[
https://issues.apache.org/jira/browse/OAK-3876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Klimetschek updated OAK-3876:
---------------------------------------
Summary: ExternalLoginModule ignores authorizable ID returned from IDP
(was: ExternalLoginModule ignores authorizableId returned from IDP)
> ExternalLoginModule ignores authorizable ID returned from IDP
> -------------------------------------------------------------
>
> Key: OAK-3876
> URL: https://issues.apache.org/jira/browse/OAK-3876
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Affects Versions: 1.2.9, 1.3.13
> Reporter: Alexander Klimetschek
>
> In the ExternalLoginModule, the user id for the subject after successful
> authentication will be solely based on the userId in the SimpleCredentials,
> as the [original credentials are set as SHARED_KEY_CREDENTIALS
> |https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
> However, with an external identity provider it might be likely that the
> credentials do not contain the actual local user id and thus the
> SimpleCredentials passed in might not contain the right user id yet; only the
> identity provider would do the mapping in its authentication logic and return
> it via ExternalUser.getId().
> An example might be an opaque token string used as credential, which the
> external IDP validates by calling the external entity, and receiving user
> data that allows mapping to the local user id.
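The flow described in the report, as a stand-alone Java model added here for illustration; it is not code from Jackrabbit Oak. `Creds`, `IdpUser`, `TokenIdp`, the shared-state key name and the sample token are constructed stand-ins for SimpleCredentials, ExternalUser and an external IDP.

```java
import java.util.Map;

// Stand-alone model of the behaviour reported in OAK-3876. Every type here is
// a stand-in written for this example, NOT an Oak or JCR class.
public class ExternalIdMappingDemo {

    // Plays the role of SimpleCredentials: client-supplied user id plus a secret.
    record Creds(String userId, String token) {}

    // Plays the role of ExternalUser: the identity resolved by the IDP.
    record IdpUser(String id) {}

    // Stand-in IDP: validates an opaque token and maps it to a local user id.
    static class TokenIdp {
        // Constructed sample data: one valid token and the user it belongs to.
        private final Map<String, String> tokenToLocalId = Map.of("tok-8f2c", "alice");

        IdpUser authenticate(Creds c) {
            String id = tokenToLocalId.get(c.token());
            if (id == null) throw new SecurityException("invalid token");
            return new IdpUser(id);
        }
    }

    // Reported behaviour: the original credentials go into the shared state,
    // so the subject's id is whatever user id the client put in them.
    static String idFromSharedCredentials(TokenIdp idp, Creds c) {
        idp.authenticate(c); // token is validated, but the returned id is not used
        Map<String, Object> sharedState = Map.of("credentials", c); // hypothetical key
        return ((Creds) sharedState.get("credentials")).userId();
    }

    // Behaviour the reporter expects: the id comes from the IDP's mapping.
    static String idFromIdp(TokenIdp idp, Creds c) {
        return idp.authenticate(c).id();
    }

    public static void main(String[] args) {
        TokenIdp idp = new TokenIdp();
        // Token login: the client cannot know its local user id in advance.
        Creds c = new Creds("unknown-at-client", "tok-8f2c");
        String shared = idFromSharedCredentials(idp, c);
        String mapped = idFromIdp(idp, c);
        System.out.println("id from shared credentials: " + shared);
        System.out.println("id from IDP mapping:        " + mapped);
        System.out.println("ids agree: " + shared.equals(mapped));
        // Check a fix should satisfy: the subject id is the one the IDP returned.
        if (!"alice".equals(mapped)) throw new AssertionError("expected IDP-mapped id");
    }
}
```

The same comparison works as a regression test for a login module: authenticate with credentials whose user id differs from the IDP's mapping and assert that the resulting subject carries the IDP's id.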