[ https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Klimetschek updated OAK-3899:
---------------------------------------
    Description: 
The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.

However, in certain situations, such as with the ExternalLoginModule and 
non-username/password credentials, the SimpleCredentials are used but don't 
have a user id as the real user id is determined not by the caller of 
{{Repository.login()}}, but by the external identity provider inside the 
ExternalLoginModule (and the credentials might not include any kind of user id, 
say an opaque token from an external service). In this case, 
{{SimpleCredentials.getUserID()}} returns null and the token implementation 
fails to create a token and does not return it in the {{.token}} attribute of 
the credentials.

Instead, the TokenLoginModule should look at the shared 
{{javax.security.auth.login.name}} attribute, which can de-facto override a 
{{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.

  was:
The {{TokenLoginModule}} and specifically [TokenProviderImpl only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.

However, in certain situations, such as with the ExternalLoginModule and 
non-username/password credentials, the SimpleCredentials are used but don't 
have a user id as the real user id is determined not by the caller of 
{{Repository.login()}}, but by the external identity provider inside the 
ExternalLoginModule (and the credentials might not include any kind of user id, 
say an opaque token from an external service). In this case, 
{{SimpleCredentials.getUserID()}} returns null and the token implementation 
fails to create a token and does not return it in the {{.token}} attribute of 
the credentials.

Instead, the TokenLoginModule should look at the shared 
{{javax.security.auth.login.name}} attribute, which can de-facto override a 
{{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.


> TokenLoginModule ignores shared key javax.security.auth.login.name
> ------------------------------------------------------------------
>
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-3899.patch
>
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

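The flow the description asks for, as an added example written against plain JAAS rather than Oak's own classes (this is not code from the ticket, from the attached patch, or from Jackrabbit Oak): a hypothetical ExternalIdpModule resolves an opaque token to the real user id and publishes it under the shared-state key javax.security.auth.login.name, and a hypothetical TokenIssuingModule resolves the id it issues a token for from that shared key first and from the credentials' own user id only as a fallback. DemoCredentials (a stand-in for SimpleCredentials), CredentialsCallback, the module names, the module ordering and the token directory are all assumptions made for the example; Oak's real TokenProviderImpl and ExternalLoginModule differ in detail.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SharedStateDemo {

    // The shared-state key named in the ticket (a JAAS convention, not an Oak-specific name).
    static final String LOGIN_NAME = "javax.security.auth.login.name";

    // Hypothetical stand-in for SimpleCredentials: userId is null when the caller only holds an
    // opaque token; the issued token is written back under ".token" as the ticket describes.
    static final class DemoCredentials {
        final String userId;
        final String opaqueToken;
        final Map<String, String> attributes = new HashMap<>();
        DemoCredentials(String userId, String opaqueToken) {
            this.userId = userId;
            this.opaqueToken = opaqueToken;
        }
    }

    // Custom JAAS callback used to hand the credentials object to the login modules.
    static final class CredentialsCallback implements Callback {
        DemoCredentials credentials;
    }

    static DemoCredentials fetch(CallbackHandler handler) throws LoginException {
        CredentialsCallback cb = new CredentialsCallback();
        try {
            handler.handle(new Callback[] {cb});
        } catch (Exception e) {
            throw new LoginException("credentials unavailable: " + e);
        }
        return cb.credentials;
    }

    // The resolution order the ticket asks for: a login name another module published in the
    // shared state wins; the user id carried by the credentials is only the fallback.
    static String resolveUserId(DemoCredentials creds, Map<String, ?> sharedState) {
        Object shared = sharedState.get(LOGIN_NAME);
        if (shared instanceof String && !((String) shared).isEmpty()) {
            return (String) shared;
        }
        return creds == null ? null : creds.userId;
    }

    // Stand-in for the external module: validates the opaque token against a constructed
    // directory and publishes the resolved user id under LOGIN_NAME.
    public static class ExternalIdpModule implements LoginModule {
        static final Map<String, String> TOKEN_TO_USER = Map.of("opaque-7f3a", "alice");
        private CallbackHandler handler;
        private Map<String, Object> sharedState;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
            sharedState = (Map<String, Object>) shared;
        }
        @Override public boolean login() throws LoginException {
            DemoCredentials creds = fetch(handler);
            String user = creds == null ? null : TOKEN_TO_USER.get(creds.opaqueToken);
            if (user == null) throw new LoginException("unknown external token");
            sharedState.put(LOGIN_NAME, user);
            return true;
        }
        @Override public boolean commit() { return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    // Stand-in for a token-issuing module: authenticates nobody in login() and issues the
    // token in commit(), after every module has run and the shared state is populated.
    public static class TokenIssuingModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, ?> sharedState;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
            sharedState = shared;
        }
        @Override public boolean login() { return false; }
        @Override public boolean commit() throws LoginException {
            DemoCredentials creds = fetch(handler);
            String userId = resolveUserId(creds, sharedState);
            if (creds == null || userId == null) return false;   // the ticket's failure mode: no token
            creds.attributes.put(".token", userId + ":" + UUID.randomUUID());
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    public static void main(String[] args) throws LoginException {
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, ?> none = Map.of();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(TokenIssuingModule.class.getName(), LoginModuleControlFlag.OPTIONAL, none),
                    new AppConfigurationEntry(ExternalIdpModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
                };
            }
        };
        // The caller passes only an opaque token, so the credentials carry no user id at all.
        DemoCredentials creds = new DemoCredentials(null, "opaque-7f3a");
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof CredentialsCallback) ((CredentialsCallback) cb).credentials = creds;
            }
        };
        new LoginContext("demo", new Subject(), handler, config).login();
        System.out.println("issued token: " + creds.attributes.get(".token"));
    }
}
```

Run with `java SharedStateDemo.java` (Java 11 or later). The printed token is prefixed with alice, the id the external module resolved and published in the shared state, although the credentials themselves had a null user id. Replace resolveUserId with a version that only reads creds.userId and commit() returns false, which is the behaviour the ticket reports: login still succeeds, but no token is written to the .token attribute.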