angela created OAK-5210:

             Summary: Ability to resolve principal name from ExternalIdentityRef without IDP roundtrip
                 Key: OAK-5210
             Project: Jackrabbit Oak
          Issue Type: New Feature
          Components: auth-external
            Reporter: angela

Currently the only way to reliably determine the principal name for a given 
external identity is by calling {{ExternalIdentity.getPrincipalName()}}. This 
also means that there is currently no way to resolve the principal name from a 
given {{ExternalIdentityRef}}, without calling 

In the default sync mode a given identity-ref will always be resolved to the 
associated identity once a given identity is up for (re)sync and thus the 
identity resolution is part of the synchronization. On the other hand the 
partial sync as provided by the {{DynamicSyncContext}} doesn't require the 
resolution of group identities but only needs to be able to obtain the 
principal name, which is needed to properly populate the subject upon repository 
login (and for permission setup for those group principals). In this setup it 
would be preferable if the principal name could be resolved from the 
{{ExternalIdentityRef}} without the intermediate identity resolution.

The aim of this issue is to discuss the different options on how to achieve 
this improvement in a generic way that doesn't make any assumptions regarding 
the relationship between {{ExternalIdentity.getId}}, 
{{ExternalIdentity.getPrincipalName}} and {{ExternalIdentityRef.getId}}.

See also OAK-4930 and OAK-5200 for additional information.
