[OAK-9468] Define mechanism to prevent cross-IDP membership - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.42.0
Component/s: auth-external, security
Labels:
None

Description

while DefaultSyncContext verifies that external identities are not added as members of group defined by a different IDP, this can manually achieved in the repository's user management after a full sync.

therefore oak-auth-external should come with a mechanism to detect and prevent IDP-boundary violations. This could either be an AuthorizableActionProvider containing an implementation of GroupAction or a dedicated Validator implementation. For backwards compatibility an 'warnonly' option would allow to only log a warning instead of failing the operation.

Attachments

Activity

People

Assignee:: Angela Schreiber

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 17/Jun/21 06:23

Updated:: 12/Jan/22 13:44

Resolved:: 22/Jun/21 13:30