[jboss-jira] [JBoss JIRA] (ELY-1077) Allow AuthenticationConfiguration identity forwarding to populate authorization-id instead of authentication name
David Lloyd (JIRA)
issues at jboss.org
Mon Aug 28 11:24:02 EDT 2017
[ https://issues.jboss.org/browse/ELY-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Lloyd reassigned ELY-1077:
--------------------------------
Assignee: David Lloyd
> Allow AuthenticationConfiguration identity forwarding to populate authorization-id instead of authentication name
> -----------------------------------------------------------------------------------------------------------------
>
> Key: ELY-1077
> URL: https://issues.jboss.org/browse/ELY-1077
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Authentication Client
> Reporter: David Lloyd
> Assignee: David Lloyd
>
> Sometimes it is useful to run-as the local identity on a peer which does not have access to the local identity credentials. In this case, a trusted identity can be set up on the peer which is authorized to run-as a set of identities from the local system.
> In order to support this in AuthenticationConfiguration, a fixed authentication principal and credential set must be used, but the authorization ID would be outflowed from the local security domain instead.
> To support this, we need a new method on AuthenticationConfiguration to use a forwarded authorization ID independently from the authentication ID/credentials.
> The implementation could retain the single securityDomain field and introduce a bit set that determines whether the forwarded identity is used for authentication, authorization, or both. To avoid comparison issues, the forwarded security domain should be cleared when the bit set is cleared, or otherwise disregarded for the purposes of hashing or comparison in this case.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
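
The bit-set design proposed in the issue description, as an added sketch that is not Elytron's code and not taken from the issue: ForwardingConfigSketch, its methods and the FORWARD_* constants are hypothetical names, and a plain Object stands in for the local security domain. It shows the comparison hazard the description mentions: once no forwarding bit is set, the retained domain is dropped so it cannot affect equals or hashCode.

```java
import java.util.Objects;

// Hypothetical sketch; not Elytron's AuthenticationConfiguration.
public final class ForwardingConfigSketch {
    static final int FORWARD_AUTHN = 1; // forwarded identity supplies the authentication name
    static final int FORWARD_AUTHZ = 2; // forwarded identity supplies the authorization ID

    private final String fixedPrincipal;   // trusted identity the peer authenticates
    private final Object forwardingDomain; // stand-in for the local security domain
    private final int forwardBits;

    private ForwardingConfigSketch(String principal, Object domain, int bits) {
        this.fixedPrincipal = principal;
        this.forwardBits = bits;
        // Invariant: no bits set means no retained domain, so two "no forwarding"
        // configurations can never differ by a stale domain reference.
        this.forwardingDomain = bits == 0 ? null : domain;
    }

    public static ForwardingConfigSketch of(String p) { return new ForwardingConfigSketch(p, null, 0); }

    // Single domain field: the bits select what the forwarded identity is used for.
    public ForwardingConfigSketch forward(Object domain, int bits) {
        return new ForwardingConfigSketch(fixedPrincipal, Objects.requireNonNull(domain), forwardBits | bits);
    }

    public ForwardingConfigSketch stopForwarding(int bits) {
        return new ForwardingConfigSketch(fixedPrincipal, forwardingDomain, forwardBits & ~bits);
    }

    @Override public boolean equals(Object o) {
        if (!(o instanceof ForwardingConfigSketch)) return false;
        ForwardingConfigSketch c = (ForwardingConfigSketch) o;
        return forwardBits == c.forwardBits
            && Objects.equals(fixedPrincipal, c.fixedPrincipal)
            && forwardingDomain == c.forwardingDomain; // always null when forwardBits == 0
    }

    @Override public int hashCode() {
        return Objects.hash(fixedPrincipal, forwardBits, System.identityHashCode(forwardingDomain));
    }

    public static void main(String[] args) {
        Object localDomain = new Object(); // constructed stand-in for a security domain
        ForwardingConfigSketch base = of("trusted-peer-user"); // constructed principal name
        ForwardingConfigSketch runAs = base.forward(localDomain, FORWARD_AUTHZ);
        System.out.println("authz-only differs from base: " + !runAs.equals(base));
        System.out.println("cleared equals base: " + runAs.stopForwarding(FORWARD_AUTHZ).equals(base));
    }
}
```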