY,
+    _RETURN_URL_SESSION_KEY,
+    AdminCallbackView,
 )
 
 from ...views import BACKEND_OUTAGE_RESPONSE_PARAMETER
-from .backends import OIDCAuthenticationBackend
-from .mixins import SoloConfigMixin
+from .plugin import PLUGIN_IDENTIFIER
 
-logger = logging.getLogger(__name__)
 
+class CallbackView(AdminCallbackView):
+    """
+    Apply the integrity error catching behaviour from AdminCallbackView.
 
-class OIDCAuthenticationRequestView(SoloConfigMixin, _OIDCAuthenticationRequestView):
-    def get(self, request):
-        redirect_field_name = self.get_settings("OIDC_REDIRECT_FIELD_NAME", "next")
-        next_url = get_next_url(request, redirect_field_name)
-        if not next_url:
-            raise DisallowedRedirect
+    Potential integrity constraint errors are caught, and login failures redirect the
+    user back to the public frontend (SDK).
+    """
 
-        try:
-            # Verify that the identity provider endpoint can be reached
-            response = requests.get(self.OIDC_OP_AUTH_ENDPOINT)
-            if response.status_code > 400:
-                response.raise_for_status()
-        except Exception as e:
-            logger.exception(
-                "authentication exception during 'start_login()' of plugin '%(plugin_id)s'",
-                {"plugin_id": self.plugin_identifier},
-                exc_info=e,
-            )
-            # append failure parameter and return to form
-            f = furl(next_url)
-            failure_url = f.args["next"]
-
-            f = furl(failure_url)
-            f.args[BACKEND_OUTAGE_RESPONSE_PARAMETER] = self.plugin_identifier
-            return HttpResponseRedirect(f.url)
+    _redirect_next: str
 
+    def get(self, request: HttpRequest):
+        # grab where the redirect next from the session and store it as a temporary
+        # attribute. in the event that the failure url needs to be overridden, we
+        # then have the value available even *after* mozilla_django_oidc has flushed
+        # the session.
+        self._redirect_next = request.session.get(_RETURN_URL_SESSION_KEY, "")
         return super().get(request)
 
+    @property
+    def failure_url(self) -> str:
+        """
+        On failure, redirect to the form with an appropriate error message.
+        """
+        # handle integrity and validation errors by redirecting the user to the admin
+        # failure view.
+        if _OIDC_ERROR_SESSION_KEY in self.request.session:
+            return reverse("admin-oidc-error")
+
+        # this is expected to be the auth plugin return url, set by the OIDCInit view
+        plugin_return_url = furl(
+            self._redirect_next or self.get_settings("LOGIN_REDIRECT_URL", "/")
+        )
+        # this URL is expected to have a ?next query param pointing back to the frontend
+        # where the form is rendered/embedded
+        _next = plugin_return_url.args["next"]
+        assert isinstance(_next, str)
+        form_url = furl(_next)
+        form_url.args[BACKEND_OUTAGE_RESPONSE_PARAMETER] = PLUGIN_IDENTIFIER
+        return form_url.url
 
-class OIDCAuthenticationCallbackView(SoloConfigMixin, _OIDCAuthenticationCallbackView):
-    # TODO figure out how we want to reuse the patched OIDCAuthenticationCallbackView from digid_eherkenning (and digid_eherkenning_generics)
-    #  or possibly move it to mozilla_oidc_db
-    auth_backend_class = OIDCAuthenticationBackend
 
-    def login_success(self):
-        # override again because our base class removed the .login()
-        auth.login(
-            self.request, self.user, backend=OIDCAuthenticationBackend.get_import_path()
-        )
-        assert self.user.is_authenticated
-        return super().login_success()
+callback_view = CallbackView.as_view()
diff --git a/src/openforms/authentication/tests/utils.py b/src/openforms/authentication/tests/utils.py
index bc3ac56c60..7d880ed3b3 100644
--- a/src/openforms/authentication/tests/utils.py
+++ b/src/openforms/authentication/tests/utils.py
@@ -5,22 +5,34 @@
 from openforms.forms.models import Form
 
 
-def get_start_form_url(form: Form, host: str = "") -> str:
-    form_path = reverse("core:form-detail", kwargs={"slug": form.slug})
-    if not host:
-        host = "http://testserver"
-    form_url = furl(f"{host}{form_path}").set({"_start": "1"})
-    return str(form_url)
-
-
-def get_start_url(form: Form, plugin_id: str, host: str = "") -> str:
+class URLsHelper:
     """
-    Build the authentication start URL as constructed by the SDK.
+    Small helper to get the right frontend URLs for authentication flows.
     """
-    login_url = reverse(
-        "authentication:start",
-        kwargs={"slug": form.slug, "plugin_id": plugin_id},
-    )
-    form_url = get_start_form_url(form, host=host)
-    start_url = furl(login_url).set({"next": form_url})
-    return str(start_url)
+
+    def __init__(self, form: Form, host: str = "http://testserver"):
+        self.form = form
+        self.host = host
+
+    @property
+    def form_path(self) -> str:
+        return reverse("core:form-detail", kwargs={"slug": self.form.slug})
+
+    @property
+    def frontend_start(self) -> str:
+        """
+        Compute the frontend URL that will trigger a submissions start.
+        """
+        form_url = furl(f"{self.host}{self.form_path}").set({"_start": "1"})
+        return str(form_url)
+
+    def get_auth_start(self, plugin_id: str) -> str:
+        """
+        Compute the authentication start URL for the specified plugin ID.
+        """
+        login_url = reverse(
+            "authentication:start",
+            kwargs={"slug": self.form.slug, "plugin_id": plugin_id},
+        )
+        start_url = furl(login_url).set({"next": self.frontend_start})
+        return str(start_url)
diff --git a/src/openforms/authentication/views.py b/src/openforms/authentication/views.py
index 8d9a42ed66..afe3d46ec4 100644
--- a/src/openforms/authentication/views.py
+++ b/src/openforms/authentication/views.py
@@ -1,4 +1,5 @@
 import logging
+import warnings
 
 from django.contrib.auth.mixins import PermissionRequiredMixin, UserPassesTestMixin
 from django.core.exceptions import PermissionDenied
@@ -127,6 +128,7 @@ def _validate_co_sign_submission(self, plugin: BasePlugin) -> Submission | None:
                 "Presence of this parameter marks a flow as a co-sign flow."
             ),
             required=False,
+            deprecated=True,
         ),
         OpenApiParameter(
             name="Location",
@@ -341,6 +343,10 @@ def _handle_return(self, request: Request, slug: str, plugin_id: str):
     def _handle_co_sign(self, form: Form, plugin: BasePlugin) -> None:
         co_sign_submission = self._validate_co_sign_submission(plugin)
         if co_sign_submission is not None:
+            warnings.warn(
+                "Legacy co-sign is deprecated and will be removed in Open Forms 3.0",
+                DeprecationWarning,
+            )
             logger.debug("Co-sign authentication detected, invoking plugin handler.")
             co_sign_data = {
                 **plugin.handle_co_sign(self.request, form),
diff --git a/src/openforms/conf/base.py b/src/openforms/conf/base.py
index 798f311079..11f3a09b2e 100644
--- a/src/openforms/conf/base.py
+++ b/src/openforms/conf/base.py
@@ -104,14 +104,6 @@
             "IGNORE_EXCEPTIONS": True,
         },
     },
-    "oidc": {
-        "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": f"redis://{config('CACHE_OIDC', 'localhost:6379/0')}",
-        "OPTIONS": {
-            "CLIENT_CLASS": "django_redis.client.DefaultClient",
-            "IGNORE_EXCEPTIONS": True,
-        },
-    },
     # TODO: rename to 'redis-locks' and get rid of portalocker in favour of plain
     # redis locks?
     "portalocker": {
@@ -187,7 +179,7 @@
     "stuf.stuf_zds",
     "mozilla_django_oidc",
     "mozilla_django_oidc_db",
-    "digid_eherkenning_oidc_generics",
+    "digid_eherkenning.oidc",
     "django_filters",
     "csp",
     "cspreports",
@@ -503,11 +495,14 @@
 
