[ https://issues.apache.org/jira/browse/OAK-6144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16006126#comment-16006126 ]

angela commented on OAK-6144:
-----------------------------

[~baedke], [~tripod], [~alex.parvulescu] on a second thought I even have more 
questions to clarify:

- is there a similarity between {{ExternalIdentity.isActive()}} and 
{{User.isDisabled()}}? this also goes in the direction wrt clarifying what 
'active' really means. Somehow I get the impression that it has pretty much the 
same intention: the identity exists but is disabled, which prevents sync and 
login
- and that leads me to the next question: should login with a non-active 
external identity really succeed (irrespective of the sync)? I doubt that... 
(see also comment above wrt sync during login). so, I would like to 
additionally clarify if this feature is a way to mark external identities as 
'disabled'. if it does, I would suggest to use the same naming of the method. 
If it doesn't I would like us to discuss the distinction.
- and in that same context: is that new flag intended to be used both for 
external users and external groups? and is it really sensible for groups? in 
case it applies for groups as well, more work is needed to define the expected 
behavior with the dynamic membership feature. also I would like to see specific 
tests for groups then and the impact it has when synchronizing individual users.
- and in the same direction: would it make sense to disable synced users once 
the external identity becomes inactive? currently they are just not synced 
during {{SynchronizationMBean.syncAllUsers}} but the repository content is not 
updated to reflect this... depending on the actual meaning of 'active' this may 
lead to the situation that an 'inactive' user can still login to the repository 
with his/her login tokens despite the fact that it has been forced-sync and 
thus has been identified to be no longer active.
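The last point above, that a synced user should be disabled locally once its external identity reports inactive instead of merely being skipped during sync, as an added example that is not code from the Oak project or from this thread. It assumes the {{ExternalIdentity.isActive()}} method proposed in this issue exists, that the default sync stored the external reference on the user under {{rep:externalId}} in the usual {{id;providerName}} form, and uses a hypothetical class {{InactiveIdentitySync}} of my own; everything else is the public Jackrabbit/Oak API.

```java
import java.util.Iterator;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;

/**
 * Hypothetical helper (not part of Oak): walks all synced users of one IDP and
 * disables those whose external identity is still resolvable but no longer active.
 * Orphans (reference no longer resolvable) are deliberately left alone here, since
 * that case belongs to purgeOrphanedUsers() as discussed in the issue.
 */
public final class InactiveIdentitySync {

    /** Property the default sync writes on synced authorizables; value is "id;providerName". */
    private static final String REP_EXTERNAL_ID = "rep:externalId";

    private InactiveIdentitySync() {}

    /**
     * @return number of users that were newly disabled by this run
     */
    public static int disableInactiveUsers(UserManager userManager, ExternalIdentityProvider idp)
            throws RepositoryException {
        int newlyDisabled = 0;
        // All users carrying a rep:externalId property, regardless of value.
        Iterator<Authorizable> synced =
                userManager.findAuthorizables(REP_EXTERNAL_ID, null, UserManager.SEARCH_TYPE_USER);
        while (synced.hasNext()) {
            Authorizable a = synced.next();
            if (a.isGroup()) {
                continue; // groups are out of scope until their 'active' semantics are defined
            }
            User user = (User) a;
            Value[] extId = user.getProperty(REP_EXTERNAL_ID);
            if (extId == null || extId.length == 0) {
                continue;
            }
            ExternalIdentityRef ref = ExternalIdentityRef.fromString(extId[0].getString());
            if (!idp.getName().equals(ref.getProviderName())) {
                continue; // synced from a different provider; not ours to judge
            }
            ExternalIdentity identity;
            try {
                identity = idp.getIdentity(ref);
            } catch (ExternalIdentityException e) {
                // Provider unreachable: do not change local state on an unknown answer.
                continue;
            }
            if (identity == null) {
                continue; // orphan, handled elsewhere
            }
            // isActive() is the method proposed in OAK-6144 (assumed here).
            if (!identity.isActive() && !user.isDisabled()) {
                user.disable("External identity reported inactive by IDP '" + idp.getName() + "'");
                newlyDisabled++;
            }
        }
        return newlyDisabled;
    }
}
```

The reason the result is recorded with {{User.disable(String)}} rather than by deleting or simply skipping the user is that the repository then carries the same information the IDP does, and {{User.isDisabled()}} (with {{getDisabledReason()}}) can be checked by whatever login path is in use; a forced sync that only skips the user leaves the local state unchanged, which is exactly the gap described above. The caller is expected to save the session afterwards, as with any other user-management change.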

> ExternalIdentity should have a method indicating if an identity is actually 
> active
> ----------------------------------------------------------------------------------
>
>                 Key: OAK-6144
>                 URL: https://issues.apache.org/jira/browse/OAK-6144
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: auth-external
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>         Attachments: oak-6144-1.patch
>
>
> The interface ExternalIdentityProvider currently offers the method 
> getIdentity(ExternalIdentityRef) to resolve a reference to an external 
> Identity, but there is no way to tell if the external identity is considered 
> active by the identity provider. The ability to resolve the reference doesn't 
> mean that the resulting identity may actually be used for authentication or 
> authorization.
> If ExternalIdentity isn't able to express this difference, it's hard to come 
> up with a sensible implementation of e.g. 
> SynchronizationMBean#purgeOrphanedUsers(), because the ability to resolve a 
> reference to an external identity doesn't mean that the corresponding Oak 
> user is still valid.
> A new method ExternalIdentity#isActive() would allow us to clearly define the 
> notion of an "orphaned user".



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)