One thing to note is that these roles in fediz-oidc/web.xml are a
temporary side effect of the fact that OIDC is implemented right now
as a Fediz WS-Fed RP (meaning that internally, when the user is actually
authenticated, OIDC talks to the core Fediz IDP using WS-Fed, which is
transparent to the user).
And because OIDC is a Fediz RP right now, it is like any other web
application protected by Fediz Authenticators, and hence I simply copied
the roles from a basic Fediz demo when prototyping the initial Fediz
OIDC web.xml.
So I wonder, can we simply get rid of those roles? I recall it was quite
sensitive. Or maybe fix something at the Fediz core level so as not to lose
'Authenticated'?
Either way, these roles will go once we have OIDC and the IDP combined, with
OIDC becoming a real IDP itself...
Cheers, Sergey
On 18/07/16 13:58, Colm O hEigeartaigh wrote:
Hi Adrian,
I suppose the question is why you need to specify a role constraint at all
for the OIDC authorization call? If you're happy to allow any authenticated
user access, then why have a constraint on the role of the user?
Colm.
On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <[email protected]> wrote:
Hello,
I'm using CXF OIDC. When my Client Application redirects a user to OIDC and
the user is not associated with any role on the STS side, then everything works
fine.
When I associate the user with at least 1 role, I get a 403 on this
request:
http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
From
https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54
:
* When the user has no roles, the Tomcat handler adds the 'Authenticated' role.
* When the user has 1..n roles, no 'Authenticated' role is added.
As a workaround, I could give every one of my users an Authenticated role,
but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
systematically add the Authenticated role?
Thanks,
Adrian
P.S. Here's the extract of my web.xml:

    <security-role>
        <role-name>Manager</role-name>
    </security-role>
    <security-role>
        <role-name>User</role-name>
    </security-role>
    <security-role>
        <role-name>Admin</role-name>
    </security-role>
    <security-role>
        <role-name>Authenticated</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>User Protected Area</web-resource-name>
            <url-pattern>/idp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
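Added example for the point Colm raises (why constrain on role at all when any authenticated user is acceptable). This is not from the thread and not Fediz project code. It assumes a Servlet 3.1 container, which Tomcat 8 is (the TomcatSigninHandler Adrian links to lives in the tomcat8 plugin), and reuses the /idp/* pattern from Adrian's web.xml. In the Servlet spec, `*` in an <auth-constraint> expands to "any role declared in a <security-role> element of this descriptor", so an authenticated principal whose roles are all undeclared is rejected with 403. Servlet 3.1 added `**`, meaning "any authenticated principal regardless of role", which still forces a sign-in for /idp/* but no longer depends on a synthetic 'Authenticated' role being injected by the handler:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or the Fediz sources. Assumes a
     Servlet 3.1 container (Tomcat 8) and the /idp/* path from the posted
     web.xml. The descriptor is declared as version 3.1 so "**" is
     interpreted per the spec. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Variant A (as posted): "*" expands to exactly the roles declared
       here. A principal is admitted only if it holds at least one of them,
       so a signed-in user whose STS roles are, say, "Customer" and
       "Auditor" gets 403 even though authentication succeeded. -->
  <security-role><role-name>Manager</role-name></security-role>
  <security-role><role-name>User</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>

  <!-- Variant A constraint, kept for comparison (commented out):
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- Variant B: "**" (Servlet 3.1) admits any authenticated principal.
       Unauthenticated requests to /idp/* are still intercepted by the
       Fediz authenticator and sent to sign in; authenticated ones pass
       whatever roles the STS issued, including none. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

With Variant B the <security-role> declarations only matter if application code calls isUserInRole for those names; they are no longer what decides access to /idp/*. Omitting the <auth-constraint> altogether is not equivalent: without one the container does not require authentication for the pattern at all, which is why some constraint is needed even when any authenticated user is acceptable.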