 # Allow logging in with both username+password and email+password
 AUTHENTICATION_BACKENDS = [
+    # Put the fake backend first, as it (on success) only puts information in the session
+    # and it's quite easy to shortcut.
+    "openforms.authentication.contrib.digid_eherkenning_oidc.backends.DigiDEHerkenningOIDCBackend",
+    # Real backends
     "axes.backends.AxesBackend",
     "openforms.accounts.backends.UserModelEmailBackend",
     "django.contrib.auth.backends.ModelBackend",
     "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
-    "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend",
 ]
 
 SESSION_COOKIE_NAME = "openforms_sessionid"
@@ -622,6 +617,20 @@
 ESCAPE_REGISTRATION_OUTPUT = config("ESCAPE_REGISTRATION_OUTPUT", default=False)
 DISABLE_SENDING_HIDDEN_FIELDS = config("DISABLE_SENDING_HIDDEN_FIELDS", default=False)
 
+LOG_OUTGOING_REQUESTS_MAX_AGE = config(
+    "LOG_OUTGOING_REQUESTS_MAX_AGE", default=7
+)  # number of days
+
+# TODO: convert to feature flags so that newly deployed instances get the new behaviour
+# while staying backwards compatible for existing instances
+USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS = config(
+    "USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS",
+    default=True,
+)
+USE_LEGACY_ORG_OIDC_ENDPOINTS = config(
+    "USE_LEGACY_ORG_OIDC_ENDPOINTS",
+    default=True,
+)
 
 ##############################
 #                            #
@@ -692,7 +701,6 @@
 # auth, avoiding having some set up MFA again in the project.
 MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
     "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
-    "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend",
 ]
 
 #
@@ -1004,12 +1012,18 @@
 COOKIE_CONSENT_NAME = "cookie_consent"
 
 #
-# Mozilla Django OIDC DB settings
+# Mozilla Django OIDC (DB) settings
 #
 OIDC_AUTHENTICATE_CLASS = "mozilla_django_oidc_db.views.OIDCAuthenticationRequestView"
+# DeprecationWarning
+# XXX: remove in Open Forms 3.0
+_USE_LEGACY_OIDC_ENDPOINTS = config("USE_LEGACY_OIDC_ENDPOINTS", default=True)
+OIDC_AUTHENTICATION_CALLBACK_URL = (
+    "legacy_oidc:oidc_authentication_callback"
+    if _USE_LEGACY_OIDC_ENDPOINTS
+    else "oidc_authentication_callback"
+)
 OIDC_CALLBACK_CLASS = "mozilla_django_oidc_db.views.OIDCCallbackView"
-MOZILLA_DJANGO_OIDC_DB_CACHE = "oidc"
-MOZILLA_DJANGO_OIDC_DB_CACHE_TIMEOUT = 5 * 60
 
 # ID token is required to enable OIDC logout
 OIDC_STORE_ID_TOKEN = True
@@ -1140,11 +1154,6 @@
 LOG_OUTGOING_REQUESTS_EMIT_BODY = True
 LOG_OUTGOING_REQUESTS_MAX_CONTENT_LENGTH = 524_288  # 0.5MB
 
-# Custom settings
-LOG_OUTGOING_REQUESTS_MAX_AGE = config(
-    "LOG_OUTGOING_REQUESTS_MAX_AGE", default=7
-)  # number of days
-
 #
 # DJANGO-FLAGS - manage feature flags.
 #
diff --git a/src/openforms/conf/docker.py b/src/openforms/conf/docker.py
index 43250324e6..5808e1d205 100644
--- a/src/openforms/conf/docker.py
+++ b/src/openforms/conf/docker.py
@@ -9,7 +9,6 @@
 os.environ.setdefault("LOG_STDOUT", "yes")
 os.environ.setdefault("CACHE_DEFAULT", "redis:6379/0")
 os.environ.setdefault("CACHE_AXES", "redis:6379/0")
-os.environ.setdefault("CACHE_OIDC", "redis:6379/0")
 os.environ.setdefault("CACHE_PORTALOCKER", "redis:6379/0")
 
 # # Strongly suggested to not use this, but explicitly list the allowed hosts. It is
diff --git a/src/openforms/conf/production.py b/src/openforms/conf/production.py
index 8451ea97ad..fbaec9340a 100644
--- a/src/openforms/conf/production.py
+++ b/src/openforms/conf/production.py
@@ -10,7 +10,6 @@
 # NOTE: watch out for multiple projects using the same cache!
 os.environ.setdefault("CACHE_DEFAULT", "127.0.0.1:6379/2")
 os.environ.setdefault("CACHE_AXES", "127.0.0.1:6379/4")
-os.environ.setdefault("CACHE_OIDC", "127.0.0.1:6379/6")
 os.environ.setdefault("CACHE_PORTALOCKER", "127.0.0.1:6379/8")
 
 from .base import *  # noqa isort:skip
diff --git a/src/openforms/conf/staging.py b/src/openforms/conf/staging.py
index c42f2d3696..4d2e480bee 100644
--- a/src/openforms/conf/staging.py
+++ b/src/openforms/conf/staging.py
@@ -9,7 +9,6 @@
 # NOTE: watch out for multiple projects using the same cache!
 os.environ.setdefault("CACHE_DEFAULT", "127.0.0.1:6379/1")
 os.environ.setdefault("CACHE_AXES", "127.0.0.1:6379/3")
-os.environ.setdefault("CACHE_OIDC", "127.0.0.1:6379/5")
 os.environ.setdefault("CACHE_PORTALOCKER", "127.0.0.1:6379/7")
 
