[
https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Klimetschek updated OAK-3899:
---------------------------------------
Description:
The {{TokenLoginModule}} and specifically [TokenProviderImpl only look at
SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
when creating a token.
However, in certain situations, such as with the ExternalLoginModule and
non-username/password credentials, the SimpleCredentials are used but don't
have a user id as the real user id is determined not by the caller of
{{Repository.login()}}, but by the external identity provider (and the
credentials might not include any kind of user id, say an opaque token from an
external service). In this case, {{getUserID()}} returns null and the token
implementation fails to create a token and return it in the {{.token}}
attribute of the credentials.
Instead, the TokenLoginModule should look at the shared
{{javax.security.auth.login.name}} attribute, which can de-facto override a
{{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.
was:
The {{TokenLoginModule}} and specifically [TokenProviderImpl only look at
SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
when creating a token.
However, in certain situations, such as the ExternalLoginModule, the
SimpleCredentials are used but don't have a user id as the real user id is
determined not by the caller of {{Repository.login()}}, but by the external
identity provider (and the credentials might not include any kind of user id,
say an opaque token from an external service). In this case, {{getUserID()}}
returns null and the token implementation fails to create a token and return it
in the {{.token}} attribute of the credentials.
Instead, the TokenLoginModule should look at the shared
{{javax.security.auth.login.name}} attribute, which can de-facto override a
{{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.
> TokenLoginModule ignores shared key javax.security.auth.login.name
> ------------------------------------------------------------------
>
> Key: OAK-3899
> URL: https://issues.apache.org/jira/browse/OAK-3899
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.3.14
> Reporter: Alexander Klimetschek
> Attachments: OAK-3899.patch
>
>
> The {{TokenLoginModule}} and specifically [TokenProviderImpl only look at
> SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
> when creating a token.
> However, in certain situations, such as with the ExternalLoginModule and
> non-username/password credentials, the SimpleCredentials are used but don't
> have a user id as the real user id is determined not by the caller of
> {{Repository.login()}}, but by the external identity provider (and the
> credentials might not include any kind of user id, say an opaque token from
> an external service). In this case, {{getUserID()}} returns null and the
> token implementation fails to create a token and return it in the {{.token}}
> attribute of the credentials.
> Instead, the TokenLoginModule should look at the shared
> {{javax.security.auth.login.name}} attribute, which can de-facto override a
> {{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
