missing username in oidc intercept


missing username in oidc intercept

Jim Fox

We have a very simple intercept class that includes this:

   public boolean testSlack(@Nullable final ProfileRequestContext input) {
         username = usernameLookupStrategy.apply(input);
         return username != null;
   }

where the usernameLookupStrategy is the CanonicalUsernameLookupStrategy

It works fine with SAML logins, but always returns null when activated
during an OIDC login.

Does the oidc plugin require a different lookup class?

Thanks,

Jim

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: missing username in oidc intercept

Cantor, Scott E.
On 11/14/19, 3:40 PM, "users on behalf of Jim Fox" <[hidden email] on behalf of [hidden email]> wrote:

> where the usernameLookupStrategy is the CanonicalUsernameLookupStrategy

You shouldn't use that function; the proper place to get the username once authentication is done is the SubjectContext (child of PRC).

If you want to parameterize the logic, the best default is a composition of net.shibboleth.idp.authn.context.navigate.SubjectContextPrincipalLookupFunction with ChildContextLookup<>(SubjectContext.class).

> It works fine with SAML logins, but always returns null when activated
> during an OIDC login.

That may be, and probably is, a sign of a bug, but the best fix is the above. Once the login is complete, the SubjectContext is gospel for that request by design.

The one you're using is more of a "mid-login" way to get the "best" guess as to the currently assumed value to use for cross-factor situations.

-- Scott


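As an added example (not Jim's class and not code shipped with the IdP or the OIDC plugin), here is the intercept condition rewritten to take the username from the SubjectContext through the composition Scott describes. It assumes IdP 4 / OpenSAML 4, where ChildContextLookup and SubjectContextPrincipalLookupFunction implement java.util.function.Function; the class name and the setter are my own choices.

```java
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;

import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;

import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.authn.context.navigate.SubjectContextPrincipalLookupFunction;

/**
 * Post-authentication intercept condition (hypothetical class, not shipped with
 * the IdP) that reads the username from the SubjectContext, which the IdP
 * populates once login completes, for SAML and OIDC profile flows alike.
 */
public class PostAuthnUsernameCondition implements Predicate<ProfileRequestContext> {

    /** Finds the SubjectContext beneath the ProfileRequestContext. */
    private final Function<ProfileRequestContext, SubjectContext> subjectContextLookup =
            new ChildContextLookup<>(SubjectContext.class);

    /** Reads the principal name held by a SubjectContext. */
    private final Function<SubjectContext, String> principalLookup =
            new SubjectContextPrincipalLookupFunction();

    /** Default strategy: the composition of the two lookups above. */
    @Nonnull private Function<ProfileRequestContext, String> usernameLookupStrategy =
            prc -> {
                final SubjectContext sc = subjectContextLookup.apply(prc);
                return sc == null ? null : principalLookup.apply(sc);
            };

    /** Lets Spring config swap in another lookup (assumed setter, not an IdP API). */
    public void setUsernameLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, String> strategy) {
        usernameLookupStrategy = strategy;
    }

    @Override
    public boolean test(@Nullable final ProfileRequestContext input) {
        if (input == null) {
            return false;
        }
        final String username = usernameLookupStrategy.apply(input);
        // Fail closed: with no authenticated subject there is nothing to act on.
        return username != null && !username.isEmpty();
    }
}
```

Because the SubjectContext is only populated after login completes, this condition belongs in a post-authentication intercept; in a mid-login intercept it will return false just as the canonical-username lookup returned null for Jim.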

Re: missing username in oidc intercept

Jim Fox

>> where the usernameLookupStrategy is the CanonicalUsernameLookupStrategy
>
> You shouldn't use that function, the proper place to get the username once authentication is done is the SubjectContext (child of PRC).
>

That works. Thanks. If I should have known, where would I have found out?

Jim

Re: missing username in oidc intercept

Cantor, Scott E.
On 11/14/19, 4:52 PM, "users on behalf of Jim Fox" <[hidden email] on behalf of [hidden email]> wrote:

> That works. Thanks.    If I should have known, where would I have found out?

The only real documentation on this is in [1] and while it documents the state of the tree for this kind of intercept, it doesn't exactly spell out anything about what's in them.

If you click on SubjectContext in the block diagram, the javadoc is fairly precise about the meaning.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP30/ProfileHandling#ProfileHandling-Post-AuthenticationInterceptContract

