Angela Schreiber created OAK-9468:
-------------------------------------

Summary: Define mechanism to prevent cross-IDP membership
Key: OAK-9468
URL: https://issues.apache.org/jira/browse/OAK-9468
Project: Jackrabbit Oak
Issue Type: Improvement
Components: auth-external, security
Reporter: Angela Schreiber
Assignee: Angela Schreiber

While {{DefaultSyncContext}} verifies that external identities are not added as members of a group defined by a different IDP, this can be manually achieved in the repository's user management after a full sync. Therefore _oak-auth-external_ should come with a mechanism to detect and prevent IDP-boundary violations. This could either be an {{AuthorizableActionProvider}} containing an implementation of {{GroupAction}} or a dedicated {{Validator}} implementation.

For backwards compatibility a 'warnonly' option would make it possible to only log a warning instead of failing the operation.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
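
A small model of the membership check the issue describes, added here as an illustration; it is not code from Oak or from the issue. The `Authorizable` class, the `identityId;idpName` reference format and the `warn_only` flag are assumptions made for the example.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("idp_boundary")


class CrossIdpMembershipError(Exception):
    """Raised when an external identity would join a group of another IDP."""


@dataclass(frozen=True)
class Authorizable:
    # Hypothetical stand-in for a repository user or group.
    id: str
    # Assumed format "identityId;idpName"; None marks a local authorizable.
    external_ref: Optional[str] = None


def idp_name(a: Authorizable) -> Optional[str]:
    """Return the IDP that defined `a`, or None for a local authorizable."""
    if a.external_ref is None:
        return None
    identity, sep, idp = a.external_ref.rpartition(";")
    if not sep or not identity or not idp:
        # Fail closed: an unparsable reference must not bypass the check.
        raise ValueError(f"malformed external reference on {a.id!r}")
    return idp


def check_member_added(group: Authorizable, member: Authorizable,
                       warn_only: bool = False) -> bool:
    """True if adding `member` to `group` respects the IDP boundary.

    Only the case named in the issue is a violation: an external member
    added to a group defined by a different IDP. Local groups and local
    members are not constrained here.
    """
    group_idp, member_idp = idp_name(group), idp_name(member)
    if group_idp is None or member_idp is None or group_idp == member_idp:
        return True
    msg = (f"IDP-boundary violation: {member.id!r} ({member_idp}) "
           f"added to group {group.id!r} ({group_idp})")
    if warn_only:
        log.warning(msg)  # backwards-compatible mode: report, do not block
        return False
    raise CrossIdpMembershipError(msg)
```

With `warn_only=False` the caller is expected to abort the pending change when the exception is raised; with `warn_only=True` the return value lets it count violations without blocking.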