 from .production import *  # noqa isort:skip
diff --git a/src/openforms/fixtures/default_admin_index.json b/src/openforms/fixtures/default_admin_index.json
index e8f4bcead9..cca83d7d0a 100644
--- a/src/openforms/fixtures/default_admin_index.json
+++ b/src/openforms/fixtures/default_admin_index.json
@@ -179,20 +179,20 @@
                 "eherkenningconfiguration"
             ],
             [
-                "digid_eherkenning_oidc_generics",
-                "openidconnectdigidmachtigenconfig"
+                "digid_eherkenning_oidc",
+                "ofdigidconfig"
             ],
             [
-                "digid_eherkenning_oidc_generics",
-                "openidconnecteherkenningbewindvoeringconfig"
+                "digid_eherkenning_oidc",
+                "ofdigidmachtigenconfig"
             ],
             [
-                "digid_eherkenning_oidc_generics",
-                "openidconnecteherkenningconfig"
+                "digid_eherkenning_oidc",
+                "ofeherkenningbewindvoeringconfig"
             ],
             [
-                "digid_eherkenning_oidc_generics",
-                "openidconnectpublicconfig"
+                "digid_eherkenning_oidc",
+                "ofeherkenningconfig"
             ],
             [
                 "django_camunda",
diff --git a/src/openforms/tests/data/vcr_cassettes/OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest/OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest.test_flow.yaml b/src/openforms/tests/data/vcr_cassettes/OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest/OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest.test_flow.yaml
new file mode 100644
index 0000000000..0a539d2789
--- /dev/null
+++ b/src/openforms/tests/data/vcr_cassettes/OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest/OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest.test_flow.yaml
@@ -0,0 +1,371 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       We are sorry...\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-error-message\">\n
+        \           <p class=\"instruction\">Invalid Request</p>\n        </div>\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '1573'
+    status:
+      code: 400
+      message: Bad Request
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/auth?response_type=code&scope=openid+email+profile&client_id=testid&redirect_uri=http%3A%2F%2Fexample.com%2Forg-oidc%2Fcallback%2F&state=not-a-random-string&nonce=not-a-random-string
+  response:
+    body:
+      string: "<!DOCTYPE html>\n<html class=\"login-pf\">\n\n<head>\n    <meta charset=\"utf-8\">\n
+        \   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"
+        />\n    <meta name=\"robots\" content=\"noindex, nofollow\">\n\n            <meta
+        name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n    <title>Sign
+        in to test</title>\n    <link rel=\"icon\" href=\"/resources/1rz7o/login/keycloak/img/favicon.ico\"
+        />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/@patternfly/patternfly/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/common/keycloak/lib/pficon/pficon.css\"
+        rel=\"stylesheet\" />\n            <link href=\"/resources/1rz7o/login/keycloak/css/login.css\"
+        rel=\"stylesheet\" />\n        <script type=\"module\">\n            import
+        { checkCookiesAndSetTimer } from \"/resources/1rz7o/login/keycloak/js/authChecker.js\";\n\n
+        \           checkCookiesAndSetTimer(\n              \"7602d0f0-6118-4e76-891f-adc44ac8dd8c\",\n
+        \             \"dTO26rxbqmk\",\n              \"/realms/test/login-actions/restart?client_id=testid&tab_id=dTO26rxbqmk&skip_logout=true\"\n
+        \           );\n        </script>\n</head>\n\n<body class=\"\">\n<div class=\"login-pf-page\">\n
+        \   <div id=\"kc-header\" class=\"login-pf-page-header\">\n        <div id=\"kc-header-wrapper\"\n
+        \            class=\"\">test</div>\n    </div>\n    <div class=\"card-pf\">\n
+        \       <header class=\"login-pf-header\">\n                <h1 id=\"kc-page-title\">
+        \       Sign in to your account\n\n</h1>\n      </header>\n      <div id=\"kc-content\">\n
+        \       <div id=\"kc-content-wrapper\">\n\n\n        <div id=\"kc-form\">\n
+        \         <div id=\"kc-form-wrapper\">\n                <form id=\"kc-form-login\"
+        onsubmit=\"login.disabled = true; return true;\" action=\"http://localhost:8080/realms/test/login-actions/authenticate?session_code=q0bbj9dA-2ANDyXpLlC50NGHbNmnAewmiL2CsG3KFFs&amp;execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&amp;client_id=testid&amp;tab_id=dTO26rxbqmk\"
+        method=\"post\">\n                        <div class=\"form-group\">\n                            <label
+        for=\"username\" class=\"pf-c-form__label pf-c-form__label-text\">Username
+        or email</label>\n\n                            <input tabindex=\"1\" id=\"username\"
+        class=\"pf-c-form-control\" name=\"username\" value=\"\"  type=\"text\" autofocus
+        autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n\n\n                        </div>\n\n                    <div
+        class=\"form-group\">\n                        <label for=\"password\" class=\"pf-c-form__label
+        pf-c-form__label-text\">Password</label>\n\n                        <div class=\"pf-c-input-group\">\n
+        \                           <input tabindex=\"2\" id=\"password\" class=\"pf-c-form-control\"
+        name=\"password\" type=\"password\" autocomplete=\"off\"\n                                   aria-invalid=\"\"\n
+        \                           />\n                            <button class=\"pf-c-button
+        pf-m-control\" type=\"button\" aria-label=\"Show password\"\n                                    aria-controls=\"password\"
+        \ data-password-toggle\n                                    data-icon-show=\"fa
+        fa-eye\" data-icon-hide=\"fa fa-eye-slash\"\n                                    data-label-show=\"Show
+        password\" data-label-hide=\"Hide password\">\n                                <i
+        class=\"fa fa-eye\" aria-hidden=\"true\"></i>\n                            </button>\n
+        \                       </div>\n\n\n                    </div>\n\n                    <div
+        class=\"form-group login-pf-settings\">\n                        <div id=\"kc-form-options\">\n
+        \                           </div>\n                            <div class=\"\">\n
+        \                           </div>\n\n                      </div>\n\n                      <div
+        id=\"kc-form-buttons\" class=\"form-group\">\n                          <input
+        type=\"hidden\" id=\"id-hidden-input\" name=\"credentialId\" />\n                          <input
