[ https://issues.apache.org/jira/browse/OAK-9468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Angela Schreiber resolved OAK-9468.
-----------------------------------
Fix Version/s: 1.42.0
Resolution: Fixed
Rev. 1890973: initial best effort implementation that covers
{{GroupAction.onMemberAdded(Group, Authorizable, Root, NamePathMapper)}} that
doesn't require an extra lookup of the new member.
> Define mechanism to prevent cross-IDP membership
> ------------------------------------------------
>
> Key: OAK-9468
> URL: https://issues.apache.org/jira/browse/OAK-9468
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external, security
> Reporter: Angela Schreiber
> Assignee: Angela Schreiber
> Priority: Major
> Fix For: 1.42.0
>
>
> While {{DefaultSyncContext}} verifies that external identities are not added
> as members of a group defined by a different IDP, this can be manually achieved in
> the repository's user management after a full sync.
> Therefore _oak-auth-external_ should come with a mechanism to detect and
> prevent IDP-boundary violations. This could either be an
> {{AuthorizableActionProvider}} containing an implementation of
> {{GroupAction}} or a dedicated {{Validator}} implementation. For backwards
> compatibility a 'warnonly' option would allow only logging a warning instead
> of failing the operation.