[jboss-jira] [JBoss JIRA] (ELY-1077) Allow AuthenticationConfiguration identity forwarding to populate authorization-id instead of authentication name

[David Lloyd (JIRA)]

David Lloyd created ELY-1077:
--------------------------------

             Summary: Allow AuthenticationConfiguration identity forwarding to populate authorization-id instead of authentication name
                 Key: ELY-1077
                 URL: https://issues.jboss.org/browse/ELY-1077
             Project: WildFly Elytron
          Issue Type: Enhancement
          Components: Authentication Client
            Reporter: David Lloyd


Sometimes it is useful to run-as the local identity on a peer which does not have access to the local identity credentials.  In this case, a trusted identity can be set up on the peer which is authorized to run-as a set of identities from the local system.

In order to support this in AuthenticationConfiguration, a fixed authentication principal and credential set must be used, but the authorization ID would be outflowed from the local security domain instead.

To support this, we need a new method on AuthenticationConfiguration to use a forwarded authorization ID independently from the authentication ID/credentials.

The implementation could retain the single securityDomain field and introduce a bit set that determines whether the forwarded identity is used for authentication, authorization, or both.  To avoid comparison issues, the forwarded security domain should be cleared when the bit set is cleared, or otherwise disregarded for the purposes of hashing or comparison in this case.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)