[ https://issues.apache.org/jira/browse/OAK-8802?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16983259#comment-16983259 ]

Angela Schreiber commented on OAK-8802:
---------------------------------------

[~chaotic], before committing any changes related to this issue, i wanted to 
get your opinion since we recently discussed the topic of user synchronization 
in combination with login tokens. from oak point of view the 
{{ExternalLoginModule}} should not make any assumptions regarding the 
principal-configuration nor the authentication setup in place... but obviously 
i don't want to break any existing setup.

> ExternalLoginModule.commit will fail if no principals can be resolved for 
> externalUser
> --------------------------------------------------------------------------------------
>
>                 Key: OAK-8802
>                 URL: https://issues.apache.org/jira/browse/OAK-8802
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external, security
>            Reporter: Angela Schreiber
>            Assignee: Angela Schreiber
>            Priority: Major
>
> while testing a potential patch for OAK-8710 i noticed that 
> {{ExternalLoginModule.commit()}} will not succeed if 
> {{AbstractLoginModule.getPrincipals}} returns an empty list. however, 
> depending on the oak security setup the principal lookup may not be 
> able to resolve the given external ID while still being able to successfully 
> login the given external user e.g. by means of login with a subject that has 
> already been populated with the principals to be used.
> i would suggest to let {{ExternalLoginModule.commit()}} succeed as soon as 
> the {{externalUser}} field was set during the first login phase. authinfo and 
> subject can then be populated accordingly. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
