[ 
https://issues.apache.org/jira/browse/OAK-6144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029518#comment-16029518
 ] 

Manfred Baedke commented on OAK-6144:
-------------------------------------

Yes [~angela], the whole point is that "consumers should treat inactivity of an 
identity like they are currently treating absence of an identity, and they 
should treat activity like they are currently treating presence. But it's just 
a hint by the IDP which can be ignored without breaking the contract." (quote 
from 
https://issues.apache.org/jira/browse/OAK-6144?focusedCommentId=16006485&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16006485).
Of course, consumers under our control, like DynamicSyncContext and 
DefaultSyncContext, should do just that.

> ExternalIdentity should have a method indicating if an identity is actually 
> active
> ----------------------------------------------------------------------------------
>
>                 Key: OAK-6144
>                 URL: https://issues.apache.org/jira/browse/OAK-6144
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: auth-external
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>         Attachments: oak-6144-1.patch
>
>
> The interface ExternalIdentityProvider currently offers the method 
> getIdentity(ExternalIdentityRef) to resolve a reference to an external 
> Identity, but there is no way to tell if the external identity is considered 
> active by the identity provider. The ability to resolve the reference doesn't 
> mean that the resulting identity may actually be used for authentication or 
> authorization.
> If ExternalIdentity isn't able to express this difference, it's hard to come 
> up with a sensible implementation of e.g. 
> SynchronizationMBean#purgeOrphanedUsers(), because the ability to resolve a 
> reference to an external identity doesn't mean that the corresponding Oak 
> user is still valid.
> A new method ExternalIdentity#isActive() would allow us to clearly define the 
> notion of an "orphaned user".



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
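
An added illustration (not part of the JIRA comment, the attached patch, or Oak's code base) of the consumer rule discussed above: an identity that resolves but is inactive is handled exactly like one that no longer resolves. The types Identity, SimpleIdentity and Provider are hypothetical stand-ins for ExternalIdentity and ExternalIdentityProvider; only the isActive() name comes from the issue.

```java
import java.util.*;

// Stand-in types for illustration only; they are NOT Oak's real interfaces.
public class OrphanCheckExample {
    interface Identity {
        String id();
        // The proposed hint. Defaulting to true keeps identity implementations
        // that know nothing about activity behaving as before.
        default boolean isActive() { return true; }
    }

    record SimpleIdentity(String id, boolean active) implements Identity {
        @Override public boolean isActive() { return active; }
    }

    interface Provider {
        // Returns null when the reference cannot be resolved (assumption of this sketch).
        Identity getIdentity(String ref);
    }

    // A synced user is orphaned if its reference no longer resolves OR the
    // resolved identity is inactive: inactivity is treated like absence.
    static boolean isOrphaned(Provider idp, String ref) {
        Identity identity = idp.getIdentity(ref);
        return identity == null || !identity.isActive();
    }

    // Collects the references a purge job would act on.
    static List<String> findOrphans(Provider idp, Collection<String> syncedRefs) {
        List<String> orphans = new ArrayList<>();
        for (String ref : syncedRefs) {
            if (isOrphaned(idp, ref)) {
                orphans.add(ref);
            }
        }
        return orphans;
    }

    public static void main(String[] args) {
        // Constructed sample directory: alice is active, bob is disabled at the
        // IDP but still resolvable, carol has been deleted.
        Map<String, Identity> directory = Map.of(
            "alice", new SimpleIdentity("alice", true),
            "bob", new SimpleIdentity("bob", false));
        Provider idp = directory::get;
        System.out.println(findOrphans(idp, List.of("alice", "bob", "carol")));
    }
}
```

A check that only tests for a null result would keep bob's local user valid even though the identity provider has disabled the account.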
