Closed apinder closed 6 years ago
I'm not sure they are; the first is just saying that we don't provide any operations to create/modify/etc. the roles. The second is saying that roles are optional and what to do about that.
I do agree, however, that your last sentence is correct: there is no way of determining whether roles are required or not. However, security systems should not report whether specific fields are missing or wrong during a login attempt (just that it failed), as this gives hints to attackers.
Actually, thinking about it, you can use the listRoles operation, which returns NULL if roles are not used.
The statements below from the requirements appear to be contradictory:
and these two:
To determine whether the roles are required by the system you need to know implementation details of a particular deployment; therefore the login service can never know whether or not roles are required unless we provide a way for the deployment to notify the login service of this.