missing username in oidc intercept
Cantor, Scott
cantor.2 at osu.edu
Thu Nov 14 15:56:12 EST 2019
On 11/14/19, 3:40 PM, "users on behalf of Jim Fox" <users-bounces at shibboleth.net on behalf of fox at washington.edu> wrote:
> where the usernameLookupStrategy is the CanonicalUsernameLookupStrategy
You shouldn't use that function; the proper place to get the username once authentication is done is the SubjectContext (child of PRC).
If you want to parameterize the logic, the best default is a composition of net.shibboleth.idp.authn.context.navigate.SubjectContextPrincipalLookupFunction with ChildContextLookup<>(SubjectContext.class)
> It works fine with SAML logins, but always returns null when activated
> during an OIDC login.
That may be, and probably is, a sign of a bug, but the best fix is the above. Once the login is complete, the SubjectContext is gospel for that request by design.
The one you're using is more of a "mid-login" way to get the "best" guess as to the currently assumed value to use for cross-factor situations.
-- Scott
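The composition Scott describes, written out as an IdP Spring bean definition (an added example, not from the original message or the Shibboleth project; it assumes the IdP v3-style Guava Functions.compose convention for lookup functions, and the bean id is my own choice):

```xml
<!-- Added example: a reusable lookup strategy that resolves the authenticated
     username from the SubjectContext (a child of the ProfileRequestContext).
     Assumes an IdP v3-style Spring config where lookup functions are Guava
     Functions; the bean id "shibboleth.SubjectContextUsernameLookup" is an
     assumption, not a stock IdP bean. -->
<bean id="shibboleth.SubjectContextUsernameLookup"
      class="com.google.common.base.Functions" factory-method="compose">
    <!-- Argument order matters for Functions.compose(g, f): f runs first, then g.
         index 0 = g: SubjectContext -> principal name
         (null when no SubjectContext is passed in) -->
    <constructor-arg index="0">
        <bean class="net.shibboleth.idp.authn.context.navigate.SubjectContextPrincipalLookupFunction" />
    </constructor-arg>
    <!-- index 1 = f: ProfileRequestContext -> its SubjectContext child
         (null when no login has completed yet, so the strategy yields null
         rather than a mid-login guess) -->
    <constructor-arg index="1">
        <bean class="org.opensaml.messaging.context.navigate.ChildContextLookup">
            <constructor-arg value="net.shibboleth.idp.authn.context.SubjectContext" />
        </bean>
    </constructor-arg>
</bean>
```

Reference this bean wherever the component in question accepts a usernameLookupStrategy, in place of the CanonicalUsernameLookupStrategy.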