Hello,

I'm using CXF OIDC. When my Client Application redirects a user to OIDC and the user is not associated with any role on the STS side, everything works fine. When I associate the user with at least one role, I get a 403 on this request:

  http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY

From https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54 :

  * When the user has no roles, the Tomcat handler adds the 'Authenticated' role.
  * When the user has 1..n roles, no 'Authenticated' role is added.

As a workaround, I could give every one of my users an Authenticated role, but it seems a bit artificial. Shouldn't TomcatSigninHandler.java systematically add the Authenticated role?

Thanks,
Adrian
P.S. Here's the extract of my web.xml:

  <security-role>
    <role-name>Manager</role-name>
  </security-role>
  <security-role>
    <role-name>User</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
  <security-role>
    <role-name>Authenticated</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
