maykinmedia
diff --git a/‎docs/configuration/admin_oidc.rst
+3-10 b/‎docs/configuration/admin_oidc.rst
+3-10
diff --git a/‎docs/configuration/digid_oidc.rst
+9-23 b/‎docs/configuration/digid_oidc.rst
+9-23
diff --git a/‎docs/configuration/eherkenning_oidc.rst
+8-22 b/‎docs/configuration/eherkenning_oidc.rst
+8-22
diff --git a/‎docs/configuration/eherkenning_saml.rst
+2-2 b/‎docs/configuration/eherkenning_saml.rst
+2-2
diff --git a/‎requirements/base.in
+1-1 b/‎requirements/base.in
+1-1
diff --git a/‎requirements/base.txt
+7-4 b/‎requirements/base.txt
+7-4
diff --git a/‎requirements/ci.txt
+6-3 b/‎requirements/ci.txt
+6-3
diff --git a/‎requirements/dev.txt
+6-3 b/‎requirements/dev.txt
+6-3
diff --git a/‎src/digid_eherkenning_oidc_generics/__init__.py b/‎src/digid_eherkenning_oidc_generics/__init__.py
diff --git a/‎src/digid_eherkenning_oidc_generics/admin.py
-69 b/‎src/digid_eherkenning_oidc_generics/admin.py
-69
diff --git a/‎src/digid_eherkenning_oidc_generics/apps.py
-7 b/‎src/digid_eherkenning_oidc_generics/apps.py
-7
@@ -36,7 +36,6 @@ All settings:
     ADMIN_OIDC_DEFAULT_GROUPS
     ADMIN_OIDC_GROUPS_CLAIM
     ADMIN_OIDC_MAKE_USERS_STAFF
-    ADMIN_OIDC_OIDC_EXEMPT_URLS
     ADMIN_OIDC_OIDC_NONCE_SIZE
     ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
     ADMIN_OIDC_OIDC_OP_DISCOVERY_ENDPOINT
@@ -65,12 +64,12 @@ Detailed Information
     Setting             claim mapping
     Description         Mapping from user-model fields to OIDC claims
     Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {'email': 'email', 'first_name': 'given_name', 'last_name': 'family_name'}
+    Default value       {'email': ['email'], 'first_name': ['given_name'], 'last_name': ['family_name']}
     
     Variable            ADMIN_OIDC_GROUPS_CLAIM
     Setting             groups claim
     Description         The name of the OIDC claim that holds the values to map to local user groups.
-    Possible values     string
+    Possible values     No information available
     Default value       roles
     
     Variable            ADMIN_OIDC_MAKE_USERS_STAFF
@@ -79,12 +78,6 @@ Detailed Information
     Possible values     True, False
     Default value       False
     
-    Variable            ADMIN_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     string, comma-delimited ('foo,bar,baz')
-    Default value       
-    
     Variable            ADMIN_OIDC_OIDC_NONCE_SIZE
     Setting             Nonce size
     Description         Sets the length of the random string used for OpenID Connect nonce verification
@@ -190,5 +183,5 @@ Detailed Information
     Variable            ADMIN_OIDC_USERNAME_CLAIM
     Setting             username claim
     Description         The name of the OIDC claim that is used as the username
-    Possible values     string
+    Possible values     No information available
     Default value       sub
@@ -31,10 +31,8 @@ All settings:
 
 ::
 
+    DIGID_OIDC_BSN_CLAIM
     DIGID_OIDC_ENABLED
-    DIGID_OIDC_ERROR_MESSAGE_MAPPING
-    DIGID_OIDC_IDENTIFIER_CLAIM_NAME
-    DIGID_OIDC_OIDC_EXEMPT_URLS
     DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT
     DIGID_OIDC_OIDC_NONCE_SIZE
     DIGID_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
@@ -57,30 +55,18 @@ Detailed Information
 
 ::
 
