I think we could just get rid of them for the non-console part of the OIDC
IdP. For the normal RP case, you want to make sure that only authenticated
users in a given role can access the application. But here we're just
logging users in, so I don't think we need to specify a constraint on the
role.

Colm.

On Mon, Jul 18, 2016 at 12:11 PM, Sergey Beryozkin <[email protected]>
wrote:

> One thing to note is that these roles in fediz-oidc/web.xml are a
> temporary side-effect of the fact that OIDC is implemented right now as a
> Fediz WS-Fed RP (meaning that internally, when the user is actually
> authenticated, OIDC talks to the core Fediz IDP using WS-Fed, which is
> transparent to the user).
> And because OIDC is a Fediz RP right now, it is like any other web
> application protected by Fediz Authenticators, and hence I simply copied
> the roles from a based Fediz demo when prototyping the initial Fediz OIDC
> web.xml.
>
> So I wonder, can we simply get rid of those roles? I recall it was quite
> sensitive. Or maybe fix something at the Fediz core level not to lose
> 'Authenticated'?
>
> Either way these roles will go once we have OIDC and IDP combined, with
> OIDC becoming a real IDP itself...
>
> Cheers, Sergey
>
>
>
> On 18/07/16 13:58, Colm O hEigeartaigh wrote:
>
>> Hi Adrian,
>>
>> I suppose the question is why you need to specify a role constraint at all
>> for the OIDC authorization call? If you're happy to allow any
>> authenticated
>> user access, then why have a constraint on the role of the user?
>>
>> Colm.
>>
>> On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <
>> [email protected]> wrote:
>>
>>> Hello,
>>> I'm using CXF OIDC. When my Client Application redirects a user to OIDC
>>> and the user is not associated with any role in sts side, then everything
>>> works fine.
>>> When I associate the user with at least 1 role, I've got a 403 on this
>>> request:
>>>
>>> http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
>>>
>>> From
>>> https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54 :
>>> * When user has no roles, tomcat handler adds 'Authenticated' role.
>>> * When user has 1..n roles, no 'Authenticated' role is added.
>>>
>>> As a workaround, I could give every one of my users an Authenticated role,
>>> but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
>>> systematically add the Authenticated role?
>>> Thanks, Adrian
>>>
>>> P.S. Here's the extract of my web.xml:
>>>
>>>     <security-role>
>>>         <role-name>Manager</role-name>
>>>     </security-role>
>>>     <security-role>
>>>         <role-name>User</role-name>
>>>     </security-role>
>>>     <security-role>
>>>         <role-name>Admin</role-name>
>>>     </security-role>
>>>     <security-role>
>>>         <role-name>Authenticated</role-name>
>>>     </security-role>
>>>     <security-constraint>
>>>         <web-resource-collection>
>>>             <web-resource-name>User Protected Area</web-resource-name>
>>>             <url-pattern>/idp/*</url-pattern>
>>>         </web-resource-collection>
>>>         <auth-constraint>
>>>             <role-name>*</role-name>
>>>         </auth-constraint>
>>>     </security-constraint>
>>>
>>>
>>>
>>>
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
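
Added example, not part of the thread and not Fediz project code: the /idp/* constraint from Adrian's web.xml, shown as posted and then rewritten so that it requires only an authenticated user, which is the intent Colm describes. The rewrite relies on the Servlet 3.1 special role name `**` ("any authenticated user, independent of role"); it assumes the application's web.xml is declared as version 3.1, which Tomcat 8 supports. The role names and the web-resource-name strings are taken from the posted fragment or chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml fragment (constructed for illustration). Assumes a
     Servlet 3.1 deployment descriptor; the "**" role name below does not
     exist in earlier Servlet versions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

    <!-- As posted (kept here commented out for comparison).
         In the Servlet spec "*" is shorthand for "any role declared in a
         security-role element below". A user who signs in with roles that
         the STS issued but that are not Manager/User/Admin, and who did not
         receive the synthetic 'Authenticated' role either (the Tomcat handler
         only adds it when the user has no roles at all), matches none of the
         declared roles and is refused with 403.

    <security-role><role-name>Manager</role-name></security-role>
    <security-role><role-name>User</role-name></security-role>
    <security-role><role-name>Admin</role-name></security-role>
    <security-role><role-name>Authenticated</role-name></security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>User Protected Area</web-resource-name>
            <url-pattern>/idp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    -->

    <!-- Rewritten: the authorization endpoint still requires a signed-in
         user (so the Fediz authenticator is still triggered for /idp/*),
         but no particular role. "**" means any authenticated user regardless
         of which roles, if any, the STS put in the token, so it does not
         depend on the 'Authenticated' role being added by the handler and
         no security-role declarations are needed for it. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>OIDC IdP endpoints (any authenticated user)</web-resource-name>
            <url-pattern>/idp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>
```

The difference matters for the OIDC use case discussed above: the IdP's job at /idp/authorize is to establish who the user is, not to enforce an application role, so the constraint should fail only for unauthenticated requests. Role-based decisions belong in the relying party that consumes the resulting token, where a constraint with named roles (or `*` over a declared set) is the right tool.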
