Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2017/08/29 16:17:00 UTC

[jira] [Updated] (FEDIZ-207) FedizPrincipal interface needs to have getId() method

     [ https://issues.apache.org/jira/browse/FEDIZ-207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin updated FEDIZ-207:
-----------------------------------
    Attachment: fediz207.txt

This is a 1.4.x patch. Is there a reason it should only go to the master? I'm pretty sure the only custom FedizPrincipal impl that is really affected here is the test one in the core. The global logout needs to work in 1.4.x.

> FedizPrincipal interface needs to have getId() method
> -----------------------------------------------------
>
>                 Key: FEDIZ-207
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-207
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP, Plugin
>            Reporter: Sergey Beryozkin
>         Attachments: fediz207.txt
>
>
> OIDC IDToken generates a random IdToken SubjectId value when it converts the values found in the FedizPrincipal's SAML token. The problem is that every time the user comes in, a new subjectId is generated for the id token, while this value is actually expected to be identical for a given user.
> The immediate problem we face is that every client application gets an IdToken for a user 'alice' with a different subjectId; thus, during the global logout, it is impossible for each of these client applications to identify, from the logout token, which user to log out, because when OIDC LogoutService creates a logout token it uses FedizSubjectCreator to create a new IdToken with a newly generated subject id.
> One way to solve this is to start hacking a solution involving saving it in a session id and then taking care of removing it from the session on the logout, but given that every Fediz plugin takes care of dealing with FedizPrincipal it is better to keep 'id' at the FedizPrincipal level.
> Updating the interface with getId() will only affect the plugins and not the user code. Each plugin will use UUID to generate it.
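The correlation problem described in the issue, as an added stand-alone illustration (not Fediz code and not the FedizPrincipal or FedizSubjectCreator API; `PrincipalWithId`, `StablePrincipal`, `SubjectCreator`, `ClientApp` and the unsigned `Token` are hypothetical stand-ins). It runs the same login/logout cycle twice: once with a subject strategy that draws a fresh UUID on every conversion, and once with the subject taken from an id generated a single time when the principal is created. Only the second lets each client match the logout token's subject back to a logged-in session.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.function.Function;

// Hypothetical stand-in for a FedizPrincipal interface extended with getId().
interface PrincipalWithId {
    String getName();
    String getId();
}

// A principal whose id is generated exactly once (when the plugin creates the
// principal after validating the SAML token) and then returned unchanged.
final class StablePrincipal implements PrincipalWithId {
    private final String name;
    private final String id = UUID.randomUUID().toString();

    StablePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String getId() { return id; }
}

// Minimal unsigned token carrying only the fields the logout matching depends on.
final class Token {
    final String subject;
    final String audience;
    Token(String subject, String audience) { this.subject = subject; this.audience = audience; }
}

// Stand-in for a subject creator: the same strategy is used for the IdToken issued
// at login and for the logout token, so whatever it returns for 'sub' must be the
// same for both calls or the client cannot correlate them.
final class SubjectCreator {
    private final Function<PrincipalWithId, String> subjectStrategy;
    SubjectCreator(Function<PrincipalWithId, String> subjectStrategy) { this.subjectStrategy = subjectStrategy; }
    Token createIdToken(PrincipalWithId p, String clientId) { return new Token(subjectStrategy.apply(p), clientId); }
    Token createLogoutToken(PrincipalWithId p, String clientId) { return new Token(subjectStrategy.apply(p), clientId); }
}

// A client application that remembers which local session belongs to which 'sub'.
final class ClientApp {
    private final String clientId;
    private final Map<String, String> sessionBySubject = new HashMap<>();
    ClientApp(String clientId) { this.clientId = clientId; }

    void login(String localSessionId, Token idToken) { sessionBySubject.put(idToken.subject, localSessionId); }

    // True when a session was found and terminated; false when the logout token
    // is for another audience or cannot be matched to any logged-in user.
    boolean handleLogout(Token logoutToken) {
        if (!clientId.equals(logoutToken.audience)) return false;
        return sessionBySubject.remove(logoutToken.subject) != null;
    }
}

public class StableSubjectDemo {
    // Logs 'alice' (constructed sample user) into two clients and reports whether
    // both could identify her from the logout token they later receive.
    static boolean globalLogoutWorks(SubjectCreator creator) {
        PrincipalWithId alice = new StablePrincipal("alice");
        ClientApp app1 = new ClientApp("client-1");
        ClientApp app2 = new ClientApp("client-2");
        app1.login("sess-a1", creator.createIdToken(alice, "client-1"));
        app2.login("sess-a2", creator.createIdToken(alice, "client-2"));
        boolean ok1 = app1.handleLogout(creator.createLogoutToken(alice, "client-1"));
        boolean ok2 = app2.handleLogout(creator.createLogoutToken(alice, "client-2"));
        return ok1 && ok2;
    }

    public static void main(String[] args) {
        // Before: a fresh UUID on every conversion, as the issue describes.
        SubjectCreator perCall = new SubjectCreator(p -> UUID.randomUUID().toString());
        // After: the subject comes from the principal's id, generated once per authentication.
        SubjectCreator fromPrincipal = new SubjectCreator(PrincipalWithId::getId);
        System.out.println("random sub per token  -> global logout works: " + globalLogoutWorks(perCall));
        System.out.println("sub from principal id -> global logout works: " + globalLogoutWorks(fromPrincipal));
    }
}
```

The point the example isolates is that the identifier must live for the lifetime of the authenticated principal, not for the lifetime of one token conversion; a client that indexes sessions by 'sub' can only honour a logout token whose 'sub' equals the one it saw at login.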



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)