+    Variable            DIGID_OIDC_BSN_CLAIM
+    Setting             BSN-claim
+    Description         Naam van de claim die het BSN bevat van de ingelogde gebruiker.
+    Possible values     No information available
+    Default value       bsn
+    
     Variable            DIGID_OIDC_ENABLED
     Setting             inschakelen
-    Description         Geeft aan of OpenID Connect voor authenticatie/autorisatie is ingeschakeld. Deze overschrijft het gebruik van SAML voor DigiD-authenticatie.
+    Description         Indicates whether OpenID Connect for authentication/authorization is enabled
     Possible values     True, False
     Default value       False
     
-    Variable            DIGID_OIDC_ERROR_MESSAGE_MAPPING
-    Setting             Foutmelding mapping
-    Description         Mapping die de door de identiteitsprovider geretourneerde foutmeldingen, omzet in leesbare meldingen die aan de gebruiker worden getoond
-    Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {}
-    
-    Variable            DIGID_OIDC_IDENTIFIER_CLAIM_NAME
-    Setting             BSN claim naam
-    Description         De naam van de claim waarin het BSN nummer van de gebruiker is opgeslagen
-    Possible values     string
-    Default value       bsn
-    
-    Variable            DIGID_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     No information available
-    Default value       
-    
     Variable            DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT
     Setting             Keycloak-identiteitsprovider hint
     Description         Specifiek voor Keycloak: parameter die aangeeft welke identiteitsprovider gebruikt moet worden (inlogscherm van Keycloak overslaan).
@@ -149,7 +135,7 @@ Detailed Information
     
     Variable            DIGID_OIDC_OIDC_RP_SCOPES_LIST
     Setting             OpenID Connect scopes
-    Description         OpenID Connect-scopes die worden bevraagd tijdens het inloggen. Deze zijn hardcoded en moeten worden ondersteund door de identiteitsprovider.
+    Description         OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider.
     Possible values     No information available
     Default value       openid, bsn
     
 
@@ -32,9 +32,7 @@ All settings:
 ::
 
     EHERKENNING_OIDC_ENABLED
-    EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING
-    EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME
-    EHERKENNING_OIDC_OIDC_EXEMPT_URLS
+    EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM
     EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT
     EHERKENNING_OIDC_OIDC_NONCE_SIZE
     EHERKENNING_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
@@ -59,27 +57,15 @@ Detailed Information
 
     Variable            EHERKENNING_OIDC_ENABLED
     Setting             inschakelen
-    Description         Geeft aan of OpenID Connect voor authenticatie/autorisatie is ingeschakeld. Deze heeft voorrang op het gebruik van SAML voor eHerkenning-authenticatie.
+    Description         Indicates whether OpenID Connect for authentication/authorization is enabled
     Possible values     True, False
     Default value       False
     
-    Variable            EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING
-    Setting             Foutmelding mapping
-    Description         Mapping die de door de identiteitsprovider geretourneerde foutmeldingen, omzet in leesbare meldingen die aan de gebruiker worden getoond
-    Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {}
-    
-    Variable            EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME
-    Setting             KVK claim naam
-    Description         De naam van de claim waarin het KVK nummer van de gebruiker is opgeslagen
-    Possible values     string
-    Default value       kvk
-    
-    Variable            EHERKENNING_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     string, comma-delimited ('foo,bar,baz')
-    Default value       
+    Variable            EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM
+    Setting             bedrijfsidenticatie-claim
+    Description         Naam van de claim die de identificatie van het ingelogde/vertegenwoordigde bedrijf bevat.
+    Possible values     No information available
+    Default value       urn:etoegang:core:LegalSubjectID
     
     Variable            EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT
     Setting             Keycloak-identiteitsprovider hint
@@ -149,7 +135,7 @@ Detailed Information
     
     Variable            EHERKENNING_OIDC_OIDC_RP_SCOPES_LIST
     Setting             OpenID Connect scopes
-    Description         OpenID Connect-scopes die worden bevraagd tijdens het inloggen. Deze zijn hardcoded en moeten worden ondersteund door de identiteitsprovider.
+    Description         OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider.
     Possible values     string, comma-delimited ('foo,bar,baz')
     Default value       openid, kvk
     
