[ 
https://issues.apache.org/jira/browse/KNOX-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16270103#comment-16270103
 ] 

Larry McCay commented on KNOX-1119:
-----------------------------------

I have created a new revision of the patch that avoids an NPE when an invalid 
profile attribute is configured and logs the fact that it is invalid. I've also 
modified the existing test to set the attribute_id param. 

Should really revisit this area to extend testing.


> Pac4J OAuth/OpenID Principal Needs to be Configurable
> -----------------------------------------------------
>
>                 Key: KNOX-1119
>                 URL: https://issues.apache.org/jira/browse/KNOX-1119
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxSSO
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Blocker
>             Fix For: 0.14.0
>
>         Attachments: Add_configurable_id_attribute_to_pac4j_filter_.patch, 
> KNOX-1119-001.patch, KNOX-1119-002.patch
>
>
> Currently, the Pac4JIdentityAdapter blindly accepts the subject of the 
> returned UserProfile which isn't directly usable in the Hadoop operating 
> environment. We need to be able to resolve it to an actual username.
> It seems that we could take two different approaches for this. 
> 1. Add a param to the pac4j provider to indicate the UserProfile attribute to 
> use as the PrimaryPrincipal
> 2. Add a new identity assertion provider that can decrypt the 
> pac4jUserProfile cookie and extract the configured attribute.
> I lean towards #1 above so that identity assertion providers could be used to 
> munge the extracted attribute in interesting ways.
> There was some discussion of this [1] back in 0.8.0 and we never really 
> circled back to it. 
> [~jleleu] - Am I missing anything that is already in place for this?
> [1] http://mail-archives.apache.org/mod_mbox/knox-dev/201601.mbox/%3CCACRbFyitvZ72-oqu2triGmn%3DKhB8JE0pFONyFim63RKS4gZp0A%40mail.gmail.com%3E



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
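
The null-safe attribute lookup that approach #1 and the comment above describe, as an added example that is not the attached patch or Knox code. The class and method names, the Map standing in for the pac4j UserProfile, and the choice to fall back to the subject when the attribute is missing are assumptions.

```java
import java.util.Map;
import java.util.logging.Logger;

/** Added illustration; all names here are hypothetical, not Knox or pac4j code. */
public class PrincipalResolver {
    private static final Logger LOG = Logger.getLogger(PrincipalResolver.class.getName());

    /**
     * @param subject     subject/id of the profile returned by the identity provider
     * @param attributes  profile attributes (a Map standing in for the UserProfile)
     * @param idAttribute configured attribute name, or null when none is configured
     * @return the name to use as the primary principal
     */
    static String resolve(String subject, Map<String, Object> attributes, String idAttribute) {
        if (idAttribute == null || idAttribute.trim().isEmpty()) {
            return subject; // nothing configured: keep the profile subject
        }
        Object value = (attributes == null) ? null : attributes.get(idAttribute);
        if (value == null) {
            // Dereferencing value here without this check is where an NPE would occur.
            LOG.warning("Configured id attribute '" + idAttribute
                    + "' is not present in the profile; using the subject instead");
            return subject; // assumption: fall back rather than reject the login
        }
        String name = value.toString().trim();
        if (name.isEmpty()) {
            LOG.warning("Configured id attribute '" + idAttribute + "' is empty; using the subject instead");
            return subject;
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample profile: an opaque subject plus two attributes.
        String subject = "109876543210";
        Map<String, Object> attrs = Map.of(
                "email", "alice@example.org",
                "preferred_username", "alice");

        System.out.println(resolve(subject, attrs, "preferred_username")); // attribute found
        System.out.println(resolve(subject, attrs, "no_such_attribute"));  // invalid attribute, logged
        System.out.println(resolve(subject, attrs, null));                 // not configured
    }
}
```

Whether a missing attribute should fall back to the subject or fail the request is a deployment decision; a topology that maps principals to local accounts may prefer to reject.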
