[ https://issues.apache.org/jira/browse/OAK-1710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15413632#comment-15413632 ]

angela commented on OAK-1710:
-----------------------------

[~tripod], reading the logical steps above I have the feeling that this is
already covered by OAK-3886:

1. select the correct IDP for the given credentials => Multiple
   {{ExternalLoginModule}} with a different IDP configured; IDP implementing
   {{CredentialsSupport}}
2. find the user in the IDP based on the credentials => no change required
3. authenticate the user => no change required
4. find the oak-user via user manager => The IDP implementing
   {{CredentialsSupport}} may return the ID of the {{ExternalUser}} upon
   {{CredentialsSupport.getUserId}}, which should work as the sync-code uses
   {{ExternalUser.getID}} to (re)-sync the user.
5. setup subject based on the oak-user => no change required
6. allow login modules to add more principals => no change required, see
   oak-doc for pluggability of {{PrincipalConfiguration}} and oak-auth-external
   code base for an example.
7. set AuthInfo to correctly identify the userid that corresponds to the user
   that was logged in => no change required

> Extend authentication with intelligent loginid->userid mapping
> --------------------------------------------------------------
>
> Key: OAK-1710
> URL: https://issues.apache.org/jira/browse/OAK-1710
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: auth-external, core
> Reporter: Tobias Bocanegra
>
> use cases:
> * login with windows "DOMAIN\userid"
> * login with case insensitive userid
> * login with login id (e.g.) that is not equal to the user id
> * login with ldap DN
> the logical steps to resolve the users are:
> 1. select the correct IDP for the given credentials
> 2. find the user in the IDP based on the credentials
> 3. authenticate the user
> 4. find the oak-user via user manager
> 5. setup subject based on the oak-user
> 6. allow login modules to add more principals
> 7. set AuthInfo to correctly identify the userid that corresponds to the user
> that was logged in
> question:
> * different credentials for different use cases?
> * how much must each login module implement itself?
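
An added illustration of step 4 in the comment above (not code from this issue or from the Oak code base): a {{CredentialsSupport}} implementation an IDP could use so that {{getUserId}} yields one canonical ID for the "DOMAIN\userid" and case-insensitive use cases. The class name, the single-domain constructor argument and the lowercasing policy are assumptions, and the returned value is assumed to equal the ID of the {{ExternalUser}} that the IDP hands to the sync code.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.CredentialsSupport;

// Hypothetical class, not part of Oak: maps a login id to the canonical external user ID.
public class LoginIdCredentialsSupport implements CredentialsSupport {

    private final String domain; // assumption: this IDP serves exactly one Windows domain

    public LoginIdCredentialsSupport(String domain) {
        this.domain = domain.toLowerCase(Locale.ROOT);
    }

    @Override
    public Set<Class> getCredentialClasses() {
        return Collections.<Class>singleton(SimpleCredentials.class);
    }

    @Override
    public String getUserId(Credentials credentials) {
        if (!(credentials instanceof SimpleCredentials)) {
            return null; // unsupported credentials: let another login module handle them
        }
        String loginId = ((SimpleCredentials) credentials).getUserID();
        if (loginId == null) {
            return null;
        }
        // Locale.ROOT keeps the mapping identical on every JVM (no locale-specific case rules).
        loginId = loginId.toLowerCase(Locale.ROOT);
        int sep = loginId.indexOf('\\');
        if (sep >= 0) {
            // "DOMAIN\\userid": refuse foreign domains instead of silently stripping the prefix,
            // so two different accounts can never collapse onto the same user ID.
            if (!loginId.substring(0, sep).equals(domain)) {
                return null;
            }
            loginId = loginId.substring(sep + 1);
        }
        return loginId.isEmpty() ? null : loginId;
    }

    @Override
    public Map<String, ?> getAttributes(Credentials credentials) {
        return Collections.<String, Object>emptyMap();
    }

    @Override
    public boolean setAttributes(Credentials credentials, Map<String, ?> attributes) {
        return false; // this sketch stores no attributes on the credentials
    }
}
```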