Alexander Klimetschek created OAK-3899:
------------------------------------------

             Summary: TokenLoginModule ignores shared key javax.security.auth.login.name
                 Key: OAK-3899
                 URL: https://issues.apache.org/jira/browse/OAK-3899
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: core
    Affects Versions: 1.3.14
            Reporter: Alexander Klimetschek


The TokenLoginModule and specifically [TokenProviderImpl only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.

However, in certain situations, such as the ExternalLoginModule, the 
SimpleCredentials are used but don't have a user id as the real user id is 
determined not by the caller of repository.login(), but by the external 
identity provider (and the credentials might not include any kind of user id, 
say an opaque token from an external service). In this case, getUserID() 
returns null and the token implementation fails to create a token and return it 
in the ".token" attribute of the credentials.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
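
Added example, not part of the original report and not Oak's code: a JDK-only JAAS chain showing how a later module can pick up the user id an earlier module published under javax.security.auth.login.name, beside the credentials-only lookup that yields no token. The class names, the user "alice", the token string and the assumption that the external module publishes the name under that key are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
public class SharedLoginNameDemo {
    static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
    static final String CREDENTIAL_USER_ID = null; // getUserID() for opaque-token credentials
    // Minimal JAAS plumbing: every module in the chain receives the same sharedState map.
    abstract static class Base implements LoginModule {
        Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
            shared = (Map<String, Object>) state;
        }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Stand-in for an external module: the identity provider, not the caller, names the user.
    static final class ExternalModule extends Base {
        @Override public boolean login() { shared.put(SHARED_KEY_LOGIN_NAME, "alice"); return true; }
    }
    // Token issuance at commit; useSharedName toggles the fallback to the shared key.
    static final class TokenModule extends Base {
        final Map<String, String> attrs; final boolean useSharedName;
        TokenModule(Map<String, String> attrs, boolean useSharedName) { this.attrs = attrs; this.useSharedName = useSharedName; }
        @Override public boolean commit() {
            String uid = CREDENTIAL_USER_ID;
            if (uid == null && useSharedName) uid = (String) shared.get(SHARED_KEY_LOGIN_NAME);
            if (uid == null) return false; // reported behaviour: no ".token" attribute is set
            attrs.put(".token", "demo-token-for-" + uid); // placeholder value, not a real token
            return true;
        }
    }
    static String run(boolean useSharedName) throws LoginException {
        Map<String, Object> shared = new HashMap<>();
        Map<String, String> attrs = new HashMap<>(); // stands in for the credentials' attributes
        LoginModule[] chain = { new ExternalModule(), new TokenModule(attrs, useSharedName) };
        for (LoginModule m : chain) m.initialize(new Subject(), null, shared, new HashMap<String, Object>());
        for (LoginModule m : chain) m.login();
        for (LoginModule m : chain) m.commit();
        return attrs.get(".token");
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("credentials only: " + run(false) + ", shared-name fallback: " + run(true));
    }
}
```

The shared name is only as trustworthy as the module that wrote it, so a fallback of this kind belongs after a module that has already authenticated the caller.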
