[management] OAuth2AuthenticationResource doesn't distinguish users by source #1486

Closed
briankrug opened this Issue Sep 7, 2018 · 2 comments


briankrug commented Sep 7, 2018

If I define a user in the in-memory security provider and I also have an oauth2 security provider that has a user with the same username, when the oauth2 user logs into the Management UI, it may be matched with the wrong user id.

Expected Behavior

OAuth2AuthenticationResource (and all security providers) should look for a matching user by username and source (and not just by username).

Current Behavior

The wrong user may be picked (user from a different source).

Possible Solution

The method UserService.findByUsername should be changed to include an additional source parameter and this new signature should be used throughout.
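An added illustration of the collision described in the issue above; it is not part of the original post and not the project's code. `UserDirectory`, `User`, the source names `memory`, `oauth2` and `ldap`, and the sample accounts are hypothetical and constructed for the example.

```java
import java.util.*;

// Added illustration. UserDirectory, User and the sample accounts are hypothetical;
// this is not the project's UserService.
public class SourceScopedLookup {
    record User(String id, String source, String username) {}

    static class UserDirectory {
        private final List<User> users = new ArrayList<>();

        // Reject a second account with the same (source, username) pair; the same
        // username under a different source is a distinct identity and is allowed.
        void add(User u) {
            if (findByUsername(u.source(), u.username()).isPresent())
                throw new IllegalArgumentException("duplicate " + u.source() + "/" + u.username());
            users.add(u);
        }

        // Username-only lookup: first match wins, whichever provider owns it.
        Optional<User> findByUsername(String username) {
            return users.stream().filter(u -> u.username().equals(username)).findFirst();
        }

        // Source-scoped lookup: the identity key is the (source, username) pair.
        Optional<User> findByUsername(String source, String username) {
            return users.stream()
                    .filter(u -> u.source().equals(source) && u.username().equals(username))
                    .findFirst();
        }
    }

    public static void main(String[] args) {
        UserDirectory dir = new UserDirectory();
        // Constructed sample data: one username defined by two providers.
        dir.add(new User("id-1", "memory", "admin"));
        dir.add(new User("id-2", "oauth2", "admin"));

        // An OAuth2 login resolved by username alone lands on the in-memory account.
        User byName = dir.findByUsername("admin").orElseThrow();
        System.out.println("username only     -> " + byName.id() + " (" + byName.source() + ")");

        // The same login resolved with its source gets the OAuth2 account.
        User scoped = dir.findByUsername("oauth2", "admin").orElseThrow();
        System.out.println("source + username -> " + scoped.id() + " (" + scoped.source() + ")");

        // A source that has no such user yields no match rather than another provider's user.
        System.out.println("unknown source    -> " + dir.findByUsername("ldap", "admin").isPresent());
    }
}
```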

brasseld commented Sep 7, 2018

Good catch! 👍

brasseld added this to the 1.21.0 milestone Oct 16, 2018

brasseld added the type: bug label Oct 16, 2018

brasseld self-assigned this Oct 16, 2018

brasseld changed the title from "OAuth2AuthenticationResource doesn't distinguish users by source" to "[management] OAuth2AuthenticationResource doesn't distinguish users by source" Oct 16, 2018

brasseld commented Nov 14, 2018

Will be closed by #1595
