rajalakshmys-27 opened a new issue, #2215:
URL: https://github.com/apache/incubator-kie-issues/issues/2215
Description: When kogito.security.auth.enabled=true and a user is
authenticated via JWT, the backend incorrectly returns an empty identity if no
impersonation params (user, groups) are provided. This results in empty
transition lists ([]).
Scenario:
Business Service with hiring process, HR Interview task (Actors empty,
Groups=HR).
Identity Provider: Keycloak, user jdoe in HR group.
Case 1: impersonation NOT set
(kogito.security.auth.impersonation.allowed-for-roles)
transitions?user=jdoe → valid transitions.
transitions (no params, JWT only) → valid transitions.
Extra params ignored.
Case 2: impersonation allowed for HR
(kogito.security.auth.impersonation.allowed-for-roles=HR)
transitions?user=jdoe → 403.
transitions (no params, JWT only) → empty list [].
transitions?user=jdoe&group=HR → valid transitions.
user only → 403.
group only → empty list.
Root Cause: The backend generates an empty identity when no impersonation
params are provided, instead of using the authenticated JWT identity.
Expected Behavior:
When no impersonation params are provided, backend should return the current
authenticated identity from the JWT token.
Only when impersonation params are explicitly provided should backend
validate impersonation roles and apply them.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
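The following is an added example and is not part of the issue above nor of Kogito's code: a small Python model of the identity-resolution rule the reporter asks for, placed next to a variant that reproduces the reported empty-identity symptom, so the two cases in the issue can be traced. Everything in it is assumed for illustration: the claim names (Keycloak's preferred_username plus a "groups" claim), the query string modelled as a dict with a single "user" value and a list of "group" values, allowed-for-roles modelled as a set or None when unset, Forbidden standing in for the HTTP 403, the transition names "claim"/"complete", and the choice that a group-only impersonation request keeps the caller's own name (the issue does not specify that case).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """The caller as the task layer sees it: a user name plus group/role names."""
    name: str
    roles: FrozenSet[str] = frozenset()


EMPTY_IDENTITY = Identity(name="", roles=frozenset())


class Forbidden(Exception):
    """Stands in for the HTTP 403 the backend returns when impersonation is refused."""


def identity_from_jwt(claims) -> Identity:
    # Assumed claim layout (Keycloak defaults plus a group mapper): the login is in
    # preferred_username and group membership in a "groups" claim.
    return Identity(str(claims["preferred_username"]), frozenset(claims.get("groups", [])))


def resolve_identity(claims, params, allowed_for_roles: Optional[FrozenSet[str]]) -> Identity:
    """Expected behaviour from the issue.

    params models the query string: params["user"] is the single user value,
    params["group"] the (repeatable) group values. allowed_for_roles is the
    parsed kogito.security.auth.impersonation.allowed-for-roles value, or None
    when the property is not set (impersonation disabled).
    """
    caller = identity_from_jwt(claims)
    user = params.get("user")
    groups = frozenset(params.get("group", ()))
    if not user and not groups:
        return caller  # no impersonation requested: the JWT identity is the identity
    if allowed_for_roles is None:
        return caller  # Case 1 of the issue: impersonation disabled, extra params ignored
    if not (caller.roles & allowed_for_roles):
        raise Forbidden()  # caller holds none of the roles allowed to impersonate
    # Assumption (not stated in the issue): a group-only request keeps the caller's
    # name, and the impersonated identity carries exactly the groups supplied.
    return Identity(user or caller.name, groups)


def resolve_identity_buggy(claims, params, allowed_for_roles) -> Identity:
    """Reproduces the reported symptom only: with impersonation enabled, a request
    without user/group params yields an empty identity instead of the JWT identity."""
    if allowed_for_roles is not None and not params.get("user") and not params.get("group"):
        return EMPTY_IDENTITY
    return resolve_identity(claims, params, allowed_for_roles)


def status_for(claims, params, allowed_for_roles) -> int:
    """HTTP-style view of resolution: 403 when impersonation is refused, 200 otherwise."""
    try:
        resolve_identity(claims, params, allowed_for_roles)
    except Forbidden:
        return 403
    return 200


@dataclass(frozen=True)
class Task:
    actors: FrozenSet[str]
    groups: FrozenSet[str]
    transitions: Tuple[str, ...]


def allowed_transitions(task: Task, identity: Identity) -> list:
    """Potential-owner check: a listed actor, or a member of one of the task's groups,
    sees the task's transitions; anybody else sees an empty list."""
    if identity.name in task.actors or (identity.roles & task.groups):
        return list(task.transitions)
    return []


# Constructed scenario data mirroring the issue: jdoe in HR, an HR Interview task
# with no actors and Groups=HR. The transition names are placeholders.
JDOE_CLAIMS = {"preferred_username": "jdoe", "groups": ["HR"]}
HR_INTERVIEW = Task(actors=frozenset(), groups=frozenset({"HR"}), transitions=("claim", "complete"))
HR_ONLY = frozenset({"HR"})  # allowed-for-roles=HR

if __name__ == "__main__":
    for label, resolver in (("buggy", resolve_identity_buggy), ("expected", resolve_identity)):
        ident = resolver(JDOE_CLAIMS, {}, HR_ONLY)
        print(f"{label:8} JWT only, impersonation allowed for HR -> {allowed_transitions(HR_INTERVIEW, ident)}")
```

Running the block prints an empty list for the buggy resolver and the two placeholder transitions for the expected one, which is the Case 2 "no params, JWT only" row from the report. The ordering of the checks is the point: the presence of impersonation parameters is tested before the allowed-for-roles configuration is consulted, so enabling impersonation for a role never changes what a plain JWT-authenticated request resolves to.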