Alexander Klimetschek created OAK-3876:
------------------------------------------
Summary: ExternalLoginModule ignores authorizableId returned from IDP
Key: OAK-3876
URL: https://issues.apache.org/jira/browse/OAK-3876
Project: Jackrabbit Oak
Issue Type: Bug
Components: auth-external
Affects Versions: 1.3.13, 1.2.9
Reporter: Alexander Klimetschek
In the ExternalLoginModule, the user id for the subject after successful authentication will be solely based on the userId in the SimpleCredentials, as the [original credentials are set as SHARED_KEY_CREDENTIALS|https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].

However, with an external identity provider it might be likely that the credentials do not contain the actual local user id, and thus the SimpleCredentials passed in might not contain the right user id yet; only the identity provider would do the mapping in its authentication logic and return it via ExternalUser.getId().

An example might be an opaque token string used as credential, which the external IDP validates by calling the external entity and receiving user data that allows mapping to the local user id.
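A constructed Java sketch of the mismatch described above, added here and not Oak's own code: the ExternalUser record, the ExternalIdentityProvider interface, the token-to-user map and the local user set are simplified stand-ins for the real Oak types, assuming Java 17 or newer.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class ExternalLoginMapping {

    /** Stand-in for ExternalUser: only the resolved local id matters here. */
    record ExternalUser(String id) {}

    /** Stand-in for ExternalIdentityProvider.authenticate(Credentials). */
    interface ExternalIdentityProvider {
        Optional<ExternalUser> authenticate(String userId, char[] password);
    }

    /** Constructed IDP: the "userId" carried in SimpleCredentials is an opaque token. */
    static final Map<String, String> TOKEN_TO_LOCAL_ID = Map.of("tok-7f3a", "alice");

    static final ExternalIdentityProvider TOKEN_IDP = (userId, password) ->
        Optional.ofNullable(TOKEN_TO_LOCAL_ID.get(userId)).map(ExternalUser::new);

    /** Behaviour reported in the issue: the subject id is whatever SimpleCredentials carried. */
    static Optional<String> subjectIdFromCredentials(ExternalIdentityProvider idp,
                                                     String userId, char[] pw) {
        return idp.authenticate(userId, pw).map(u -> userId);
    }

    /** Alternative: use the id the IDP resolved, and refuse ids that no local user has. */
    static Optional<String> subjectIdFromIdp(ExternalIdentityProvider idp, Set<String> localUsers,
                                             String userId, char[] pw) {
        return idp.authenticate(userId, pw)
                  .map(ExternalUser::id)
                  .filter(localUsers::contains);
    }

    public static void main(String[] args) {
        Set<String> localUsers = Set.of("alice", "bob");   // constructed local user manager
        char[] noPassword = new char[0];
        // The first call yields the opaque token as subject id, which matches no local user;
        // the second yields the id the IDP mapped the token to.
        System.out.println(subjectIdFromCredentials(TOKEN_IDP, "tok-7f3a", noPassword));
        System.out.println(subjectIdFromIdp(TOKEN_IDP, localUsers, "tok-7f3a", noPassword));
    }
}
```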