 
@@ -134,7 +134,7 @@ Detailed Information
     
     Variable            EHERKENNING_SAML_EH_LOA
     Setting             eHerkenning LoA
-    Description         Level of Assurance (LoA) to use for the eHerkenning service.
+    Description         Betrouwbaarheidsniveau (LoA) voor de eHerkenningservice.
     Possible values     urn:etoegang:core:assurance-class:loa1, urn:etoegang:core:assurance-class:loa2, urn:etoegang:core:assurance-class:loa2plus, urn:etoegang:core:assurance-class:loa3, urn:etoegang:core:assurance-class:loa4
     Default value       urn:etoegang:core:assurance-class:loa3
     
@@ -164,7 +164,7 @@ Detailed Information
     
     Variable            EHERKENNING_SAML_EIDAS_LOA
     Setting             eIDAS LoA
-    Description         Level of Assurance (LoA) to use for the eIDAS service.
+    Description         Betrouwbaarheidsniveau (LoA) voor de eIDAS-service.
     Possible values     urn:etoegang:core:assurance-class:loa1, urn:etoegang:core:assurance-class:loa2, urn:etoegang:core:assurance-class:loa2plus, urn:etoegang:core:assurance-class:loa3, urn:etoegang:core:assurance-class:loa4
     Default value       urn:etoegang:core:assurance-class:loa3
     
 
@@ -79,7 +79,7 @@ elastic-apm  # Elastic APM integration
 beautifulsoup4
 
 # DigidLocal
-django-digid-eherkenning
+django-digid-eherkenning[oidc]
 maykin-python3-saml
 pyopenssl
 django-sessionprofile
 
@@ -190,7 +190,7 @@ django-csp==3.7
     # via -r requirements/base.in
 django-csp-reports==1.8.1
     # via -r requirements/base.in
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.16.0
     # via -r requirements/base.in
 django-elasticsearch-dsl==7.4
     # via -r requirements/base.in
@@ -403,10 +403,12 @@ maykin-python3-saml==1.16.1
     #   django-digid-eherkenning
 messagebird==2.1.0
     # via -r requirements/base.in
-mozilla-django-oidc==2.0.0
+mozilla-django-oidc==4.0.1
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.14.1
-    # via -r requirements/base.in
+mozilla-django-oidc-db==0.19.0
+    # via
+    #   -r requirements/base.in
+    #   django-digid-eherkenning
 notifications-api-common==0.2.2
     # via -r requirements/base.in
 oath==1.4.4
@@ -544,6 +546,7 @@ tinycss2==1.1.1
 typing-extensions==4.10.0
     # via
     #   -r requirements/base.in
+    #   mozilla-django-oidc-db
     #   pydantic
     #   pydantic-core
     #   pyee
 
@@ -314,10 +314,11 @@ django-csp-reports==1.8.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.16.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 django-elasticsearch-dsl==7.4
     # via
     #   -c requirements/base.txt
@@ -743,15 +744,16 @@ messagebird==2.1.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-mozilla-django-oidc==2.0.0
+mozilla-django-oidc==4.0.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.14.1
+mozilla-django-oidc-db==0.19.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   django-digid-eherkenning
 multidict==6.0.5
     # via yarl
 mypy-extensions==1.0.0
@@ -1066,6 +1068,7 @@ typing-extensions==4.10.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+    #   mozilla-django-oidc-db
     #   polyfactory
     #   pydantic
     #   pydantic-core
 
@@ -356,10 +356,11 @@ django-csp-reports==1.8.1
     #   -r requirements/ci.txt
 django-debug-toolbar==3.2.2
     # via -r requirements/dev.in
-django-digid-eherkenning==0.13.1
+django-digid-eherkenning[oidc]==0.16.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   django-digid-eherkenning
 django-elasticsearch-dsl==7.4
     # via
     #   -c requirements/ci.txt
@@ -845,15 +846,16 @@ messagebird==2.1.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
-mozilla-django-oidc==2.0.0
+mozilla-django-oidc==4.0.1
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.14.1
+mozilla-django-oidc-db==0.19.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   django-digid-eherkenning
 msgpack==1.0.7
     # via locust
 multidict==6.0.5
@@ -1269,6 +1271,7 @@ typing-extensions==4.10.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
+    #   mozilla-django-oidc-db
     #   polyfactory
     #   pydantic
     #   pydantic-core