cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Updated] (FEDIZ-207) FedizPrincipal interface needs to have getId() method
Date Tue, 29 Aug 2017 16:17:00 GMT


Sergey Beryozkin updated FEDIZ-207:
    Attachment: fediz207.txt

This is a 1.4.x patch. Is there a reason it should only go to the master? I'm pretty sure the only custom FedizPrincipal impl that is really affected here is the test one in the core. The global logout needs to work in 1.4.x.

> FedizPrincipal interface needs to have getId() method
> -----------------------------------------------------
>                 Key: FEDIZ-207
>                 URL:
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP, Plugin
>            Reporter: Sergey Beryozkin
>         Attachments: fediz207.txt
>
> OIDC IDToken generates a random IdToken SubjectId value when it converts the values found in the FedizPrincipal's SAML token. The problem is that every time the user comes in, a new subjectId is generated for the id token, while this value is actually expected to be identical for a given user.
> The immediate problem we face is that every client application gets an IdToken for a user 'alice' with a different subjectId; thus, during the global logout, it is impossible for each of these client applications to identify, from the logout token, which user to log out, because when OIDC LogoutService creates a logout token it uses FedizSubjectCreator to create a new IdToken with a newly generated subject id.
> One way to solve this is to start hacking a solution involving saving it in a session id and then take care of removing it from the session on the logout, but given that every Fediz plugin takes care of dealing with FedizPrincipal it is better to keep 'id' at the FedizPrincipal.
> Updating the interface with getId() will only affect the plugins and not the user code. Each plugin will use UUID to generate it.

This message was sent by Atlassian JIRA
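As an added illustration (not Fediz's own code; the FedizPrincipal and FedizSubjectCreator names come from the issue, but their bodies, SimplePrincipal, ClientApp and GlobalLogoutDemo are hypothetical stand-ins), the sketch below contrasts a subject creator that mints a fresh UUID for every token with one that returns the principal's stable getId(), and shows why only the latter lets a client application match a logout token to the session it opened at login:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical, simplified stand-in for the real interface; only getId() matters here.
interface FedizPrincipal {
    String getName();
    String getId();
}

// Plugin-side principal: the id is generated once per principal, as the issue proposes.
final class SimplePrincipal implements FedizPrincipal {
    private final String name;
    private final String id = UUID.randomUUID().toString();
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String getId() { return id; }
}

// Builds the 'sub' value of an IdToken or logout token from a principal.
// subjectBroken mirrors the behaviour described in the issue; subjectFixed uses the stable id.
final class FedizSubjectCreator {
    static String subjectBroken(FedizPrincipal p) { return UUID.randomUUID().toString(); }
    static String subjectFixed(FedizPrincipal p) { return p.getId(); }
}

// Client application (relying party): sessions keyed by the 'sub' seen in the IdToken at login.
final class ClientApp {
    private final Map<String, String> sessionsBySubject = new HashMap<>();
    void login(String sub, String user) { sessionsBySubject.put(sub, user); }
    // Returns the user that was logged out, or null when the logout token's 'sub' is unknown.
    String handleLogoutToken(String sub) { return sessionsBySubject.remove(sub); }
}

public class GlobalLogoutDemo {
    public static void main(String[] args) {
        FedizPrincipal alice = new SimplePrincipal("alice");
        ClientApp rp = new ClientApp();

        // Broken: the IdToken at login and the logout token carry unrelated random subjects,
        // so the client cannot find the session to terminate.
        rp.login(FedizSubjectCreator.subjectBroken(alice), alice.getName());
        System.out.println("broken logout -> " + rp.handleLogoutToken(FedizSubjectCreator.subjectBroken(alice)));

        // Fixed: both tokens carry principal.getId(), so the client finds and removes the session.
        rp.login(FedizSubjectCreator.subjectFixed(alice), alice.getName());
        System.out.println("fixed logout  -> " + rp.handleLogoutToken(FedizSubjectCreator.subjectFixed(alice)));
    }
}
```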