+        tabindex=\"4\" class=\"pf-c-button pf-m-primary pf-m-block btn-lg\" name=\"login\"
+        id=\"kc-login\" type=\"submit\" value=\"Sign In\"/>\n                      </div>\n
+        \               </form>\n            </div>\n        </div>\n        <script
+        type=\"module\" src=\"/resources/1rz7o/login/keycloak/js/passwordVisibility.js\"></script>\n\n\n\n\n\n
+        \       </div>\n      </div>\n\n    </div>\n  </div>\n</body>\n</html>\n"
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Language:
+      - en
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Content-Type:
+      - text/html;charset=utf-8
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - AUTH_SESSION_ID=7602d0f0-6118-4e76-891f-adc44ac8dd8c; Version=1; Path=/realms/test/;
+        SameSite=None; Secure; HttpOnly
+      - AUTH_SESSION_ID_LEGACY=7602d0f0-6118-4e76-891f-adc44ac8dd8c; Version=1; Path=/realms/test/;
+        HttpOnly
+      - KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vZXhhbXBsZS5jb20vb3JnLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL2V4YW1wbGUuY29tL29yZy1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.Gh5tsot6g5xFfd-CPdrSdfVuce-rrmiou1HGFbYFSEY;
+        Version=1; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '4466'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: username=admin&password=admin&credentialId=&login=Sign+In
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '57'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Cookie:
+      - AUTH_SESSION_ID_LEGACY=7602d0f0-6118-4e76-891f-adc44ac8dd8c; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJjaWQiOiJ0ZXN0aWQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vZXhhbXBsZS5jb20vb3JnLW9pZGMvY2FsbGJhY2svIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9yZWFsbXMvdGVzdCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL2V4YW1wbGUuY29tL29yZy1vaWRjL2NhbGxiYWNrLyIsInN0YXRlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyJ9fQ.Gh5tsot6g5xFfd-CPdrSdfVuce-rrmiou1HGFbYFSEY
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/login-actions/authenticate?session_code=q0bbj9dA-2ANDyXpLlC50NGHbNmnAewmiL2CsG3KFFs&execution=d8b8778e-a545-45d4-8f72-fd69facf4b72&client_id=testid&tab_id=dTO26rxbqmk
+  response:
+    body:
+      string: ''
+    headers:
+      Cache-Control:
+      - no-store, must-revalidate, max-age=0
+      Content-Security-Policy:
+      - frame-src 'self'; frame-ancestors 'self'; object-src 'none';
+      Location:
+      - http://example.com/org-oidc/callback/?state=not-a-random-string&session_state=7602d0f0-6118-4e76-891f-adc44ac8dd8c&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest&code=0c731757-e839-421f-b981-cbde9172382c.7602d0f0-6118-4e76-891f-adc44ac8dd8c.adf4ad83-4550-4619-9231-73bd8d700f45
+      Referrer-Policy:
+      - no-referrer
+      Set-Cookie:
+      - KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      - KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/; HttpOnly
+      - KC_AUTH_STATE=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
+        Path=/realms/test/
+      - KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTcyMDEsImlhdCI6MTcxODYyMTIwMSwianRpIjoiYTY5MmFiNjctNzUzYS00OTg4LThkY2MtNDYzMzNjOTk3NGI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJzaWQiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJzdGF0ZV9jaGVja2VyIjoiY21xcnBFQU5acEwwRV9qYW52UzZKWVFPdjhXZlgyek5QX0NZSWxrQXd3MCJ9.P3wa8evmGFwjV_xUhzNxSYP3cvBC_bDt3RCsqXW6Acw;
+        Version=1; Path=/realms/test/; SameSite=None; Secure; HttpOnly
+      - KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2NTcyMDEsImlhdCI6MTcxODYyMTIwMSwianRpIjoiYTY5MmFiNjctNzUzYS00OTg4LThkY2MtNDYzMzNjOTk3NGI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJzaWQiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJzdGF0ZV9jaGVja2VyIjoiY21xcnBFQU5acEwwRV9qYW52UzZKWVFPdjhXZlgyek5QX0NZSWxrQXd3MCJ9.P3wa8evmGFwjV_xUhzNxSYP3cvBC_bDt3RCsqXW6Acw;
+        Version=1; Path=/realms/test/; HttpOnly
+      - KEYCLOAK_SESSION=test/6db2db87-de31-4e30-9f25-cefe5da8b154/7602d0f0-6118-4e76-891f-adc44ac8dd8c;
+        Version=1; Expires=Mon, 17-Jun-2024 20:46:41 GMT; Max-Age=36000; Path=/realms/test/;
+        SameSite=None; Secure
+      - KEYCLOAK_SESSION_LEGACY=test/6db2db87-de31-4e30-9f25-cefe5da8b154/7602d0f0-6118-4e76-891f-adc44ac8dd8c;
+        Version=1; Expires=Mon, 17-Jun-2024 20:46:41 GMT; Max-Age=36000; Path=/realms/test/
+      - KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970
+        00:00:10 GMT; Max-Age=0; Path=/realms/test/; HttpOnly
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Robots-Tag:
+      - none
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '0'
+    status:
+      code: 302
+      message: Found
+- request:
+    body: client_id=testid&client_secret=7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I&grant_type=authorization_code&code=0c731757-e839-421f-b981-cbde9172382c.7602d0f0-6118-4e76-891f-adc44ac8dd8c.adf4ad83-4550-4619-9231-73bd8d700f45&redirect_uri=http%3A%2F%2Fexample.com%2Forg-oidc%2Fcallback%2F
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '272'
+      Content-Type:
+      - application/x-www-form-urlencoded
+      User-Agent:
+      - python-requests/2.32.2
+    method: POST
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/token
+  response:
+    body:
+      string: '{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MjE1MDIsImlhdCI6MTcxODYyMTIwMiwiYXV0aF90aW1lIjoxNzE4NjIxMjAxLCJqdGkiOiJiMjBkMTVmMS0yNmZjLTRlMmEtODhmYS0wOGZhNTQ3ODBlNWYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6Ijc2MDJkMGYwLTYxMTgtNGU3Ni04OTFmLWFkYzQ0YWM4ZGQ4YyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6Ijc2MDJkMGYwLTYxMTgtNGU3Ni04OTFmLWFkYzQ0YWM4ZGQ4YyIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.OHAB_tiseDRl7w3jLzjGSUhfqrs_GLu3cJmjVWConm7sNZv0lyuWkhZb3jXCg6wcV8Y8QS90FLmVbM3qAWU7SLoJIDPZfyr3XOnuNtzMKPI13LUxxXFx655M7DxSi97nIK5C7pky1ChILyzZWvPJW8RBoFvJhLJhKT8MrqyOo-fhCE7JmpbXAtIRlMrqNUNbyAvHY8CfrVZsjdEZnLFRYJ7zOxGQqmd1_2uKeCJrEJyWxSS2hVEetcAEB5a6Fj61_7Wex48YLK-KwCQdTgYpv3JVw3y6HCdmf_XQ1kFl_wB2GVsrZbHW0LWfmoBySQZAthK8UtLOUsw44ymvnKD3nA","expires_in":300,"refresh_expires_in":1799,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzE1ZTA1MS02Y2RiLTQ4Y2MtYjRmNC1mMDcyMmM4MWY5ZDMifQ.eyJleHAiOjE3MTg2MjMwMDEsImlhdCI6MTcxODYyMTIwMiwianRpIjoiNzBjM2JmNTAtYTFhMC00Y2Y3LTg2ZGUtMmZiOGU0NGU2ODVjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIGt2ayBncm91cHMgYnNuIiwic2lkIjoiNzYwMmQwZjAtNjExOC00ZTc2LTg5MWYtYWRjNDRhYzhkZDhjIn0.O6Z8SH7YSHbnp2qOvGaCryOrN0vGuI87quE7xWkplvI","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MjE1MDIsImlhdCI6MTcxODYyMTIwMiwiYXV0aF90aW1lIjoxNzE4NjIxMjAxLCJqdGkiOiJhMzQ0NjFkOC00ZWZlLTQ0ZmMtOWIyYS1iZDQ5YWMxMTgyNWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJ0ZXN0aWQiLCJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJ0eXAiOiJJRCIsImF6cCI6InRlc3RpZCIsIm5vbmNlIjoibm90LWEtcmFuZG9tLXN0cmluZyIsInNlc3Npb25fc3RhdGUiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJhdF9oYXNoIjoiX19zWTdxVVVRLTB4QnZ1Z1BzZlZNQSIsImFjciI6IjEiLCJzaWQiOiI3NjAyZDBmMC02MTE4LTRlNzYtODkxZi1hZGM0NGFjOGRkOGMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.feryIJUdewFDR8M89ECdkn-kIGY554CApQ9z5tA_L9IQNsVZq9k4IKd62OFwfT3iPfWwriW7uftRVcYtrKlYdeKb7POF9WeCfrWm2YtkFPkyVSE5LMgFFfR56sQbZ_hPItdButuuqO_gLeFduznRaap4ym0Pew3NNf0Ad82P3ZsoG5JANW8GNQOaGtQklMDT1XuWHU6TYaCgWtq9c8v2BVhoRpUghxR5B_6Ms4S894qz855KvbRAW3_bmBNM5EgLakWN_eyUrSM4AwTmrhUkPBEqyhMBf5xOKhNg-lBkGGhlwi4GpCbOoz1aJ_MjVQR47IAB6ld9FPeDR9d-rIR4SA","not-before-policy":0,"session_state":"7602d0f0-6118-4e76-891f-adc44ac8dd8c","scope":"openid
