+1,
Cheers, Sergey
On 18/07/16 14:18, Colm O hEigeartaigh wrote:
I think we could just get rid of them for the non-console part of the OIDC
IdP. For the normal RP case, you want to make sure that only authenticated
users in a given role can access the application. But here we're just
logging users in, so I don't think we need to specify a constraint on the
role.
Colm.
On Mon, Jul 18, 2016 at 12:11 PM, Sergey Beryozkin <[email protected]>
wrote:
One thing to note is that these roles in fediz-oidc/web.xml is a
temporarily side-effect of the fact that OIDC is implemented right now as
Fediz WS-Fed RP (meaning that internally, when the user is actually
authenticated, OIDC talks to the core Fediz IDP using WS-Fed which is
transparent to the user).
And because OIDC is Fediz RP right now, it is like any other web
application protected by Fediz Authenticators and hence I simply copied
the roles from a based Fediz demo when prototyping the initial Fediz OIDC
web.xml.
So I wonder can we simply get rid of those roles ? I recall it was quite
sensitive. Or may be fix something at the Fediz core level not to lose
'Authenticated' ?
Either way these roles will go once we have OIDC and IDP combined with
OIDC becoming a real IDP itself...
Cheers, Sergey
On 18/07/16 13:58, Colm O hEigeartaigh wrote:
Hi Adrian,
I suppose the question is why you need to specify a role constraint at all
for the OIDC authorization call? If you're happy to allow any
authenticated
user access, then why have a constraint on the role of the user?
Colm.
On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <
[email protected]> wrote:
Hello,
I'm using CXF OIDC.When my Client Application redirects a user to OIDC
and
the user is not associated with any role in sts side, then everything
works
fine.
When I associate the user with at least 1 roles, I've got a 403 on this
request :
http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
From
https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54
:
* When user has no roles, tomcat handler adds 'Authenticated' role. *
When user has 1..n roles, no 'Authenticated' role is added.
As a workaround, I could give everyone of my users an Authenticated role,
but it seems a bit artificial.Shouldn't TomcatSigninHandler.java
systematically add Authenticated role ?
Thanks,Adrian
P.S.Here's the extract of my web.xml : <security-role>
<role-name>Manager</role-name>
</security-role>
<security-role>
<role-name>User</role-name>
</security-role>
<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>Authenticated</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>User Protected Area</web-resource-name>
<url-pattern>/idp/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
