[ https://issues.apache.org/jira/browse/OAK-3876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexander Klimetschek updated OAK-3876:
---------------------------------------
Description:
In the ExternalLoginModule, the user = authorizable id for the subject after
successful authentication will be solely based on the userId of the passed-in
SimpleCredentials, as the [original credentials are set as
SHARED_KEY_CREDENTIALS|https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
However, with an external identity provider it can be the case that the
credentials do not contain the actual local user id and only the identity
provider would do the mapping in its authentication logic and return the right
local user id via ExternalUser.getId().
An example might be an opaque token string used as credential, which the
external IDP validates by calling the external entity, receiving user data
that allows mapping to the local user id.
was:
In the ExternalLoginModule, the user = authorizable id for the subject after
successful authentication will be solely based on the userId of the passed in
SimpleCredentials, as the [original credentials are set as
SHARED_KEY_CREDENTIALS|https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
However, with an external identity provider it can be the case that the
credentials do not contain the actual local user id and thus the
SimpleCredentials passed in might not contain the right user id yet, only the
identity provider would do the mapping in its authentication logic and return
via ExternalUser.getId().
An example might be an opaque token string used as credential, which the
external IDP validates by calling the external entity, receiving user data
that allows mapping to the local user id.
> ExternalLoginModule ignores authorizable ID returned from IDP
> -------------------------------------------------------------
>
> Key: OAK-3876
> URL: https://issues.apache.org/jira/browse/OAK-3876
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Affects Versions: 1.2.9, 1.3.13
> Reporter: Alexander Klimetschek
>
> In the ExternalLoginModule, the user = authorizable id for the subject after
> successful authentication will be solely based on the userId of the passed-in
> SimpleCredentials, as the [original credentials are set as
> SHARED_KEY_CREDENTIALS|https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
> However, with an external identity provider it can be the case that the
> credentials do not contain the actual local user id and only the identity
> provider would do the mapping in its authentication logic and return the
> right local user id via ExternalUser.getId().
> An example might be an opaque token string used as credential, which the
> external IDP validates by calling the external entity, receiving user
> data that allows mapping to the local user id.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
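The following stand-alone Java program is an added illustration of the behaviour the report describes; it is not Jackrabbit Oak code and does not use the Oak API. `SimpleCredentials`, `ExternalUser`, the `TokenIdentityProvider` and the token-to-user mapping are constructed stand-ins, and `subjectIdAsReported` / `subjectIdFromIdp` are hypothetical names for the two ways of choosing the subject's authorizable id: solely from the credentials' userID (what the report says ExternalLoginModule does) versus from the id the identity provider resolved after validating the opaque token (what the report asks for).

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration for OAK-3876, not Oak code. Everything here is a
 * constructed stand-in: the credentials class, the external user, the IDP and
 * the token mapping. It shows why a token-style login yields no usable subject
 * id when the id is taken from the credentials instead of from the IDP.
 */
public class Oak3876Demo {

    /** Stand-in for javax.jcr.SimpleCredentials: a userID (possibly empty) plus a secret. */
    static final class SimpleCredentials {
        private final String userID;
        private final char[] password;

        SimpleCredentials(String userID, char[] password) {
            this.userID = userID;
            this.password = password.clone();
        }

        String getUserID() { return userID; }

        char[] getPassword() { return password.clone(); }
    }

    /** Stand-in for Oak's ExternalUser; only the local id matters for this issue. */
    static final class ExternalUser {
        private final String id;

        ExternalUser(String id) { this.id = id; }

        String getId() { return id; }
    }

    /** Constructed IDP: validates an opaque token and maps it to a local user id. */
    static final class TokenIdentityProvider {
        private final Map<String, String> tokenToLocalId = new HashMap<>();

        void register(String token, String localId) { tokenToLocalId.put(token, localId); }

        /** Returns null when the token is unknown, i.e. authentication failed. */
        ExternalUser authenticate(SimpleCredentials creds) {
            String localId = tokenToLocalId.get(new String(creds.getPassword()));
            return localId == null ? null : new ExternalUser(localId);
        }
    }

    /** Behaviour the report describes: the subject id comes solely from the credentials. */
    static String subjectIdAsReported(TokenIdentityProvider idp, SimpleCredentials creds) {
        ExternalUser user = idp.authenticate(creds);
        if (user == null) {
            return null;                // token rejected: login fails
        }
        return creds.getUserID();       // ExternalUser.getId() is never consulted
    }

    /** Behaviour the report asks for: the subject id is the one the IDP resolved. */
    static String subjectIdFromIdp(TokenIdentityProvider idp, SimpleCredentials creds) {
        ExternalUser user = idp.authenticate(creds);
        if (user == null) {
            return null;                // token rejected: login fails
        }
        // The credentials' userID, if present at all, is an external login name
        // or empty; the local authorizable id is what the IDP mapped the token to.
        return user.getId();
    }

    public static void main(String[] args) {
        TokenIdentityProvider idp = new TokenIdentityProvider();
        idp.register("tok-7f3a", "alice");  // constructed token -> local user mapping

        // Token-style login: the credentials carry no local user id at all.
        SimpleCredentials tokenLogin = new SimpleCredentials("", "tok-7f3a".toCharArray());
        System.out.println("as reported : '" + subjectIdAsReported(idp, tokenLogin) + "'");
        System.out.println("from IDP    : '" + subjectIdFromIdp(idp, tokenLogin) + "'");

        // An unknown token fails in both variants; neither yields a subject id.
        SimpleCredentials unknown = new SimpleCredentials("", "tok-0000".toCharArray());
        System.out.println("unknown tok : " + subjectIdAsReported(idp, unknown)
                + " / " + subjectIdFromIdp(idp, unknown));
    }
}
```

Run with `javac Oak3876Demo.java && java Oak3876Demo`. For the valid token the first variant prints an empty subject id, because the credentials carried none, while the second prints the id the IDP mapped the token to; an unknown token is rejected by both, so the fix changes only which id is trusted after a successful validation, not whether validation happens.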