angela created OAK-4087:
---------------------------

             Summary: Replace Sync of configured AutoMembership by Dynamic Principal Generation
                 Key: OAK-4087
                 URL: https://issues.apache.org/jira/browse/OAK-4087
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: auth-external
            Reporter: angela


The {{DefaultSyncConfig}} comes with a configuration option 
{{PARAM_USER_AUTO_MEMBERSHIP}} indicating the set of groups a given external 
user must always become a member of upon sync into the repository.

This results in groups containing almost all users in the system (at least 
those synchronized from the external IDP). While this behavior is 
straightforward (and corresponds to the behavior in the previous crx version), it 
wouldn't be necessary from a repository point of view, as a given {{Subject}} 
can be populated from different principal sources and dealing with this kind of 
dynamic-auto-membership was a typical use-case.

What does that mean:
Instead of performing the automembership on the user management, the external 
authentication setup could come with an auto-membership {{PrincipalProvider}} 
implementation that would expose the desired group membership for all external 
principals (assuming that they were identified as such).

[~tripod], do you remember if that was ever an option while building the 
{{oak-auth-external}} module? If not, could that be worth a second thought, also 
in the light of OAK-3933?




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
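
An added example, not code from Oak or from the issue above: it models the proposal by resolving the configured auto-membership groups at login time for principals marked as external, so the `Subject` carries the group principals without any group ever storing those users as members. The types `NamedPrincipal`, `MembershipSource` and `AutoMembershipSource`, the `external` flag and the group name are assumptions made for illustration; only `java.security.Principal` and `javax.security.auth.Subject` are real JDK types.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Hypothetical stand-alone model; none of the nested types are Oak classes.
public class DynamicAutoMembershipDemo {

    // Principal with a name and an "external" marker (assumed to be set by trusted sync code).
    record NamedPrincipal(String name, boolean external) implements Principal {
        @Override public String getName() { return name; }
    }

    // Stand-in for one principal source consulted while the Subject is built.
    interface MembershipSource {
        Set<Principal> getGroupMembership(Principal principal);
    }

    // Exposes the configured auto-membership groups on demand, for external principals only.
    static final class AutoMembershipSource implements MembershipSource {
        private final Set<String> autoMembership;

        AutoMembershipSource(Set<String> autoMembership) {
            this.autoMembership = Set.copyOf(autoMembership);
        }

        @Override public Set<Principal> getGroupMembership(Principal principal) {
            Set<Principal> groups = new LinkedHashSet<>();
            // Local (non-external) principals must not inherit the external auto-membership.
            if (principal instanceof NamedPrincipal p && p.external()) {
                for (String g : autoMembership) groups.add(new NamedPrincipal(g, false));
            }
            return groups;
        }
    }

    // Populates a read-only Subject from several sources; no group membership is persisted.
    static Subject populate(Principal user, List<MembershipSource> sources) {
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(user);
        for (MembershipSource s : sources) principals.addAll(s.getGroupMembership(user));
        return new Subject(true, principals, new HashSet<>(), new HashSet<>());
    }

    public static void main(String[] args) {
        // Constructed sample configuration and users.
        MembershipSource auto = new AutoMembershipSource(Set.of("all-external-users"));
        System.out.println(populate(new NamedPrincipal("ldap-user", true), List.of(auto)).getPrincipals());
        System.out.println(populate(new NamedPrincipal("local-user", false), List.of(auto)).getPrincipals());
    }
}
```

Because membership here depends entirely on the `external` marker, access granted to the auto-membership groups is only as trustworthy as the code that sets that marker.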
