Posted to oak-issues@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/01/15 03:33:39 UTC

[jira] [Comment Edited] (OAK-3876) ExternalLoginModule ignores authorizable ID returned from IDP

    [ https://issues.apache.org/jira/browse/OAK-3876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15101079#comment-15101079 ] 

Alexander Klimetschek edited comment on OAK-3876 at 1/15/16 2:33 AM:
---------------------------------------------------------------------

Turns out there is *no problem in the ExternalLoginModule*. User id is correctly set on the final Subject, taken from the ExternalUser.getId().

The problem I had was in my Sling AuthenticationHandler: when the user id is not known, you must not set a userId in the AuthenticationInfo, and instead pass the JCR Credentials object manually in the "user.jcr.credentials" attribute:
{code}
import javax.jcr.SimpleCredentials;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

// ExternalLoginModule currently requires SimpleCredentials, but ideally, if the user id
// is unknown and the password is not used, a special Credentials class makes more sense
SimpleCredentials credentials = new SimpleCredentials(null, new char[0]);
credentials.setAttribute("my-attribute", "....");

// no userId is set on the AuthenticationInfo; the IDP resolves it from the credentials
AuthenticationInfo authInfo = new AuthenticationInfo(AuthConstants.ACCESS_TOKEN);
authInfo.put("user.jcr.credentials", credentials);
{code}


was (Author: alexander.klimetschek):
Turns out there is no problem in the ExternalLoginModule.

The problem I had was in my Sling AuthenticationHandler: when the user id is not known, you must not set a userId in the AuthenticationInfo, and instead pass the JCR Credentials object manually in the "user.jcr.credentials" attribute:
{code}
// ExternalLoginModule currently requires SimpleCredentials, but ideally, if the user id
// is unknown and the password is not used, a special Credentials class makes more sense
SimpleCredentials credentials = new SimpleCredentials(null, new char[0]);
credentials.setAttribute("my-attribute", "....");

AuthenticationInfo authInfo = new AuthenticationInfo(AuthConstants.ACCESS_TOKEN);
authInfo.put("user.jcr.credentials", credentials);
{code}

> ExternalLoginModule ignores authorizable ID returned from IDP
> -------------------------------------------------------------
>
>                 Key: OAK-3876
>                 URL: https://issues.apache.org/jira/browse/OAK-3876
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.2.9, 1.3.13
>            Reporter: Alexander Klimetschek
>
> In the ExternalLoginModule, the user = authorizable id for the subject after successful authentication will be solely based on the userId of the passed in SimpleCredentials, as the [original credentials are set as SHARED_KEY_CREDENTIALS|https://github.com/apache/jackrabbit-oak/blob/cc78f6fdd122d1c9f200b43fc2b9536518ea996b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.java#L230].
> However, with an external identity provider it can be the case that the credentials do not contain the actual local user id and only the identity provider would do the mapping in its authentication logic and return the right local user id via ExternalUser.getId().
> An example might be an opaque token string used as a credential, which the external IDP validates by calling the external entity, receiving user data that allows it to map to the local user id.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
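The handler pattern described in the comment above, written out as a complete Sling AuthenticationHandler. This is an added example, not code from the ticket or from Oak/Sling; the class name, the "Bearer" header convention, the TOKEN_ATTRIBUTE name and the AUTH_TYPE string are assumptions, and the external IDP that reads the token attribute and returns the local user id via ExternalUser.getId() is not shown.

```java
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/**
 * Hypothetical Sling AuthenticationHandler that hands an opaque token to Oak's
 * ExternalLoginModule without guessing a user id. The token travels as a
 * SimpleCredentials attribute; only the external IDP maps it to a local user id.
 */
public class OpaqueTokenAuthenticationHandler implements AuthenticationHandler {

    /** Constructed names: the IDP (not shown) reads this attribute; the auth type is arbitrary. */
    static final String TOKEN_ATTRIBUTE = "my-token";
    static final String AUTH_TYPE = "OpaqueToken";

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            return null; // not our request: let other handlers try
        }
        String token = header.substring("Bearer ".length()).trim();
        if (token.isEmpty()) {
            return AuthenticationInfo.FAIL_AUTH; // malformed header: fail, do not fall through
        }
        return buildAuthInfo(token);
    }

    /** No user id is set: setUser(token) would make Oak treat the token string as the authorizable id. */
    static AuthenticationInfo buildAuthInfo(String token) {
        SimpleCredentials credentials = new SimpleCredentials(null, new char[0]);
        credentials.setAttribute(TOKEN_ATTRIBUTE, token);
        AuthenticationInfo authInfo = new AuthenticationInfo(AUTH_TYPE);
        authInfo.put(AuthenticationInfo.CREDENTIALS, credentials); // "user.jcr.credentials"
        return authInfo;
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) {
        return false; // no challenge flow for a bearer token
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // nothing to clear: the token lives only in the request header
    }
}
```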