[ 
https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123336#comment-15123336
 ] 

angela commented on OAK-3899:
-----------------------------

I am sorry, but I don't share your interpretation. Furthermore, we already have 
different implementations of the {{TokenProvider}} in production. If you as an 
application don't have the need for a custom implementation of the 
{{TokenProvider}}, I am obviously happy that the code is used and will try to 
meet your needs, but I hope you understand that I don't want to apply a hack that 
makes things work for you but breaks it for others by introducing backwards 
incompatible behavior (btw, neither in the {{TokenLoginModule}} nor in the 
{{TokenProvider}}). Oak is an implementation of the JCR specification that 
allows for any type of {{Credentials}} and IMO it's important to reflect that 
fact throughout the various authentication related parts. Otherwise the API 
would probably have been defined to only take {{SimpleCredentials}}.

> Extend TokenLoginModule to respect shared key javax.security.auth.login.name
> ----------------------------------------------------------------------------
>
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek
>            Assignee: angela
>         Attachments: OAK-3899.patch
>
>
> The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at 
> SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/1144914c053ec9c2723450261fabfee1bd9d0e58/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
>  when creating a token.
> However, in certain situations, such as with the ExternalLoginModule and 
> non-username/password credentials, the SimpleCredentials are used but don't 
> have a user id as the real user id is determined not by the caller of 
> {{Repository.login()}}, but by the external identity provider inside the 
> ExternalLoginModule (and the credentials might not include any kind of user 
> id, say an opaque token from an external service). In this case, 
> {{SimpleCredentials.getUserID()}} returns null and the token implementation 
> fails to create a token and does not return it in the {{.token}} attribute of 
> the credentials.
> Instead, the TokenLoginModule should look at the shared 
> {{javax.security.auth.login.name}} attribute, which can de-facto override a 
> {{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
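
The shared-state lookup proposed in the quoted issue description, as an added example that is not part of the original thread and is not Oak's code. It uses only the JDK's JAAS API; `ExternalStub`, `TokenStub`, the user id `alice` and the choice to resolve the name in `commit()` are assumptions made for illustration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
public class SharedLoginNameDemo {
    static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
    static String tokenUserId; // user id the token stub resolved
    /** Common plumbing: keep a reference to the JAAS shared state map. */
    public abstract static class Base implements LoginModule {
        protected Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            shared = (Map<String, Object>) sharedState;
        }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    /** Hypothetical external module: maps an opaque credential to a user id. */
    public static class ExternalStub extends Base {
        @Override public boolean login() {
            shared.put(SHARED_KEY_LOGIN_NAME, "alice"); // constructed user id
            return true;
        }
    }
    /** Hypothetical token module: decides which user the token is issued for. */
    public static class TokenStub extends Base {
        @Override public boolean commit() {
            String credentialsUserId = null; // the credentials carried no user id
            Object sharedName = shared.get(SHARED_KEY_LOGIN_NAME);
            // The shared login name, when present, overrides the credentials' user id.
            tokenUserId = sharedName instanceof String ? (String) sharedName : credentialsUserId;
            return tokenUserId != null; // without a user id no token can be created
        }
    }
    public static void main(String[] args) throws LoginException {
        Map<String, Object> none = Collections.emptyMap();
        AppConfigurationEntry[] chain = {
            new AppConfigurationEntry(ExternalStub.class.getName(), LoginModuleControlFlag.REQUIRED, none),
            new AppConfigurationEntry(TokenStub.class.getName(), LoginModuleControlFlag.REQUIRED, none) };
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return chain; }
        };
        new LoginContext("demo", new Subject(), null, cfg).login();
        System.out.println("token would be issued for: " + tokenUserId);
    }
}
```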