Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 1.4.11, 1.5.15
- Labels: None
Description
Since OAK-4224, the external IDP should be verified to be the same, but DefaultSyncContext.sync(ExternalIdentity) doesn't do that: it only looks at ExternalIdentityRef.getProviderName() and never at the rep:externalId of the (existing) authorizable, as DefaultSyncContext.sync(String) does.
The ExternalIdentity's provider will usually match the one from the context, so it is important to check against the existing local user's rep:externalId in case it was synced with a different IDP beforehand (as per the intention in OAK-4224, as far as I understand, and as done for group memberships in OAK-4397).
Assume there is
- a user with the authorizable id "frank"
- a rep:externalId with provider "alpha" or no such property (because locally created)
- a sync context using provider "beta"
Calling by id:
    context.sync("frank") => result has Status.FOREIGN
Calling by external id:
    ExternalIdentity externalId = ... // externalId.getId() => "frank"
                                     // externalId.getExternalId().getProviderName() => "beta"
    context.sync(externalId) => result has Status.UPDATE
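As an added illustration (not Oak's own code), a small Python model of the two entry points' decision logic: the reported sync(ExternalIdentity) behaviour next to a version that applies the rep:externalId check sync(String) already performs. The repository contents and the plain "id;provider" encoding of rep:externalId are simplified assumptions.

```python
from enum import Enum

class Status(Enum):
    ADD = "add"
    UPDATE = "update"
    FOREIGN = "foreign"
    NO_SUCH_AUTHORIZABLE = "no_such_authorizable"

# Constructed stand-in for the repository (authorizable id -> properties); rep:externalId
# is modelled as "<id>;<providerName>", without the real format's escaping of ';' and '%'.
REPO = {
    "frank": {"rep:externalId": "frank;alpha"},  # synced earlier from IDP "alpha"
    "local": {},                                  # created locally, no rep:externalId
    "grace": {"rep:externalId": "grace;beta"},    # synced from IDP "beta"
}

def provider_of(external_id):
    """Provider name encoded in a rep:externalId value, or None if absent."""
    if external_id is None or ";" not in external_id:
        return None
    return external_id.rsplit(";", 1)[1]

def sync_by_id(ctx_provider, auth_id, repo=REPO):
    """sync(String) as the description characterises it: an existing authorizable
    without rep:externalId, or with one naming another IDP, is FOREIGN."""
    existing = repo.get(auth_id)
    if existing is None:
        return Status.NO_SUCH_AUTHORIZABLE
    if provider_of(existing.get("rep:externalId")) != ctx_provider:
        return Status.FOREIGN
    return Status.UPDATE

def sync_external_identity_buggy(ctx_provider, ext_id, ext_provider, repo=REPO):
    """sync(ExternalIdentity) as reported: only the ref's provider is compared with
    the context's IDP; the existing authorizable's rep:externalId is never consulted."""
    if ext_provider != ctx_provider:
        return Status.FOREIGN
    return Status.UPDATE if ext_id in repo else Status.ADD

def sync_external_identity_fixed(ctx_provider, ext_id, ext_provider, repo=REPO):
    """Same entry point with the check that sync(String) already performs, so that a
    user owned by another IDP (or created locally) is not overwritten."""
    if ext_provider != ctx_provider:
        return Status.FOREIGN
    existing = repo.get(ext_id)
    if existing is None:
        return Status.ADD
    if provider_of(existing.get("rep:externalId")) != ctx_provider:
        return Status.FOREIGN
    return Status.UPDATE
```

With a context for provider "beta", the buggy path reports UPDATE for "frank" while the fixed path, like sync("frank"), reports FOREIGN.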