+        email profile kvk groups bsn"}'
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '3698'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Authorization:
+      - Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJleHAiOjE3MTg2MjE1MDIsImlhdCI6MTcxODYyMTIwMiwiYXV0aF90aW1lIjoxNzE4NjIxMjAxLCJqdGkiOiJiMjBkMTVmMS0yNmZjLTRlMmEtODhmYS0wOGZhNTQ3ODBlNWYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL3Rlc3QiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNmRiMmRiODctZGUzMS00ZTMwLTlmMjUtY2VmZTVkYThiMTU0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdGlkIiwibm9uY2UiOiJub3QtYS1yYW5kb20tc3RyaW5nIiwic2Vzc2lvbl9zdGF0ZSI6Ijc2MDJkMGYwLTYxMTgtNGU3Ni04OTFmLWFkYzQ0YWM4ZGQ4YyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEyNy4wLjAuMTo4MDAwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSBrdmsgZ3JvdXBzIGJzbiIsInNpZCI6Ijc2MDJkMGYwLTYxMTgtNGU3Ni04OTFmLWFkYzQ0YWM4ZGQ4YyIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiUmVnaXN0cmVlcmRlcnMiLCJkZWZhdWx0LXJvbGVzLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.OHAB_tiseDRl7w3jLzjGSUhfqrs_GLu3cJmjVWConm7sNZv0lyuWkhZb3jXCg6wcV8Y8QS90FLmVbM3qAWU7SLoJIDPZfyr3XOnuNtzMKPI13LUxxXFx655M7DxSi97nIK5C7pky1ChILyzZWvPJW8RBoFvJhLJhKT8MrqyOo-fhCE7JmpbXAtIRlMrqNUNbyAvHY8CfrVZsjdEZnLFRYJ7zOxGQqmd1_2uKeCJrEJyWxSS2hVEetcAEB5a6Fj61_7Wex48YLK-KwCQdTgYpv3JVw3y6HCdmf_XQ1kFl_wB2GVsrZbHW0LWfmoBySQZAthK8UtLOUsw44ymvnKD3nA
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
+  response:
+    body:
+      string: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0VU5RQWN2VWN2LURGVU94XzRPMWd0MTNPZEpTb3RxRUtQWnVyczJ2UVc4In0.eyJzdWIiOiI2ZGIyZGI4Ny1kZTMxLTRlMzAtOWYyNS1jZWZlNWRhOGIxNTQiLCJhdWQiOiJ0ZXN0aWQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy90ZXN0IiwiZ3JvdXBzIjpbIlJlZ2lzdHJlZXJkZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXN0Iiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20ifQ.vx4dCJ-Y-PEzjy8p7CNPB3yy0TyV_QugOHRbiV6UY3qHtZUnZqSsJD991QUostcYECuyTHefqfRtdCbvSJcPWI4ucosY65vshUMBtQeahsFOgNwWp2BvCkALJmEya4H_gh63vVlVZ2ZOSpWpah6eV2PNhiiYWD-Y9qEuLMzwngNvp5hna30BiRKAEsStB7izjE5pGECqkQm7pxCeZWHU81Lbh5fSo_2XvcGZ1Z-tf6DN95Oz4ers9YrG6dKSuh-HciY1zhv7mcee_tlJaeKjITue6r06163oKdjsYKRpiR4bLQ9256KafoxmU6O0IIlpkQhmtXrmaFSg0XyBYU8qcQ
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/jwt
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '813'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate, br
+      Connection:
+      - keep-alive
+      User-Agent:
+      - python-requests/2.32.2
+    method: GET
+    uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+  response:
+    body:
+      string: '{"keys":[{"kid":"4UNQAcvUcv-DFUOx_4O1gt13OdJSotqEKPZurs2vQW8","kty":"RSA","alg":"RS256","use":"sig","n":"2DOZ0qHie73SuFVR7civrl6r82YUiAghfzaMowjCg0o06AF--2lIS7vNV_PbsVVznPAAMqVrNG-8CcevEzvVZMQD9nH4DI7xlOxK0lrYu8rmMeSfOvXVbBVsWBZe0jnGNukZqjwmRE5__ttJdxPfIBT5-2L6mguQbDfhSUEEdIW7y7UfOXvqLqEcBtoIEB-ORKDTUIQwGZM5mSCy-cY3cHvvZfZVgaUUy5NvujPRXTMje4n_hG0KfEV-40G9qC2_Xvx4EooJzBZ6FSThiWhCpwhIvzcQqB6M9lHW7nU6wADhYPNCa2OKWvphwZ_zbrF4B9dmS6Zli5rBvbox9Hh45w","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMLTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgzmdKh4nu90rhVUe3Ir65eq/NmFIgIIX82jKMIwoNKNOgBfvtpSEu7zVfz27FVc5zwADKlazRvvAnHrxM71WTEA/Zx+AyO8ZTsStJa2LvK5jHknzr11WwVbFgWXtI5xjbpGao8JkROf/7bSXcT3yAU+fti+poLkGw34UlBBHSFu8u1Hzl76i6hHAbaCBAfjkSg01CEMBmTOZkgsvnGN3B772X2VYGlFMuTb7oz0V0zI3uJ/4RtCnxFfuNBvagtv178eBKKCcwWehUk4YloQqcISL83EKgejPZR1u51OsAA4WDzQmtjilr6YcGf826xeAfXZkumZYuawb26MfR4eOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsnQG/Yi2g1XTCJn74hWv9MjxVAaZb4gBAc2AWm5VgAjhFEM9h6x6m1mQkq7JM4rIdAj8jw55Ok9CBVBIqq4G4cME3eUvVytkj2lC9zcRoAivjjZF2HPg7zNPa2TTR50asmHPRokppV6gewO/C+o5as+4P2zqDXBh61aRd/9kdQfkg14LBbH5/dYccAuvUqlTYC4IEPCvVmBNC1xsMjf0vohvoSjm9vL2bfqG/RJH0ScdCjOd5d2zju4/e2oVdluWm+vzKBQplc7tVMuKpn6LcLmVHiGNAl+EBIZH+WVLlTx0D1+kbHZsfLYG53lQg2LsvurRbWyF/a5fVM/oLTn5ag=="],"x5t":"H5xfs1pRtvX0HyVTskx7eTXx88U","x5t#S256":"XurVtKAIEyc4w9HCGOhnjoRHnYu4d9HCn_5YHmkScJg"},{"kid":"TV3Tl5jIY1nrJLSb53UKEubLR5gYiq9slq1SsDDg1HU","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"pNvU3ecpVHbJT4bCOEpw6cnV1yi65tB3I0bRF2ilLVOY944QRAGnjBBECPIzNbgqavghYp1j75F2nq6_ny1CYfoaxTV2iDpRUw8_f7sliYbl8FrLLat0S25ItlZrg5TEJHObvOqlG2_nXoeH36MRWwNhms2uCqfhn5VgtenIzpQIBolnM7zzGp21NvdJ1C_ZAUzkXC-l3oQ-BXTtpEVM4h2KpYh4gfZJWCbYij5d1e1YApKD6V61_Cs3Oa2OY7CAUyq5kgAWJZFDB6CpzIr226u3bV7F9RbrQu3Ybc_Lv33EwykscLznKWZY2Mbs3Iz_rFNv3sVX_vHpH4DHWlKu7Q","e":"AQAB","x5c":["MIIClzCCAX8CBgGNeYaMlzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0MB4XDTI0MDIwNTEzNDYxN1oXDTM0MDIwNTEzNDc1N1owDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTb1N3nKVR2yU+GwjhKcOnJ1dcouubQdyNG0RdopS1TmPeOEEQBp4wQRAjyMzW4Kmr4IWKdY++Rdp6uv58tQmH6GsU1dog6UVMPP3+7JYmG5fBayy2rdEtuSLZWa4OUxCRzm7zqpRtv516Hh9+jEVsDYZrNrgqn4Z+VYLXpyM6UCAaJZzO88xqdtTb3SdQv2QFM5Fwvpd6EPgV07aRFTOIdiqWIeIH2SVgm2Io+XdXtWAKSg+letfwrNzmtjmOwgFMquZIAFiWRQwegqcyK9turt21exfUW60Lt2G3Py799xMMpLHC85ylmWNjG7NyM/6xTb97FV/7x6R+Ax1pSru0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQGJHeTYSMvp0yndbIn7DLohO9lom5nRrx/bLyb7TiRfogyJEF6rQZ66CAkQFk5eMF878fsHTuMVjtmXVBnhojhVmK91HwjsNQu/8xR6QMXNKJQMvHR245vwUGxlWRw/36ObM1D7QjCd/q+FonpBEY4m5Y6Uz1U0HR2Cbh0E2afVlPLeV+F0LKrlyVMdIaWBGWftCGIKDAHaG/PD66zbAKtxerv2fBIDq100WHPhd57BZxX+2aGJp1IaRDgkxV0E/CjEy3+Knd8xbAgUSW0Tl6OTC75exIvlbzeluEBe0wlapAb7WvBKYsipSW8G8Ey7tjoolDT4AU82EaKUPstiMnA=="],"x5t":"AlfHDI0FOPQpt3RBAILt0dtW1yw","x5t#S256":"a7bhm8-JsnfY7bL_m8Yl72hgmp5516VZlFcVloKzk08"}]}'
+    headers:
+      Cache-Control:
+      - no-cache
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-XSS-Protection:
+      - 1; mode=block
+      content-length:
+      - '2909'
+    status:
+      code: 200
+      message: OK
+version: 1
diff --git a/src/openforms/tests/test_registrator_prefill.py b/src/openforms/tests/test_registrator_prefill.py
index 9002e1bb14..daea5d4d87 100644
--- a/src/openforms/tests/test_registrator_prefill.py
+++ b/src/openforms/tests/test_registrator_prefill.py
@@ -1,3 +1,4 @@
+from pathlib import Path
 from unittest.mock import patch
 
