Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2016/10/27 09:06:58 UTC

[jira] [Resolved] (OAK-4932) DefaultSyncContext.sync(String) could use idp.getIdentity(ExternalIdentityRef)

     [ https://issues.apache.org/jira/browse/OAK-4932?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved OAK-4932.
-------------------------
    Resolution: Won't Fix

> DefaultSyncContext.sync(String) could use idp.getIdentity(ExternalIdentityRef)
> ------------------------------------------------------------------------------
>
>                 Key: OAK-4932
>                 URL: https://issues.apache.org/jira/browse/OAK-4932
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
>
> Instead of [idp.getGroup(id)|https://github.com/apache/jackrabbit-oak/blob/08aadf19a5e6b1bb4ca6687623e06140fb1ec5bc/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L291] and [idp.getUser(id)|https://github.com/apache/jackrabbit-oak/blob/08aadf19a5e6b1bb4ca6687623e06140fb1ec5bc/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L300], the implementation of the DefaultSyncHandler could use {{ExternalIdentityProvider.getIdentity(ExternalIdentityRef)}}, as it looks up the reference right before (based on the {{rep:externalId}}) and fails if not present.
> h4. Reasoning
> Implementing {{getUser/Group(id)}} in an ExternalIdentityProvider can be difficult, because you need a way to search the external identity system efficiently by the local user id, which might not always be the case, if the external system uses another id and is only optimized for that.
> h4. Consequences
> # The only other place using {{ExternalIdentityProvider.getUser(String)}} is the [ExternalLoginModule|https://github.com/apache/jackrabbit-oak/blob/52f1e9a84324135e6a79678bbf209d03c0d2d77d/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L217], in case the user is pre-authenticated and does not exist locally yet. However, this is a specific use case that might not apply to all identity providers, in which case they could happily skip implementing this method. A note in the javadoc could clarify this for implementors.
> # {{ExternalIdentityProvider.getGroup(String)}} would then be used in no other place (in the sync code) and could even be deprecated, as I can't imagine another application-specific use case for it.



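The lookup difference the issue describes, as an added Java sketch that is not Oak's code. `Ref`, `Identity` and `DirectoryIdp` are simplified, hypothetical stand-ins for Oak's `ExternalIdentityRef`, `ExternalIdentity` and `ExternalIdentityProvider`; the directory entries are constructed, and the `id;providerName` form of `rep:externalId` is assumed with escaping omitted.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SyncLookupDemo {
    // Hypothetical stand-in for ExternalIdentityRef; "id;providerName" form assumed, escaping omitted.
    record Ref(String id, String providerName) {
        static Ref fromString(String s) {
            int i = s.indexOf(';');
            return i < 0 ? new Ref(s, null) : new Ref(s.substring(0, i), s.substring(i + 1));
        }
    }
    record Identity(Ref ref, String localId, boolean isGroup) {}

    // Hypothetical provider whose backing directory is indexed only by its own external id.
    static class DirectoryIdp {
        final String name = "ldap";
        final Map<String, Identity> byExternalId = new LinkedHashMap<>();
        int entriesScanned = 0;

        void add(String externalId, String localId, boolean isGroup) {
            byExternalId.put(externalId, new Identity(new Ref(externalId, name), localId, isGroup));
        }
        // Keyed lookup: the directory's native access path.
        Identity getIdentity(Ref ref) { return byExternalId.get(ref.id()); }
        // Lookup by local id: nothing to index on, so every entry is inspected.
        Identity getUser(String localId) { return scan(localId, false); }
        Identity getGroup(String localId) { return scan(localId, true); }
        private Identity scan(String localId, boolean isGroup) {
            for (Identity i : byExternalId.values()) {
                entriesScanned++;
                if (i.isGroup() == isGroup && i.localId().equals(localId)) return i;
            }
            return null;
        }
    }

    // Shape of the proposal: resolve through the reference read from rep:externalId, fail if it is absent.
    static Identity resolve(DirectoryIdp idp, String repExternalId) {
        if (repExternalId == null) throw new IllegalStateException("no rep:externalId on local authorizable");
        Ref ref = Ref.fromString(repExternalId);
        // Added check in this sketch: ignore references that belong to another provider.
        return idp.name.equals(ref.providerName()) ? idp.getIdentity(ref) : null;
    }

    public static void main(String[] args) {
        DirectoryIdp idp = new DirectoryIdp();
        for (int n = 0; n < 1000; n++) idp.add("uid=" + n + ",ou=people,dc=example,dc=org", "user" + n, false); // constructed
        Identity viaId = idp.getUser("user999");
        Identity viaRef = resolve(idp, "uid=999,ou=people,dc=example,dc=org;ldap");
        System.out.println(viaId.equals(viaRef) + ", entries scanned by getUser: " + idp.entriesScanned);
    }
}
```

Both paths return the same identity; only the id-based path has to walk the directory, which is the cost the reporter's "Reasoning" section refers to.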