[ https://issues.apache.org/jira/browse/KNOX-655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15116210#comment-15116210 ]

Larry McCay commented on KNOX-655:
----------------------------------

From dev@ list:

"I just uploaded a patch for KNOX-655 and successfully tested it: using
https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS, I'm
redirected to my CAS server for login. I can force the authentication on
Facebook using:
https://127.0.0.1:8443/gateway/idp/api/v1/websso?client_name=FacebookClient&originalUrl=https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS

The documentation needs to be amended on two points:

1) about the clientName definition: if more than one client is defined, it
must define the default pac4j client to use (the order of the properties
defined in the configuration is not taken into account, it's the order in
the pac4j PropertiesConfigFactory in fact); if you want to be able to use
two clients (let's say a CasClient and a SAML2Client) and you want CAS to
be the default authentication method, you need to define the clientName as
follows: CasClient,SAML2Client

2) a warning must be written somewhere to say that a pac4jCallback=true
parameter is added to the IDP endpoint url (Knox side) and thus, this must
be maybe taken into account when defining it on the identity provider side."


> Pac4j Provider Client Selection from client_name Query Parameter
> ----------------------------------------------------------------
>
>                 Key: KNOX-655
>                 URL: https://issues.apache.org/jira/browse/KNOX-655
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Jérôme Leleu
>             Fix For: 0.8.0
>
>         Attachments: knox655.patch
>
>
> From dev@ list:
> "In pac4j, we have a callback controller which uses the client_name
> parameter to finish the login process and a protection filter which
> protects a resource and redirects the user to the identity provider for
> login. Since pac4j 1.8, most libraries using it now accept a client_name
> parameter in the protection filter as well to choose the authentication
> mechanism to use if the user is not authenticated.
> With Knox, this feature (choosing the authentication mechanism with the
> client_name parameter) is not available as this parameter is already used
> to define if it's a callback or an access. This could be changed and we
> could opt for a new convention, like a new pac4jCallback parameter to say
> if it's a callback or not. And this way, you could choose on the fly which
> authentication mechanism you want to use."
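
The parameter convention discussed in this issue (pac4jCallback marks a callback, client_name picks the client, the first entry of clientName is the default), sketched as an added example that is not Knox or pac4j code. The function names are hypothetical, and rejecting unknown or repeated values instead of falling back to the default is an assumption made here.

```python
from urllib.parse import urlsplit, parse_qs

CALLBACK_PARAM = "pac4jCallback"  # callback marker named in the issue
CLIENT_PARAM = "client_name"      # pac4j client selector


def parse_client_names(client_name_setting):
    """Split a clientName value such as "CasClient,SAML2Client" into an ordered list."""
    names = [n.strip() for n in client_name_setting.split(",") if n.strip()]
    if not names:
        raise ValueError("clientName must list at least one client")
    return names


def route_request(url, client_name_setting):
    """Return (kind, client); kind is "callback" or "access" (hypothetical helper)."""
    allowed = parse_client_names(client_name_setting)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A repeated parameter is ambiguous, so refuse it rather than pick one value.
    for key in (CALLBACK_PARAM, CLIENT_PARAM):
        if len(query.get(key, [])) > 1:
            raise ValueError("duplicate %s parameter" % key)
    kind = "callback" if query.get(CALLBACK_PARAM) == ["true"] else "access"
    requested = query.get(CLIENT_PARAM)
    if requested is None:
        if kind == "callback":
            # Assumption: a callback must name the client that finishes the login.
            raise ValueError("callback without client_name")
        return kind, allowed[0]  # default client is the first one listed
    if requested[0] not in allowed:
        # Assumption: only configured clients may be selected from the query string.
        raise ValueError("client %r is not configured" % requested[0])
    return kind, requested[0]


if __name__ == "__main__":
    # Constructed sample request using the endpoint path quoted in the comment.
    sample = ("https://127.0.0.1:8443/gateway/idp/api/v1/websso"
              "?pac4jCallback=true&client_name=CasClient")
    print(route_request(sample, "CasClient,SAML2Client"))
```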


