cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FEDIZ-207) FedizPrincipal interface needs to have getId() method
Date Wed, 30 Aug 2017 15:23:00 GMT

    [ https://issues.apache.org/jira/browse/FEDIZ-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147428#comment-16147428 ]

Colm O hEigeartaigh commented on FEDIZ-207:
-------------------------------------------

Patch looks fine to me and can go into 1.4.x as well.

> FedizPrincipal interface needs to have getId() method
> -----------------------------------------------------
>
>                 Key: FEDIZ-207
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-207
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP, Plugin
>            Reporter: Sergey Beryozkin
>         Attachments: fediz207.txt
>
>
> OIDC IDToken generates a random IdToken SubjectId value when it converts the values found
> in the FedizPrincipal's SAML token. The problem is that every time the user comes in a new
> subjectId is generated for the id token - while this value is actually expected to be identical
> for a given user.
> The immediate problem we face is that every client application gets an IdToken for a
> user 'alice' with a different subjectId; thus, during the global logout, it is impossible
> for each of these client applications to identify, from the logout token, which user to log out
> - because when OIDC LogoutService creates a logout token it uses FedizSubjectCreator to create
> a new IdToken with a newly generated subject id.
> One way to solve it is to start hacking a solution involving saving it in a session id and
> then taking care of removing it from the session on the logout - but given that every Fediz
> plugin takes care of dealing with FedizPrincipal it is better to keep 'id' at the FedizPrincipal
> level.
> Updating the interface with getId() will only affect the plugins and not the user code.
> Each plugin will use UUID to generate it.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
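The correlation failure the ticket describes, as an added example that is not part of the original message or of the Fediz code base: a minimal OIDC issuer and relying-party model in Python (all class and function names are hypothetical, not Fediz API) that contrasts minting a fresh random subject per ID token with taking the subject from an identifier held on the principal, and counts how many relying parties can match a logout token to the session they opened for 'alice'.

```python
"""Model of the FEDIZ-207 problem: if the issuer generates a new random 'sub'
for every ID token, relying parties cannot correlate a later logout token with
the session they created. Constructed example; names are hypothetical."""
import uuid
from dataclasses import dataclass, field


@dataclass
class Principal:
    """Authenticated user as a plugin sees it. `id` stands in for the stable
    identifier the ticket proposes exposing through FedizPrincipal.getId();
    it is generated once (UUID, as the ticket suggests) and then reused."""
    name: str
    id: str = field(default_factory=lambda: str(uuid.uuid4()))


def id_token_random_sub(principal, client_id):
    """'Before' behaviour from the ticket: a new subject on every token."""
    return {"sub": str(uuid.uuid4()), "aud": client_id, "name": principal.name}


def id_token_stable_sub(principal, client_id):
    """'After' behaviour: the subject comes from the principal, so every token
    issued for the same principal carries the same 'sub'."""
    return {"sub": principal.id, "aud": client_id, "name": principal.name}


class RelyingParty:
    """A client application keyed on the 'sub' it received at login."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.sessions = {}  # sub -> user name

    def login(self, id_token):
        if id_token["aud"] != self.client_id:
            raise ValueError("token not issued for this client")
        self.sessions[id_token["sub"]] = id_token["name"]

    def back_channel_logout(self, logout_token):
        """Return True only if a session with the token's 'sub' was found and ended."""
        return self.sessions.pop(logout_token["sub"], None) is not None


def global_logout(issue_token, principal, client_ids):
    """Log the principal into every client, then send each client a logout token
    built the way the ticket describes (a fresh token from the same principal).
    Returns how many clients could identify which session to terminate."""
    rps = [RelyingParty(cid) for cid in client_ids]
    for rp in rps:
        rp.login(issue_token(principal, rp.client_id))
    return sum(rp.back_channel_logout(issue_token(principal, rp.client_id)) for rp in rps)


def demo():
    """Compare both token strategies for one user across three clients."""
    alice = Principal("alice")
    clients = ["app1", "app2", "app3"]
    return {
        "random_sub": global_logout(id_token_random_sub, alice, clients),
        "stable_sub": global_logout(id_token_stable_sub, alice, clients),
    }


if __name__ == "__main__":
    print(demo())  # random_sub: no client can match; stable_sub: all three can
```

The model deliberately keeps the relying party dumb: it only has the `sub` from login to go on, which is exactly the situation the ticket describes for the client applications. Whatever a plugin uses to derive the identifier, the property that matters is that it stays constant for the principal across every token the issuer mints.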