 from django.contrib.auth.models import Group
@@ -5,8 +6,6 @@
 
 import requests_mock
 from django_webtest import WebTest
-from furl import furl
-from mozilla_django_oidc_db.models import OpenIDConnectConfig
 from rest_framework import status
 from zgw_consumers.test.factories import ServiceFactory
 
@@ -16,13 +15,21 @@
     REGISTRATOR_SUBJECT_SESSION_KEY,
     AuthAttribute,
 )
+from openforms.authentication.contrib.org_oidc.plugin import PLUGIN_IDENTIFIER
+from openforms.authentication.contrib.org_oidc.tests.base import mock_org_oidc_config
+from openforms.authentication.tests.utils import URLsHelper
 from openforms.contrib.haal_centraal.models import HaalCentraalConfig
 from openforms.contrib.haal_centraal.tests.utils import load_json_mock
-from openforms.forms.tests.factories import FormStepFactory
+from openforms.forms.tests.factories import FormFactory
 from openforms.prefill.contrib.haalcentraal_brp.constants import AttributesV1
 from openforms.submissions.models import Submission
+from openforms.utils.tests.concurrent import mock_parallel_executor
+from openforms.utils.tests.keycloak import keycloak_login
+from openforms.utils.tests.vcr import OFVCRMixin
 from openforms.utils.urls import reverse_plus
 
+TEST_FILES = (Path(__file__).parent / "data").resolve()
+
 CONFIGURATION = {
     "display": "form",
     "components": [
@@ -60,204 +67,128 @@
     BASE_URL="http://example.com",
     ALLOWED_HOSTS=["example.com", "testserver"],
 )
-class OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest(WebTest):
+class OIDCRegistratorSubjectHaalCentraalPrefillIntegrationTest(OFVCRMixin, WebTest):
     """
     Here we test the full flow of an employee using OIDC to login to a form,
     enter a clients BSN, start the form and have the prefill machinery add data about the client
     """
 
+    VCR_TEST_FILES = TEST_FILES
+
     csrf_checks = False
+    extra_environ = {"HTTP_HOST": "example.com"}
 
+    @mock_org_oidc_config(enabled=True, make_users_staff=True)
     @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.get_userinfo"
+        "openforms.contrib.haal_centraal.models.HaalCentraalConfig.get_solo",
+        return_value=HaalCentraalConfig(
+            brp_personen_service=ServiceFactory.build(api_root="https://personen/api/")
+        ),
     )
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.store_tokens"
-    )
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.verify_token"
-    )
-    @patch(
-        "openforms.authentication.contrib.org_oidc.backends.OIDCAuthenticationBackend.get_token"
-    )
-    @patch("mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo")
-    @patch("openforms.contrib.haal_centraal.models.HaalCentraalConfig.get_solo")
-    @patch("openforms.logging.logevent._create_log")
-    def test_flow(
-        self,
-        mock_create_log,
-        mock_haalcentraal_solo,
-        mock_get_solo,
-        mock_get_token,
-        mock_verify_token,
-        mock_store_tokens,
-        mock_get_userinfo,
-    ):
-        self.assertFalse(User.objects.exists())
-
-        hc_brp_service = ServiceFactory.build(api_root="https://personen/api/")
-        mock_haalcentraal_solo.return_value = HaalCentraalConfig(
-            brp_personen_service=hc_brp_service
+    @mock_parallel_executor()
+    def test_flow(self, mock_haalcentraal_solo):
+        assert not User.objects.exists()
+        # group returned by Keycloak and set up with correct permissions
+        assert Group.objects.filter(name__iexact="Registreerders").exists()
+
+        form = FormFactory.create(
+            generate_minimal_setup=True,
+            formstep__form_definition__configuration=CONFIGURATION,
+            formstep__form_definition__login_required=True,
+            authentication_backends=[PLUGIN_IDENTIFIER],
+            name="My form",
+            slug="my-form",
         )
-
-        mock_get_solo.return_value = OpenIDConnectConfig(
-            **{
-                **default_config,
-                **{
-                    "id": 1,
-                    "username_claim": "arbitrary_employee_id_claim",
-                    "claim_mapping": {
-                        "email": "email",
-                        "last_name": "family_name",
-                        "first_name": "given_name",
-                        "employee_id": "arbitrary_employee_id_claim",
-                    },
-                    "groups_claim": "arbitrary_groups",
-                },
-            }
+        url_helper = URLsHelper(form=form, host="http://example.com")
+        start_url = url_helper.get_auth_start(plugin_id=PLUGIN_IDENTIFIER)
+        start_response = self.app.get(start_url)
+
+        # simulate login to Keycloak
+        redirect_uri = keycloak_login(
+            start_response["Location"],
+            username="admin",
+            password="admin",
+            host="http://example.com",
         )
-        mock_get_token.return_value = {
-            "id_token": "mock-id-token",
-            "access_token": "mock-access-token",
-        }
-        user_claims = {
-            "sub": "arbitrary_employee_id_claim",
-            "email": "admin@testserver",
-            "given_name": "John",
-            "family_name": "Doe",
-            "arbitrary_employee_id_claim": "my_id_value",
-            "arbitrary_groups": ["Registreerders"],
-        }
-        mock_verify_token.return_value = user_claims
-        mock_get_userinfo.return_value = user_claims
-        mock_store_tokens.return_value = {"whatever": 1}
 
-        # grab user group (from default_groups fixture)
-        group = Group.objects.get(name__iexact="Registreerders")
+        # complete the login flow on our end
+        registrator_subject_page = self.app.get(redirect_uri, auto_follow=True)
 
-        # setup our form and urls
-        form_step = FormStepFactory.create(
-            form_definition__configuration=CONFIGURATION,
-            form_definition__login_required=True,
-            form__authentication_backends=["org-oidc"],
-            form__name="My Form",
-            form__slug="my-form",
-        )
-        form = form_step.form
-        form_url = reverse_plus("core:form-detail", kwargs={"slug": form.slug})
-
-        # start of flow begins by browsing the authentication:start view
-        auth_start_url = reverse_plus(
-            "authentication:start",
-            kwargs={"slug": form.slug, "plugin_id": "org-oidc"},
-        )
-
-        auth_start_response = self.app.get(
-            auth_start_url, {"next": form_url}, status=302
-        )
-        # redirect to the OIDC request view
-        auth_start_response.follow(status=302)
-
-        # at this point the user would redirect to the OIDC provider and return to our callback
-        handle_return_url = reverse_plus(
-            "authentication:return",
-            kwargs={"slug": form.slug, "plugin_id": "org-oidc"},
-            query={"next": form_url},
-        )
+        with self.subTest("user created"):
+            user = User.objects.get()
+            self.assertEqual(user.username, "admin")
+            self.assertTrue(user.is_staff)
 
