✨ [#3695] Add USE_OIDC_FOR_ADMIN_LOGIN setting and document it

docs/configuration/general/oidc.rst

@@ -86,3 +86,6 @@ Klik tot slot rechtsonder op **Opslaan**.
 Je kan vervolgens het makkelijkst testen of alles werkt door in een incognitoscherm
 naar ``https://open-formulieren.gemeente.nl/admin/`` te navigeren en op 
 *Inloggen met organisatieaccount* te klikken.
+
+.. note:: We raden aan om Open Formulieren te deployen met de ``USE_OIDC_FOR_ADMIN_LOGIN=1``
+   environment variabele zodat je meteen omgeleid wordt naar de OpenID Connect Provider.

docs/installation/config.rst

@@ -260,6 +260,11 @@ Other settings
   Docker images. The value is used to know which SDK JS/CSS files to include on the form
   detail page.
 
+* ``USE_OIDC_FOR_ADMIN_LOGIN``: If enabled, the admin login page will automatically
+  redirect to the OpenID Connect provider. You typically want to enable this if you
+  enable :ref:`Organization accounts <configuration_authentication_oidc>`. Defaults
+  to ``False``.
+
 * ``SESSION_EXPIRE_AT_BROWSER_CLOSE``: Controls if sessions expire at browser close.
   This applies to both the session of end-users filling out forms and staff using the
   administrative interface. Enabling this forces users to log in every time they open

src/openforms/admin/urls.py

@@ -37,6 +37,9 @@
         ),
     ),
     path("login/failure/", AdminLoginFailure.as_view(), name="admin-oidc-error"),
+    # Custom views on top of maykin-2fa even for OIDC redirect if staff users are not
+    # authenticated.
+    # TODO
     # Use custom login views for the admin + support hardware tokens
     path("", include((urlpatterns, "maykin_2fa"))),
     path("", include((webauthn_urlpatterns, "two_factor"))),

src/openforms/conf/base.py

@@ -513,6 +513,9 @@
 LOGIN_REDIRECT_URL = reverse_lazy("admin:index")
 LOGOUT_REDIRECT_URL = reverse_lazy("admin:index")
 
+# Custom setting
+USE_OIDC_FOR_ADMIN_LOGIN = config("USE_OIDC_FOR_ADMIN_LOGIN", default=False)
+
 #
 # SECURITY settings
 #