Hi Adrian,

I suppose the question is why you need to specify a role constraint at all for the OIDC authorization call? If you're happy to allow any authenticated user access, then why have a constraint on the role of the user?

Colm.

On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <[email protected]> wrote:

> Hello,
>
> I'm using CXF OIDC. When my Client Application redirects a user to OIDC and
> the user is not associated with any role on the STS side, then everything works
> fine.
>
> When I associate the user with at least 1 role, I've got a 403 on this
> request:
> http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
>
> From
> https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54 :
>
> * When user has no roles, tomcat handler adds 'Authenticated' role.
> * When user has 1..n roles, no 'Authenticated' role is added.
>
> As a workaround, I could give every one of my users an Authenticated role,
> but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
> systematically add the Authenticated role?
>
> Thanks,
> Adrian
>
> P.S. Here's the extract of my web.xml:
>
>     <security-role>
>         <role-name>Manager</role-name>
>     </security-role>
>     <security-role>
>         <role-name>User</role-name>
>     </security-role>
>     <security-role>
>         <role-name>Admin</role-name>
>     </security-role>
>     <security-role>
>         <role-name>Authenticated</role-name>
>     </security-role>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>User Protected Area</web-resource-name>
>             <url-pattern>/idp/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>*</role-name>
>         </auth-constraint>
>     </security-constraint>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
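The following is an added example, not code from the thread, from Fediz or from Tomcat. It models the two mechanisms the thread turns on: the sign-in handler behaviour Adrian describes (the 'Authenticated' role is added only when the STS returned no roles) and the Servlet rules for the `<role-name>` values in an `<auth-constraint>`: a named role matches a user holding it, `*` matches any role declared in a `<security-role>` element, and `**` (Servlet 3.1, which Tomcat 8 implements) matches any authenticated user without a role check. The web.xml is the fragment quoted above, wrapped in a root element so it parses; the role sets passed in are constructed. The model assumes the caller has already authenticated and ignores Fediz's actual claim-to-role mapping, which the thread does not show.

```python
"""Model of Servlet <auth-constraint> evaluation against the quoted web.xml.

Constructed example: this is not Fediz or Tomcat code. It only models the
Servlet spec rules for <auth-constraint> role names plus the sign-in handler
behaviour described in the thread.
"""
import xml.etree.ElementTree as ET

# web.xml fragment from the thread, wrapped in <web-app> so it is well-formed XML.
WEB_XML = """<web-app>
  <security-role><role-name>Manager</role-name></security-role>
  <security-role><role-name>User</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with '**' instead of '*': the Servlet 3.1 "any authenticated user" form.
WEB_XML_ANY_AUTHENTICATED = WEB_XML.replace(
    "<role-name>*</role-name>", "<role-name>**</role-name>")


def roles_after_signin(sts_roles):
    """Model of the handler behaviour described in the thread (assumption, not
    the real TomcatSigninHandler): 'Authenticated' is added only when the STS
    returned no roles at all."""
    roles = set(sts_roles)
    return roles if roles else {"Authenticated"}


def parse_web_xml(text):
    """Return (declared role names, [(url patterns, auth-constraint role names)])."""
    root = ET.fromstring(text)
    declared = {r.findtext("role-name").strip() for r in root.iter("security-role")}
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        # Missing <auth-constraint>: unrestricted. Present: the listed roles.
        names = None if ac is None else {n.text.strip() for n in ac.iter("role-name")}
        constraints.append((patterns, names))
    return declared, constraints


def matches(pattern, path):
    """Servlet url-pattern matching: path prefix, extension, default, or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path


def is_authorized(path, user_roles, web_xml=WEB_XML):
    """Decide whether an already-authenticated user holding user_roles may
    access path under the given web.xml. Roles from the STS should first be
    passed through roles_after_signin() to model the handler."""
    user_roles = set(user_roles)
    declared, constraints = parse_web_xml(web_xml)
    for patterns, names in constraints:
        if not any(matches(p, path) for p in patterns):
            continue
        if names is None:
            continue                      # no <auth-constraint>: allowed
        if "**" in names:
            return True                   # any authenticated user, no role check
        allowed = set(names)
        if "*" in allowed:                # '*' = every role declared in <security-role>
            allowed = (allowed - {"*"}) | declared
        if not allowed:
            return False                  # empty <auth-constraint/>: nobody
        if not user_roles & allowed:
            return False
    return True


if __name__ == "__main__":
    # Per the spec, a user with no STS roles gets 'Authenticated' and passes '*';
    # a user whose only role is not declared in web.xml does not.
    print(is_authorized("/idp/authorize", roles_after_signin([])))        # True
    print(is_authorized("/idp/authorize", roles_after_signin(["Guest"])))  # False
    print(is_authorized("/idp/authorize", roles_after_signin(["Guest"]),
                        WEB_XML_ANY_AUTHENTICATED))                        # True
```

The `Guest` case is the one to keep in mind when reasoning about the reported 403: with `*`, a role the STS issues but web.xml does not declare grants nothing, and because the handler added no `Authenticated` role for that user, nothing else matches either. Switching the constraint to `**` removes the role check entirely, which is what Colm's question amounts to.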
