[https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15108026#comment-15108026]
Alexander Klimetschek commented on OAK-3899:
--------------------------------------------
To explain our use case a bit:
We have a custom external identity provider (for an external user &
authentication system). One authentication mechanism is using oauth, in which
an authorization code is sent with the request after a login page, and we pass
this code through from an Apache Sling AuthenticationHandler to the repository
login. This is done using SimpleCredentials (because a. the ExternalLoginModule
only supports this at this time and b. the retrieve-token-back feature of the
TokenLoginModule only works with SimpleCredentials as well), which gets a null
userId, empty password and a special attribute containing the code.
After this initial login using the code, we want to continue the browser
"session" with the oak login token. Because of that, the SimpleCredentials also
gets the {{.token}} attribute set in the authentication handler so after the
session login the token is present there and can be set as a cookie on the same
response for subsequent requests. This would make the whole process seamless,
avoiding extra (privileged) sessions.
Workaround:
I can use a utility (granite TokenUtil) to create the token after the session
was created and use the session user id for the token. This creates 2 extra
sessions as it uses impersonation from a privileged session, which is overhead
I would like to avoid.
> TokenLoginModule ignores shared key javax.security.auth.login.name
> ------------------------------------------------------------------
>
> Key: OAK-3899
> URL: https://issues.apache.org/jira/browse/OAK-3899
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.3.14
> Reporter: Alexander Klimetschek
> Attachments: OAK-3899.patch
>
>
> The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at
> SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/1144914c053ec9c2723450261fabfee1bd9d0e58/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
> when creating a token.
> However, in certain situations, such as with the ExternalLoginModule and
> non-username/password credentials, the SimpleCredentials are used but don't
> have a user id as the real user id is determined not by the caller of
> {{Repository.login()}}, but by the external identity provider inside the
> ExternalLoginModule (and the credentials might not include any kind of user
> id, say an opaque token from an external service). In this case,
> {{SimpleCredentials.getUserID()}} returns null and the token implementation
> fails to create a token and does not return it in the {{.token}} attribute of
> the credentials.
> Instead, the TokenLoginModule should look at the shared
> {{javax.security.auth.login.name}} attribute, which can de facto override a
> {{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.
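The credentials and shared-state handling discussed above, as an added Java illustration that is not Oak's TokenLoginModule and not the attached patch: it assumes the JCR API (javax.jcr) on the classpath, the key names quoted in the issue, and a constructed placeholder string in place of Oak's real token generation.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jcr.SimpleCredentials;

// Added illustration of the user-id lookup the issue proposes; not Oak's
// TokenLoginModule or the attached patch. Needs the JCR API (javax.jcr).
public class TokenUserIdResolution {
    // Key names from the issue: JAAS shared-state login name, Oak ".token" attribute.
    static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
    static final String TOKEN_ATTRIBUTE = ".token";

    // Proposed lookup: a login name that an earlier module (e.g. the ExternalLoginModule)
    // published in the JAAS shared state overrides SimpleCredentials.getUserID(), which is
    // the only source the reported code consults. Returns null if neither is set.
    static String resolveUserId(SimpleCredentials sc, Map<String, ?> sharedState) {
        Object shared = sharedState.get(SHARED_KEY_LOGIN_NAME);
        if (shared instanceof String && !((String) shared).isEmpty()) {
            return (String) shared;
        }
        return sc.getUserID();
    }

    // Hypothetical token step: if the caller asked for a token (".token" attribute present)
    // and a user id can be resolved, hand the token back through that attribute.
    // The token value is a constructed placeholder, not Oak's token generation.
    static boolean attachToken(SimpleCredentials sc, Map<String, ?> sharedState) {
        if (sc.getAttribute(TOKEN_ATTRIBUTE) == null) {
            return false; // token not requested
        }
        String userId = resolveUserId(sc, sharedState);
        if (userId == null) {
            return false; // no user id, no token: the failure mode reported in the issue
        }
        sc.setAttribute(TOKEN_ATTRIBUTE, "placeholder-token-for-" + userId);
        return true;
    }

    public static void main(String[] args) {
        // Constructed scenario from the comment: oauth code login with no user id.
        SimpleCredentials sc = new SimpleCredentials(null, new char[0]);
        sc.setAttribute("oauth.code", "constructed-code");
        sc.setAttribute(TOKEN_ATTRIBUTE, ""); // request a token back
        Map<String, Object> sharedState = new HashMap<>();
        System.out.println("before login name is shared: " + attachToken(sc, sharedState));
        // The ExternalLoginModule resolves the user and publishes the login name.
        sharedState.put(SHARED_KEY_LOGIN_NAME, "constructed-external-user");
        System.out.println("after login name is shared: " + attachToken(sc, sharedState));
        System.out.println("token attribute: " + sc.getAttribute(TOKEN_ATTRIBUTE));
    }
}
```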