[ https://issues.apache.org/jira/browse/FEDIZ-207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin updated FEDIZ-207:
-----------------------------------
    Attachment: fediz207.txt

This is a 1.4.x patch. Is there a reason it should only go to the master? I'm pretty sure the only custom FedizPrincipal impl that is really affected here is the test one in the core. The global logout needs to work in 1.4.x

> FedizPrincipal interface needs to have getId() method
> -----------------------------------------------------
>
>                 Key: FEDIZ-207
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-207
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP, Plugin
>            Reporter: Sergey Beryozkin
>         Attachments: fediz207.txt
>
>
> OIDC IDToken generates a random IdToken SubjectId value when it converts the
> values found in the FedizPrincipal's SAML token. The problem is that every
> time the user comes in a new subjectId is generated for the id token - while
> this value is actually expected to be identical for a given user.
> The immediate problem we face is that every client application gets an
> IdToken for a user 'alice' with a different subjectId; thus, during the
> global logout, it is impossible for each of these client applications to
> identify, from the logout token, which user to log out - because when OIDC
> LogoutService creates a logout token it uses FedizSubjectCreator to create a
> new IdToken with a newly generated subject id.
> One way to solve it is to start hacking a solution involving saving it in a
> session id and then take care of removing it from the session on the logout -
> but given that every Fediz plugin takes care of dealing with FedizPrincipal
> it is better to keep 'id' at the FedizPrincipal level.
> Updating the interface with getId() will only affect the plugins and not the
> user code. Each plugin will use UUID to generate it

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
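The logout mismatch described in the issue, as an added illustration that is not Fediz project code: a principal that carries one UUID-based id for its lifetime (the proposed FedizPrincipal.getId()), an issuer that derives the IdToken 'sub' from it, and a client that ends the right local session when a logout token arrives. The random-per-issuance variant is kept beside it to show why the logout token cannot be matched. All class names here (StablePrincipal, IdToken, ClientApp, the Principal stand-in interface) are hypothetical; only FedizPrincipal and getId() come from the issue.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example, not Fediz code. Only FedizPrincipal/getId() are taken from FEDIZ-207;
// every other type here is a hypothetical stand-in.
public class StableSubjectDemo {

    // Minimal stand-in for the FedizPrincipal interface with the proposed getId().
    interface Principal {
        String getName();
        String getId();
    }

    // The id is generated once, when the plugin builds the principal at login,
    // and stays fixed for as long as that principal exists.
    static final class StablePrincipal implements Principal {
        private final String name;
        private final String id = UUID.randomUUID().toString();

        StablePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String getId() { return id; }
    }

    // Just the two claims the logout matching depends on.
    static final class IdToken {
        final String sub;
        final String audience;
        IdToken(String sub, String audience) { this.sub = sub; this.audience = audience; }
    }

    // Before: a fresh subject id for every token, so a later logout token carries a
    // 'sub' no client has ever seen.
    static IdToken issueWithRandomSubject(Principal p, String audience) {
        return new IdToken(UUID.randomUUID().toString(), audience);
    }

    // After: the subject id comes from the principal, so the login token and the
    // logout token for the same user carry the same 'sub'.
    static IdToken issueWithPrincipalSubject(Principal p, String audience) {
        return new IdToken(p.getId(), audience);
    }

    // A client application that keys its local sessions by the token subject and,
    // on logout, removes the session whose subject matches the logout token.
    static final class ClientApp {
        private final Map<String, String> sessionsBySub = new HashMap<>();

        void login(IdToken t) {
            sessionsBySub.put(t.sub, t.audience + ":session-for-" + t.sub);
        }

        boolean logout(IdToken logoutToken) {
            return sessionsBySub.remove(logoutToken.sub) != null;
        }
    }

    public static void main(String[] args) {
        Principal alice = new StablePrincipal("alice");

        // Broken flow: each issuance invents a new 'sub', logout finds nothing to end.
        ClientApp app1 = new ClientApp();
        ClientApp app2 = new ClientApp();
        app1.login(issueWithRandomSubject(alice, "app1"));
        app2.login(issueWithRandomSubject(alice, "app2"));
        IdToken randomLogout = issueWithRandomSubject(alice, "logout");
        System.out.println("random sub  -> app1 logged out: " + app1.logout(randomLogout)
                + ", app2 logged out: " + app2.logout(randomLogout));

        // Fixed flow: 'sub' comes from the principal's stable id, logout matches both sessions.
        ClientApp app3 = new ClientApp();
        ClientApp app4 = new ClientApp();
        app3.login(issueWithPrincipalSubject(alice, "app3"));
        app4.login(issueWithPrincipalSubject(alice, "app4"));
        IdToken stableLogout = issueWithPrincipalSubject(alice, "logout");
        System.out.println("stable sub  -> app3 logged out: " + app3.logout(stableLogout)
                + ", app4 logged out: " + app4.logout(stableLogout));
    }
}
```

The design point is where the UUID is generated: in the principal's constructor, once per login, rather than in the token creator, once per token. Anything that keys on the subject (client session stores, the logout service) then agrees on the value without any extra session bookkeeping, which is the alternative the issue rejects.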