[
https://issues.apache.org/jira/browse/OAK-4224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela updated OAK-4224:
------------------------
Attachment: OAK-4224_2.patch
Alternative patch that returns a {{SyncResult}} with status {{FOREIGN}} instead
of throwing {{SyncException}}.
To me having a {{null}} value for {{SyncResult.getIdentity()}} seemed to be the
right choice here but I wasn't totally sure I properly interpreted the API
contract, which isn't too specific here.
[~tripod], may I kindly ask you to review this and let me know if building a
result without a synced-id is correct and the expected outcome if no attempt
was made to synchronize (nor testing if there existed an authorizable with the
given ID). If not, I would appreciate it if you could elaborate on the API
contract, in particular under which circumstances {{SyncResult.getIdentity}} is
expected to return {{null}}. Thanks a lot.
If you'd prefer throwing {{SyncException}} as proposed earlier I would be
equally fine... just let me know your preference.
> DefaultSyncContext.sync(ExternalIdentity) should verify IDP
> -----------------------------------------------------------
>
> Key: OAK-4224
> URL: https://issues.apache.org/jira/browse/OAK-4224
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Reporter: angela
> Priority: Minor
> Attachments: OAK-4224.patch, OAK-4224_2.patch
>
>
> While writing more tests for {{DefaultSyncContext}} I realized that the
> implementation of {{sync(ExternalIdentity)}} doesn't verify that the given
> external identity belongs to the same IDP as the one associated with the
> context instance.
> IMHO this would be needed and useful particularly when multiple IDPs are
> combined. Also, the {{DefaultSyncContext}} is a publicly exposed class, so I
> would prefer if it would guard against mixing up sync of external identities
> from different sources.
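The guard discussed in this issue, sketched as an added example that is not taken from either attached patch or from Oak's code base. The types below (`ExternalRef`, `SyncResult`, `SyncContext`, the two-value `Status` enum) are simplified, hypothetical stand-ins named after the concepts in the message, and the code assumes Java 16 or later for records.

```java
import java.util.Objects;

// Hypothetical stand-in types for illustration; these are not Oak's interfaces.
public class IdpGuardExample {
    enum Status { ADD, FOREIGN }

    // An external identity reference: the id plus the name of the IDP that owns it.
    record ExternalRef(String id, String providerName) {}

    // identity == null means no authorizable was looked up or synchronized.
    record SyncResult(String identity, Status status) {}

    static final class SyncContext {
        private final String idpName;

        SyncContext(String idpName) {
            this.idpName = Objects.requireNonNull(idpName);
        }

        SyncResult sync(ExternalRef ref) {
            // Guard runs before any lookup or write. A null provider name
            // also fails equals() and is treated as foreign.
            if (!idpName.equals(ref.providerName())) {
                return new SyncResult(null, Status.FOREIGN);
            }
            // Placeholder for the actual synchronization work.
            return new SyncResult(ref.id(), Status.ADD);
        }
    }

    public static void main(String[] args) {
        SyncContext ldapContext = new SyncContext("ldap");

        // Constructed sample input: the same user id reported by two IDPs.
        SyncResult own = ldapContext.sync(new ExternalRef("alice", "ldap"));
        SyncResult other = ldapContext.sync(new ExternalRef("alice", "saml"));
        SyncResult unnamed = ldapContext.sync(new ExternalRef("alice", null));

        System.out.println(own);     // status ADD, identity "alice"
        System.out.println(other);   // status FOREIGN, identity null
        System.out.println(unnamed); // status FOREIGN, identity null

        // With the non-throwing variant, callers must branch on the status
        // and must not dereference the identity of a FOREIGN result.
        if (other.status() == Status.FOREIGN) {
            System.out.println("skipped: identity belongs to another IDP");
        }
    }
}
```

The same id arriving from two providers is the case the guard exists for: without the check, the second call would be synchronized into the first provider's user.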