[ https://issues.apache.org/jira/browse/OAK-3876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Klimetschek resolved OAK-3876.
----------------------------------------
    Resolution: Invalid

Turns out there is no problem in the ExternalLoginModule.

The problem I had was in my Sling AuthenticationHandler: when the user id is not
known you must not set a userId in the AuthenticationInfo, and then pass the
JCR Credentials object manually in the "user.jcr.credentials" attribute:
{code}
import javax.jcr.SimpleCredentials;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

// ExternalLoginModule currently requires SimpleCredentials, but ideally, if the user id
// is unknown and the password is not used, a special Credentials class makes more sense.
// Null user id and empty password: the handler does not know the local user yet.
SimpleCredentials credentials = new SimpleCredentials(null, new char[0]);
credentials.setAttribute("my-attribute", "....");

// AuthConstants.ACCESS_TOKEN is the handler's own auth type name.
AuthenticationInfo authInfo = new AuthenticationInfo(AuthConstants.ACCESS_TOKEN);
// "user.jcr.credentials" (AuthenticationInfo.CREDENTIALS) carries the JCR
// Credentials that Sling hands to Repository.login(); no userId is set.
authInfo.put("user.jcr.credentials", credentials);
{code}
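
For readers wanting to see where that snippet sits inside a handler, the following is an added example and not code from the issue or from the Oak or Sling projects. It is a hypothetical Sling AuthenticationHandler that forwards an opaque token from a request header to the repository login without claiming to know the local user id; the header name, auth type label and attribute name are assumptions, and the handler deliberately trusts nothing in the request about who the user is, leaving that mapping to the external IdentityProvider as the thread describes.

```java
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/**
 * Hypothetical Sling AuthenticationHandler (example only) that passes an opaque
 * token to Oak's ExternalLoginModule. The handler never sets a userId: the
 * external IdentityProvider validates the token and returns the local user id
 * via ExternalUser.getId().
 */
public class OpaqueTokenAuthenticationHandler implements AuthenticationHandler {

    // Assumed names: request header carrying the token, the auth type label,
    // and the credentials attribute the external IdentityProvider reads.
    static final String TOKEN_HEADER = "X-Auth-Token";
    static final String AUTH_TYPE = "OPAQUE_TOKEN";
    static final String TOKEN_ATTRIBUTE = "opaque.token";

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request,
                                                 HttpServletResponse response) {
        String token = request.getHeader(TOKEN_HEADER);
        if (token == null || token.isEmpty()) {
            return null; // not our request; let other handlers run
        }
        return buildAuthenticationInfo(token);
    }

    /** Builds the AuthenticationInfo exactly as the issue comment describes. */
    static AuthenticationInfo buildAuthenticationInfo(String token) {
        // Null user id and empty password: the local user is not known here.
        // ExternalLoginModule currently requires SimpleCredentials (per the thread).
        SimpleCredentials credentials = new SimpleCredentials(null, new char[0]);
        credentials.setAttribute(TOKEN_ATTRIBUTE, token);

        // No userId argument: AuthenticationInfo(authType, userId) would make
        // the login module treat that string as the authorizable id.
        AuthenticationInfo authInfo = new AuthenticationInfo(AUTH_TYPE);
        // AuthenticationInfo.CREDENTIALS is the "user.jcr.credentials" key.
        authInfo.put(AuthenticationInfo.CREDENTIALS, credentials);
        return authInfo;
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request,
                                      HttpServletResponse response) {
        return false; // bearer-style token: no interactive challenge to issue
    }

    @Override
    public void dropCredentials(HttpServletRequest request,
                                HttpServletResponse response) {
        // Stateless on the server side; nothing to clear.
    }
}
```

The only thing the handler asserts about the caller is "here is a token"; the user id must come from the IdentityProvider's own validation of that token, which is why the example avoids the two-argument AuthenticationInfo constructor and never copies any user claim from the request into the credentials.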

> ExternalLoginModule ignores authorizable ID returned from IDP
> -------------------------------------------------------------
>
>                 Key: OAK-3876
>                 URL: https://issues.apache.org/jira/browse/OAK-3876
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.2.9, 1.3.13
>            Reporter: Alexander Klimetschek
>
> In the ExternalLoginModule, the user = authorizable id for the subject after 
> successful authentication will be solely based on the userId of the passed in 
> SimpleCredentials, as the [original credentials are set as 
> SHARED_KEY_CREDENTIALS|https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
> However, with an external identity provider it can be the case that the 
> credentials do not contain the actual local user id and only the identity 
> provider would do the mapping in its authentication logic and return the 
> right local user id via ExternalUser.getId().
> An example might be an opaque token string used as credential, which the 
> external IDP validates by calling the external entity, and receiving user 
> data that allows mapping to the local user id.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)