-        oidc_callback_url = reverse_plus("org-oidc:oidc_authentication_callback")
-
-        session = self.app.session
-        session["oidc_states"] = {"mock": {"nonce": "nonce"}}
-        session["oidc_login_next"] = handle_return_url
-        session.save()
-
-        # access the oidc callback view
-        oidc_callback_response = self.app.get(
-            oidc_callback_url, {"code": "mock", "state": "mock"}
-        )
-
-        # oidc machinery worked
-        mock_get_token.assert_called_once()
-        mock_verify_token.assert_called_once()
-        mock_store_tokens.assert_called_once()
-        mock_get_userinfo.assert_called_once()
-
-        # a user was created
-        user = User.objects.get()
-        self.assertTrue(user.employee_id, "my_id_value")
-        # note: assertQuerysetEqual doesn't check primary keys, so can't detect duplicate objects
-        self.assertEqual(user.groups.get().pk, group.pk)
-
-        # redirects from oidc callback, via the plugin return view, to the registrator_subject form
-        return_response = oidc_callback_response.follow(status=302)
-        registrator_subject_form_response = return_response.follow(status=200)
+        with self.subTest("registrator subject page"):
+            self.assertTemplateUsed(
+                registrator_subject_page,
+                "of_authentication/registrator_subject_info.html",
+            )
 
+        registrator_subject_form = registrator_subject_page.forms["registrator-subject"]
         # fill in the BSN in the form registrator-subject
-        registrator_subject_form = registrator_subject_form_response.forms[
-            "registrator-subject"
-        ]
         registrator_subject_form["mode"].select("citizen")
         registrator_subject_form["bsn"] = "999990676"
 
         form_response = registrator_subject_form.submit(status=302).follow(status=200)
-
-        # back at the form
-        # TODO webtest doesn't redirect/forward the hostname as expected, so just check path
-        self.assertEqual(furl(form_response.request.url).path, furl(form_url).path)
-
-        # check our session data
-        self.assertIn(FORM_AUTH_SESSION_KEY, self.app.session)
-        s = self.app.session[FORM_AUTH_SESSION_KEY]
-        self.assertEqual(s["plugin"], "org-oidc")
-        self.assertEqual(s["attribute"], AuthAttribute.employee_id)
-        self.assertEqual(s["value"], "my_id_value")
-
-        self.assertIn(REGISTRATOR_SUBJECT_SESSION_KEY, self.app.session)
-        s = self.app.session[REGISTRATOR_SUBJECT_SESSION_KEY]
-        self.assertEqual(s["attribute"], AuthAttribute.bsn)
-        self.assertEqual(s["value"], "999990676")
-
-        # fake a submit
-        form_api_url = reverse_plus(
-            "api:form-detail", kwargs={"uuid_or_slug": form.uuid}
-        )
-
-        body = {
-            "form": form_api_url,
-            "formUrl": form_url,
-        }
-
-        with requests_mock.Mocker(real_http=False) as m:
-            m.get(
-                "https://personen/api/ingeschrevenpersonen/999990676",
-                status_code=200,
-                json=load_json_mock("ingeschrevenpersonen.v1.json"),
+        # XXX webtest makes the host http://testserver, which is different from our
+        # BASE_URL setting.
+        self.assertEqual(form_response.request.url, url_helper.frontend_start)
+
+        with self.subTest("session state before submission start"):
+            # check our session data
+            self.assertIn(FORM_AUTH_SESSION_KEY, self.app.session)
+            s = self.app.session[FORM_AUTH_SESSION_KEY]
+            self.assertEqual(s["plugin"], "org-oidc")
+            self.assertEqual(s["attribute"], AuthAttribute.employee_id)
+            self.assertEqual(s["value"], "admin")
+
+            self.assertIn(REGISTRATOR_SUBJECT_SESSION_KEY, self.app.session)
+            s = self.app.session[REGISTRATOR_SUBJECT_SESSION_KEY]
+            self.assertEqual(s["attribute"], AuthAttribute.bsn)
+            self.assertEqual(s["value"], "999990676")
+
+        with self.subTest("start submission with prefill"):
+            # fake a submit
+            form_api_url = reverse_plus(
+                "api:form-detail", kwargs={"uuid_or_slug": form.uuid}
             )
 
-            response = self.app.post_json(
-                reverse_plus("api:submission-list"),
-                body,
-                status=201,
-            )
+            with requests_mock.Mocker(real_http=False) as m:
+                m.get(
+                    "https://personen/api/ingeschrevenpersonen/999990676",
+                    status_code=200,
+                    json=load_json_mock("ingeschrevenpersonen.v1.json"),
+                )
+
+                response = self.app.post_json(
+                    reverse_plus("api:submission-list"),
+                    {
+                        "form": form_api_url,
+                        "formUrl": url_helper.frontend_start,
+                    },
+                    status=201,
+                )
 
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        submission = Submission.objects.get()
-        state = submission.load_submission_value_variables_state()
+            self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+            submission = Submission.objects.get()
+            state = submission.load_submission_value_variables_state()
 
-        vars = state.get_prefill_variables()
+            variables = state.get_prefill_variables()
 
-        self.assertEqual(len(vars), 1)
-        self.assertEqual(vars[0].key, "voornamen")
+            self.assertEqual(len(variables), 1)
+            self.assertEqual(variables[0].key, "voornamen")
 
-        # check we got the name from the haalcentraal JSON mock
-        self.assertEqual(vars[0].value, "Cornelia Francisca")
+            # check we got the name from the haalcentraal JSON mock
+            self.assertEqual(variables[0].value, "Cornelia Francisca")
 
-        # test registrator data
-        self.assertEqual(submission.auth_info.value, "999990676")
-        self.assertEqual(submission.auth_info.plugin, "registrator")
-        self.assertEqual(submission.auth_info.attribute, AuthAttribute.bsn)
+            # test registrator data
+            self.assertEqual(submission.auth_info.value, "999990676")
+            self.assertEqual(submission.auth_info.plugin, "registrator")
+            self.assertEqual(submission.auth_info.attribute, AuthAttribute.bsn)
 
-        self.assertEqual(submission.registrator.value, "my_id_value")
-        self.assertEqual(submission.registrator.plugin, "org-oidc")
-        self.assertEqual(submission.registrator.attribute, AuthAttribute.employee_id)
+            self.assertEqual(submission.registrator.value, "admin")
+            self.assertEqual(submission.registrator.plugin, "org-oidc")
+            self.assertEqual(
+                submission.registrator.attribute, AuthAttribute.employee_id
+            )
diff --git a/src/openforms/urls.py b/src/openforms/urls.py
index 46e31d89cb..7617089845 100644
--- a/src/openforms/urls.py
+++ b/src/openforms/urls.py
@@ -19,6 +19,26 @@
 admin.site.index_title = _("Welcome to the Open Forms admin")
 admin.site.enable_nav_sidebar = False
 
