cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FEDIZ-207) FedizPrincipal interface needs to have getId() method
Date Tue, 29 Aug 2017 13:16:00 GMT
Sergey Beryozkin created FEDIZ-207:
--------------------------------------

             Summary: FedizPrincipal interface needs to have getId() method
                 Key: FEDIZ-207
                 URL: https://issues.apache.org/jira/browse/FEDIZ-207
             Project: CXF-Fediz
          Issue Type: Improvement
          Components: IDP, Plugin
            Reporter: Sergey Beryozkin


OIDC IDToken generates a random IdToken SubjectId value when it converts the values found
in the FedizPrincipal's SAML token. The problem is that every time the user comes in, a new
subjectId is generated for the id token - while this value is actually expected to be identical
for a given user.

The immediate problem we face is that every client application gets an IdToken for a user
'alice' with a different subjectId; thus, during the global logout, it is impossible for
each of these client applications to identify, from the logout token, which user to log out
- because when OIDC LogoutService creates a logout token it uses FedizSubjectCreator to create
a new IdToken with a newly generated subject id.

One way to solve it is to start hacking a solution involving saving it in a session id and then
take care of removing it from the session on the logout - but given that every Fediz plugin
takes care of dealing with FedizPrincipal, it is better to keep 'id' at the FedizPrincipal
level.

Updating the interface with getId() will only affect the plugins and not the user code. Each
plugin will use UUID to generate it.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
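The correlation failure described in the issue, shown as an added example that is not part of the JIRA report or of the Fediz code base. The interface `StableIdPrincipal`, the classes `SimplePrincipal`, `Token`, `RandomSubjectIssuer`, `StableSubjectIssuer` and `ClientApp`, and the session ids are all assumptions made for illustration; only the 'sub' claim is modelled, since that is the value a client has to match a logout token against its own sessions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Hypothetical stand-in for a FedizPrincipal that exposes a stable id (assumed, not the real interface). */
interface StableIdPrincipal {
    String getName();
    String getId();
}

/** The id is generated once, when the principal is created, and reused for every token afterwards. */
final class SimplePrincipal implements StableIdPrincipal {
    private final String name;
    private final String id;

    SimplePrincipal(String name) {
        this.name = name;
        this.id = UUID.randomUUID().toString();
    }

    public String getName() { return name; }
    public String getId() { return id; }
}

/** Minimal stand-in for an IdToken or logout token: only the 'sub' claim is needed here. */
final class Token {
    final String subject;
    Token(String subject) { this.subject = subject; }
}

/** Reproduces the reported defect: a fresh subject id is minted on every conversion. */
final class RandomSubjectIssuer {
    Token issue(StableIdPrincipal p) {
        return new Token(UUID.randomUUID().toString());
    }
}

/** Corrected behaviour: the subject is taken from the principal's stable id. */
final class StableSubjectIssuer {
    Token issue(StableIdPrincipal p) {
        return new Token(p.getId());
    }
}

/** A client application keeps its sessions keyed by the 'sub' of the IdToken received at login. */
final class ClientApp {
    private final Map<String, String> sessionsBySubject = new HashMap<>();

    void login(Token idToken, String sessionId) {
        sessionsBySubject.put(idToken.subject, sessionId);
    }

    /** Removes and returns the session matching the logout token's 'sub', or null if none matched. */
    String logout(Token logoutToken) {
        return sessionsBySubject.remove(logoutToken.subject);
    }
}

public class SubjectIdDemo {
    public static void main(String[] args) {
        StableIdPrincipal alice = new SimplePrincipal("alice");

        // Before the fix: the logout token carries a subject no client has ever seen.
        RandomSubjectIssuer broken = new RandomSubjectIssuer();
        ClientApp app1 = new ClientApp();
        app1.login(broken.issue(alice), "sess-1");
        System.out.println("random sub -> session removed by logout: " + app1.logout(broken.issue(alice)));

        // After the fix: every client that logged alice in can match the same logout token.
        StableSubjectIssuer fixed = new StableSubjectIssuer();
        ClientApp app2 = new ClientApp();
        ClientApp app3 = new ClientApp();
        app2.login(fixed.issue(alice), "sess-2");
        app3.login(fixed.issue(alice), "sess-3");
        Token logoutToken = fixed.issue(alice);
        System.out.println("stable sub -> app2 session removed: " + app2.logout(logoutToken));
        System.out.println("stable sub -> app3 session removed: " + app3.logout(logoutToken));
    }
}
```

With the random issuer the first lookup returns null, so the client has no way to end the right session and the global logout silently fails for it; with the subject bound to the principal's id, each client finds and removes its own session from the one logout token.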
