
fix: publish an external group auth event only with registered IDPs #2941

Merged

Conversation

mikeroda
Contributor

When authenticating a user with external OAuth, only publish the ExternalGroupAuthorizationEvent for registered IDPs, thereby skipping the event if authentication is through UAA itself, such as when using the JWT bearer token grant. Without this fix, the event is published every time you use the JWT bearer token grant.

When authenticating a user with oauth, only publish the external
group event for registered IDPs, thereby skipping the event if
authentication is through uaa itself, such as when using the
JWT bearer token grant.

Change-Id: Ie62720a4f0d8933e35fe4d46921fd9b5b1293d58
@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187837610

The labels on this github issue will be updated when the story is started.

@strehle
Member

strehle commented Jun 24, 2024

@peterhaochen47
Member

peterhaochen47 commented Jun 26, 2024

skipping the event if authentication is through UAA itself, such as when using the JWT bearer token grant

Hi @mikeroda, correct me if I'm wrong: After this PR, when the JWT bearer grant is invoked when the request param assertion is an external IDP token, the ExternalGroupAuthorizationEvent will still be published. This PR just skips the event when the JWT bearer grant's request assertion is a UAA internal token.

@@ -908,6 +909,37 @@ void updateShadowUser_IfAlreadyExists() {
assertEquals(OriginKeys.UAA, uaaUser.getZoneId());
}

@Test
void publishExternalGroupAuthorizationEvent_skippedIf_isRegisteredIdpAuthentication() {
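Review bot: the name on the `@Test` line is inverted relative to the fix it covers: the event is skipped when the authentication is not through a registered IdP (the JWT bearer grant with a UAA-issued assertion), not when it is, so `publishExternalGroupAuthorizationEvent_skippedIf_isRegisteredIdpAuthentication` should become something like `publishExternalGroupAuthorizationEvent_skippedIf_notRegisteredIdpAuthentication`; a companion test asserting that the event is still published when the assertion comes from an external IdP would pin down both halves of the behaviour described in the PR.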
Member


publishExternalGroupAuthorizationEvent_skippedIf_isRegisteredIdpAuthentication

I thought this PR skips if it's not a "registered Idp Authentication"?

Contributor Author


Yes you're right. The method name is backwards. I'll fix it.

@mikeroda
Contributor Author

skipping the event if authentication is through UAA itself, such as when using the JWT bearer token grant

Hi @mikeroda, correct me if I'm wrong: After this PR, when the JWT bearer grant is invoked when the request param assertion is an external IDP token, the ExternalGroupAuthorizationEvent will still be published. This PR just skips the event when the JWT bearer grant's request assertion is a UAA internal token.

@peterhaochen47, that's correct.

Change-Id: I19f435d622afc3858d72500ca89b5ad9a3c84aee
@peterhaochen47 peterhaochen47 requested a review from a team June 26, 2024 01:30
@peterhaochen47 peterhaochen47 merged commit 1308dde into cloudfoundry:develop Jun 26, 2024
22 checks passed