[ 
https://issues.apache.org/jira/browse/OAK-3876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097543#comment-15097543
 ] 

Alexander Klimetschek commented on OAK-3876:
--------------------------------------------

One could argue that the use of SimpleCredentials, which is currently required 
by the ExternalLoginModule, is a problem, as this requires specifying a userId 
upfront, and a use case like an opaque token would better be handled by a 
specific Credential object.

However, the versatility of the SimpleCredentials object is quite useful, as it 
allows specifying any number of additional attributes (and the password is 
effectively optional). In my opaque token use case I currently set a 
"temporary" user id based on the token.

Hence the simplest solution is to make sure to rebuild the SimpleCredentials to 
include the ExternalUser.getId() (returned from the IDP) before setting it as 
SHARED_KEY_CREDENTIALS, in case the user id is different.

> ExternalLoginModule ignores authorizableId returned from IDP
> ------------------------------------------------------------
>
>                 Key: OAK-3876
>                 URL: https://issues.apache.org/jira/browse/OAK-3876
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.2.9, 1.3.13
>            Reporter: Alexander Klimetschek
>
> In the ExternalLoginModule, the user id for the subject after successful 
> authentication will be solely based on the userId in the SimpleCredentials, 
> as the [original credentials are set as SHARED_KEY_CREDENTIALS 
> |https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
> However, with an external identity provider it might be likely that the 
> credentials do not contain the actual local user id and thus the 
> SimpleCredentials passed in might not contain the right user id yet, only the 
> identity provider would do the mapping in its authentication logic and return 
> via ExternalUser.getId().
> An example might be an opaque token string used as credential, which the 
> external IDP validates by calling the external entity and receiving user 
> data that allows mapping to the local user id.
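A sketch of the rebuild step the comment proposes, added here as an illustration; it is not code from Oak or from the commenter. It uses only the JCR SimpleCredentials API, and the shared-state key literal, the IDP-returned id and the token attribute are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jcr.SimpleCredentials;

public class ExternalIdCredentialsExample {

    // Key under which Oak's AbstractLoginModule shares credentials between
    // login modules (AbstractLoginModule.SHARED_KEY_CREDENTIALS). Spelled out
    // as a literal so this compiles against the JCR API alone; assumed value.
    static final String SHARED_KEY_CREDENTIALS = "org.apache.jackrabbit.credentials";

    /**
     * Returns credentials carrying the user id the IDP resolved (what
     * ExternalUser.getId() returns), preserving the password and every
     * attribute of the original. The original is returned unchanged when the
     * id already matches, so nothing is rebuilt needlessly.
     */
    static SimpleCredentials withExternalId(SimpleCredentials original, String externalId) {
        if (externalId == null || externalId.equals(original.getUserID())) {
            return original;
        }
        // getPassword() hands back a copy and the constructor copies again,
        // so the caller's char[] is never shared with the rebuilt object.
        SimpleCredentials rebuilt = new SimpleCredentials(externalId, original.getPassword());
        for (String name : original.getAttributeNames()) {
            rebuilt.setAttribute(name, original.getAttribute(name));
        }
        return rebuilt;
    }

    public static void main(String[] args) {
        // Constructed sample: the caller only holds an opaque token, so it
        // supplies a temporary user id derived from that token.
        SimpleCredentials fromCaller = new SimpleCredentials("token-user-9f3a", new char[0]);
        fromCaller.setAttribute("opaqueToken", "tok-9f3a"); // constructed value

        // Id a hypothetical IDP returned after validating the token, i.e. what
        // ExternalUser.getId() would yield inside the real login module. Only
        // this IDP-resolved id, never the caller-supplied one, should end up
        // as the subject's user id.
        String idFromIdp = "alice";

        Map<String, Object> sharedState = new HashMap<>();
        SimpleCredentials shared = withExternalId(fromCaller, idFromIdp);
        sharedState.put(SHARED_KEY_CREDENTIALS, shared);

        System.out.println("user id in shared state: " + shared.getUserID());
        System.out.println("token attribute kept: " + shared.getAttribute("opaqueToken"));
    }
}
```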



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)