Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0 #13569

Closed
jvanhill opened this issue Aug 19, 2020 · 1 comment · Fixed by #13570 or #13617
Labels
release bug This bug is present in a released version of Open Liberty release:200010 team:Wendigo East

jvanhill commented Aug 19, 2020

SCIM returns inconsistent results when the ignoreCaseForAuthentication attribute for basicRegistry is set to true.

For reference, the following basic registry configuration:

```xml
<basicRegistry realm="BasicRealm" ignoreCaseForAuthentication="true">
  <user name="scimUser" password="password"/>
  <group name="scimGroup">
    <member name="scimUser"/>
  </group>
</basicRegistry>
```

Take two similar requests below, the first searching scimUser (matching the case in the configuration) and the second searching for scimuser. Both calls return results that match the case sent on the search (i.e. id, userName, displayName, location). Additionally, the second search does not return the groups.

```
bash$ curl -sk -u "scimuser:password" https://localhost:9443/ibm/api/scim/Users/scimUser?attributes=id,userName,displayName,emails,groups | json_reformat 
{
    "id": "scimUser",
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "userName": "scimUser",
    "displayName": "scimUser",
    "externalId": null,
    "groups": [
        {
            "value": "scimGroup",
            "display": "scimGroup"
        }
    ],
    "meta": {
        "location": "https://localhost:9443/ibm/api/scim/Users/scimUser"
    }
}
```

```
bash$ curl -sk -u "scimuser:password" https://localhost:9443/ibm/api/scim/Users/scimuser?attributes=id,userName,displayName,emails,groups | json_reformat 
{
    "id": "scimuser",
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "userName": "scimuser",
    "displayName": "scimuser",
    "externalId": null,
    "meta": {
        "location": "https://localhost:9443/ibm/api/scim/Users/scimuser"
    }
}
```

The error is due to URBridge logic in federated repositories. It searches for the user in the federated basic registry, and since ignore case is turned on for authentication, the user is found. However, federated repositories URBridge doesn't use the security name passed back by the registry and instead uses the security name passed in to populate the results. It also uses the security name passed in to search for groups, which is not affected by the ignoreCaseForAuthentication configuration attribute.

The URBridge logic was updated to populate the entity from the registry. It will also use the security name returned from the registry to perform the group search so that groups will be returned.
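
The following is an added illustration, not code from Open Liberty or from this issue: a small Java model of the lookup described above, showing the caller-supplied name being echoed back (before) versus the registry's returned security name being used for both the entity and the group search (after). The class name, method names and in-memory registry are hypothetical; the user and group values are constructed from the configuration shown in the issue.

```java
import java.util.*;

// Hypothetical model of the behaviour described in this issue; not Open Liberty code.
public class CanonicalNameLookup {
    // Constructed data mirroring the basicRegistry configuration in the issue.
    static final Set<String> USERS = Set.of("scimUser");
    static final Map<String, Set<String>> GROUP_MEMBERS = Map.of("scimGroup", Set.of("scimUser"));
    static final boolean IGNORE_CASE = true; // ignoreCaseForAuthentication="true"

    // Registry lookup: returns the security name as stored, or null if no user matches.
    static String registrySecurityName(String input) {
        for (String u : USERS)
            if (IGNORE_CASE ? u.equalsIgnoreCase(input) : u.equals(input)) return u;
        return null;
    }

    // Group search matches member names exactly; the ignore-case setting does not apply here.
    static List<String> groupsFor(String securityName) {
        List<String> out = new ArrayList<>();
        GROUP_MEMBERS.forEach((g, members) -> { if (members.contains(securityName)) out.add(g); });
        return out;
    }

    // Before: the entity and the group search both use the name the caller passed in.
    static Map<String, Object> lookupBefore(String requested) {
        if (registrySecurityName(requested) == null) return null;
        return entity(requested, groupsFor(requested));
    }

    // After: the entity and the group search both use the name the registry returned.
    static Map<String, Object> lookupAfter(String requested) {
        String canonical = registrySecurityName(requested);
        if (canonical == null) return null;
        return entity(canonical, groupsFor(canonical));
    }

    static Map<String, Object> entity(String name, List<String> groups) {
        Map<String, Object> e = new LinkedHashMap<>();
        e.put("id", name);
        e.put("userName", name);
        e.put("groups", groups);
        return e;
    }

    public static void main(String[] args) {
        // Same user requested with different casing; only "after" is stable across requests.
        for (String req : List.of("scimUser", "scimuser", "SCIMUSER"))
            System.out.println(req + " before=" + lookupBefore(req) + " after=" + lookupAfter(req));
    }
}
```

Any consumer that keys records on `id` or makes decisions from `groups` sees one stable identity only in the "after" form.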

@jvanhill jvanhill self-assigned this Aug 19, 2020
@jvanhill jvanhill added the release bug This bug is present in a released version of Open Liberty label Aug 19, 2020
@jvanhill jvanhill changed the title Federated basicRegistry returns inconsistent results for case insensitive searches in scim-1.0 Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0 Aug 19, 2020
@jvanhill
Contributor Author

Re-opening as PR #13570 got reverted.