+# DeprecationWarning
+# TODO: remove in Open Forms 3.0 - these are moved to /auth/oidc/*
+_legacy_oidc_urls = [
+    path(
+        "",
+        include("openforms.authentication.contrib.digid_eherkenning_oidc.legacy_urls"),
+    ),
+    path(
+        "org-oidc/",
+        include("openforms.authentication.contrib.org_oidc.urls"),
+    ),
+    # still included so that URL reversing for the authentication request view works
+    path("oidc/", include("mozilla_django_oidc.urls")),  # moved to /auth/oidc
+    # included with namespace for backwards compatibility reasons
+    path(
+        "oidc/",
+        include(([path("", include("mozilla_django_oidc.urls"))], "legacy_oidc")),
+    ),
+]
+
 urlpatterns = [
     path("admin/", include("openforms.admin.urls")),
     path(
@@ -34,6 +54,8 @@
     path("cookies/", include("cookie_consent.urls")),
     path("tinymce/", decorator_include(login_required, "tinymce.urls")),  # type: ignore
     path("api/", include("openforms.api.urls", namespace="api")),
+    *_legacy_oidc_urls,
+    path("auth/oidc/", include("mozilla_django_oidc.urls")),
     path("auth/", include("openforms.authentication.urls", namespace="authentication")),
     path(
         "appointments/",
@@ -44,32 +66,6 @@
         "submissions/",
         include("openforms.submissions.urls", namespace="submissions"),
     ),
-    path("oidc/", include("mozilla_django_oidc.urls")),
-    path("org-oidc/", include("openforms.authentication.contrib.org_oidc.urls")),
-    path(
-        "digid-oidc/",
-        include(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.digid_urls",
-        ),
-    ),
-    path(
-        "eherkenning-oidc/",
-        include(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.eherkenning_urls",
-        ),
-    ),
-    path(
-        "digid-machtigen-oidc/",
-        include(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.digid_machtigen_urls",
-        ),
-    ),
-    path(
-        "eherkenning-bewindvoering-oidc/",
-        include(
-            "openforms.authentication.contrib.digid_eherkenning_oidc.eherkenning_bewindvoering_urls",
-        ),
-    ),
     path("payment/", include("openforms.payments.urls", namespace="payments")),
     # NOTE: we dont use the User creation feature so don't enable all the mock views
     path("digid/", include("openforms.authentication.contrib.digid.urls")),
diff --git a/src/openforms/utils/tests/concurrent.py b/src/openforms/utils/tests/concurrent.py
new file mode 100644
index 0000000000..eff2bb1e8f
--- /dev/null
+++ b/src/openforms/utils/tests/concurrent.py
@@ -0,0 +1,38 @@
+from concurrent.futures import Executor, Future
+from contextlib import contextmanager
+from unittest.mock import patch
+
+
+class _DummyThreadPoolExecutor(Executor):
+    def __init__(self, max_workers=None):
+        self._max_workers = max_workers
+
+    def submit(self, fn, *args, **kwargs):
+        future = Future()
+        try:
+            result = fn(*args, **kwargs)
+        except Exception as exc:
+            future.set_exception(exc)
+        else:
+            future.set_result(result)
+        return future
+
+
+@contextmanager
+def mock_parallel_executor():
+    """
+    Mock the zgw_consumers.concurrent.parallel helper to not use real threads.
+
+    Useful for tests where queries are done in the tasks submitted to the pool - these
+    changes cannot be rolled back since the test DB transaction is not aware of the
+    extra DB transactions in the tests. This in turn leads to broken test isolation.
+    """
+    executor_patcher = patch(
+        "zgw_consumers.concurrent.futures.ThreadPoolExecutor",
+        new=_DummyThreadPoolExecutor,
+    )
+    conn_patcher = patch(
+        "zgw_consumers.concurrent.close_db_connections", return_value=None
+    )
+    with executor_patcher, conn_patcher:
+        yield
diff --git a/src/openforms/utils/tests/keycloak.py b/src/openforms/utils/tests/keycloak.py
new file mode 100644
index 0000000000..257ab10337
--- /dev/null
+++ b/src/openforms/utils/tests/keycloak.py
@@ -0,0 +1,99 @@
+"""
+Keycloak helpers taken from mozilla-django-oidc-db::tests/utils.py & pytest fixtures.
+
+These help dealing with/stubbing out OpenID Provider configuration.
+
+The Keycloak client ID/secret and URLs are set up for the config in
+docker/docker-compose.keycloak.yml. See the README.md in docker/keycloak/ for more
+information.
+"""
+
+from contextlib import contextmanager, nullcontext
+from unittest.mock import patch
+
+from django.apps import apps
+
+from pyquery import PyQuery as pq
+from requests import Session
+
+KEYCLOAK_BASE_URL = "http://localhost:8080/realms/test/protocol/openid-connect"
+
+
+def keycloak_login(
+    login_url: str,
+    username: str = "testuser",
+    password: str = "testuser",
+    host: str = "http://testserver/",
+    session: Session | None = None,
+) -> str:
+    """
+    Test helper to perform a keycloak login.
+
+    :param login_url: A login URL for keycloak with all query string parameters. E.g.
+        `client.get(reverse("login"))["Location"]`.
+    :returns: The redirect URI to consume in the django application, with the ``code``
+        ``state`` query parameters. Consume this with ``response = client.get(url)``.
+    """
+    cm = Session() if session is None else nullcontext(session)
+    with cm as session:
+        login_page = session.get(login_url)
+        assert login_page.status_code == 200
+
+        # process keycloak's login form and submit the username + password to
+        # authenticate
+        document = pq(login_page.text)
+        login_form = document("form#kc-form-login")
+        submit_url = login_form.attr("action")
+        assert isinstance(submit_url, str)
+        login_response = session.post(
+            submit_url,
+            data={
+                "username": username,
+                "password": password,
+                "credentialId": "",
+                "login": "Sign In",
+            },
+            allow_redirects=False,
+        )
+
+        assert login_response.status_code == 302
+        assert (redirect_uri := login_response.headers["Location"]).startswith(host)
+
+        return redirect_uri
+
+
+@contextmanager
+def mock_oidc_db_config(app_label: str, model: str, **overrides):
+    """
+    Bundle all the required mocks.
+
+    This context manager deliberately prevents the mocked things from being injected in
+    the test method signature.
+    """
+    defaults = {
+        "enabled": True,
+        "oidc_rp_client_id": "testid",
+        "oidc_rp_client_secret": "7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I",
+        "oidc_rp_sign_algo": "RS256",
+        "oidc_rp_scopes_list": ["openid"],
+        "oidc_op_jwks_endpoint": f"{KEYCLOAK_BASE_URL}/certs",
+        "oidc_op_authorization_endpoint": f"{KEYCLOAK_BASE_URL}/auth",
+        "oidc_op_token_endpoint": f"{KEYCLOAK_BASE_URL}/token",
+        "oidc_op_user_endpoint": f"{KEYCLOAK_BASE_URL}/userinfo",
+    }
+    field_values = {**defaults, **overrides}
+    model_cls = apps.get_model(app_label, model)
+    with (
+        # bypass django-solo queries + cache hits
+        patch(
+            f"{model_cls.__module__}.{model}.get_solo",
+            return_value=model_cls(**field_values),
+        ),
+        # mock the state & nonce random value generation so we get predictable URLs to
+        # match with VCR
+        patch(
+            "mozilla_django_oidc.views.get_random_string",
+            return_value="not-a-random-string",
+        ),
+    ):
+        yield
diff --git a/src/openforms/utils/tests/test_migrations.py b/src/openforms/utils/tests/test_migrations.py
index bd7afce819..ab7b0a6f12 100644
--- a/src/openforms/utils/tests/test_migrations.py
+++ b/src/openforms/utils/tests/test_migrations.py
@@ -1,11 +1,12 @@
 from django.core.management import call_command
 from django.db import connection
 from django.db.migrations.executor import MigrationExecutor
-from django.test import TransactionTestCase, override_settings
+from django.test import TransactionTestCase, override_settings, tag
 
 unset = object()
 
 
+@tag("migrations")
 class TestMigrations(TransactionTestCase):
     """
     Test the effect of applying a migration