PaloAltoNetworks / a3s

Auth As A Service
Apache License 2.0

Fixed: Only populate issuer if one is found #64

Closed ericrpowers closed 2 years ago

ericrpowers commented 2 years ago

Description

When leveraging a3s as an auth source, I noticed that claims coming from the backend looked like this:

```json
"claims": [
  "@auth:account=account-837b0b8d-6a14-4cb8-a11d-97a03fafe6c6",
  "@auth:email=user@account-837b0b8d-6a14-4cb8-a11d-97a03fafe6c6.com",
  "@auth:id=6357a6d0a76fe8b13709d736",
  "@auth:organization=account-837b0b8d-6a14-4cb8-a11d-97a03fafe6c6",
  "@auth:realm=vince",
  "@auth:subject=account-837b0b8d-6a14-4cb8-a11d-97a03fafe6c6"
]
```

This caused an issue with the retrievemany filter for authorizations, as there was no issuer provided. To get it to work, the logic is now to populate the issuer if one is found, else skip adding it.

primalmotion commented 2 years ago

trustedissuer is necessary for federation. Accepting * or empty (in your case) could be potentially dangerous.
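The two behaviours discussed in this thread, side by side, as an added example that is not a3s's own code: the PR description's approach (add the issuer constraint only when an issuer claim is found, otherwise skip it) and the stricter alternative implied by the maintainer's reply (no issuer means no match, and `*` is never a wildcard). The `@auth:issuer=` claim key, the `Authorization` type with its `TrustedIssuers` list, and the sample claims and records are all assumptions for illustration; the claims quoted in the PR carry no issuer, which is exactly the case the example exercises.

```go
package main

import (
	"fmt"
	"strings"
)

// issuerClaimKey is an assumed claim key for this example. The claims quoted
// in the PR contain no issuer claim at all, which is the situation under test.
const issuerClaimKey = "@auth:issuer="

// Authorization is a hypothetical record carrying the trusted-issuer list a
// federated authorization would need. It is not a3s's own type.
type Authorization struct {
	Name           string
	TrustedIssuers []string
}

// IssuerFromClaims scans "@auth:key=value" claim strings and returns the issuer
// value. The second result is false when the claim is absent or empty.
func IssuerFromClaims(claims []string) (string, bool) {
	for _, c := range claims {
		if strings.HasPrefix(c, issuerClaimKey) {
			if v := strings.TrimPrefix(c, issuerClaimKey); v != "" {
				return v, true
			}
		}
	}
	return "", false
}

// trusts reports whether the authorization lists exactly this issuer. A "*"
// entry in TrustedIssuers is deliberately not treated as a wildcard.
func trusts(a Authorization, issuer string) bool {
	for _, t := range a.TrustedIssuers {
		if t == issuer && t != "*" {
			return true
		}
	}
	return false
}

// FilterPermissive mirrors the PR description: apply the issuer constraint only
// when an issuer was found, else skip it. With no issuer in the claims, every
// authorization matches regardless of its trusted issuers.
func FilterPermissive(auths []Authorization, claims []string) []Authorization {
	issuer, found := IssuerFromClaims(claims)
	var out []Authorization
	for _, a := range auths {
		if !found || trusts(a, issuer) {
			out = append(out, a)
		}
	}
	return out
}

// FilterStrict is the hardened variant: a missing issuer is an error rather
// than a wildcard, so nothing matches and the caller can reject the request.
func FilterStrict(auths []Authorization, claims []string) ([]Authorization, error) {
	issuer, found := IssuerFromClaims(claims)
	if !found {
		return nil, fmt.Errorf("claims carry no issuer; refusing to match authorizations")
	}
	var out []Authorization
	for _, a := range auths {
		if trusts(a, issuer) {
			out = append(out, a)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample data for the example; not from a real deployment.
	auths := []Authorization{
		{Name: "local", TrustedIssuers: []string{"https://a3s.example.internal"}},
		{Name: "partner", TrustedIssuers: []string{"https://idp.partner.example"}},
	}
	noIssuer := []string{"@auth:realm=vince", "@auth:subject=account-837b0b8d"}
	withIssuer := append(append([]string{}, noIssuer...), "@auth:issuer=https://a3s.example.internal")

	fmt.Println("permissive, no issuer:", len(FilterPermissive(auths, noIssuer)), "authorizations match")
	if _, err := FilterStrict(auths, noIssuer); err != nil {
		fmt.Println("strict, no issuer:", err)
	}
	strictHit, _ := FilterStrict(auths, withIssuer)
	fmt.Println("strict, with issuer:", len(strictHit), "authorization matches")
}
```

Running it shows why the maintainer objected: with the permissive filter, claims that carry no issuer match every authorization, including ones whose `TrustedIssuers` list names a different identity provider; the strict filter returns an error in that case and only matches on an exact issuer string.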