
Add support for organizationNameKey for oauth token exchange

Open omgitstom opened this issue 8 years ago • 3 comments

https://stormpath.atlassian.net/browse/AM-3287

This issue will need to contemplate what was defined in the Spec as well: https://github.com/stormpath/stormpath-framework-spec/blob/master/multi-tenancy.md

omgitstom avatar Jun 29 '16 15:06 omgitstom

This feature must properly allow this scenario to succeed:

curl -X POST --data 'grant_type=password&username=myemail&password=mypass&organizationNameKey=fooOrg' -H 'Origin: http://fooOrg.localhost:8080' http://fooOrg.localhost:8080/oauth/token 

This must provide a token to work with organization fooOrg. All calls to barOrg should fail.

So,

curl -H "Authorization: Bearer eyJraWQiOiI1WDdI..." http://fooOrg.localhost:8080/someService 

should succeed, but

curl -H "Authorization: Bearer eyJraWQiOiI1WDdI..." http://barOrg.localhost:8092/someService

should fail

mrioan avatar Sep 07 '16 16:09 mrioan

Thanks for the info @mrioan, so we need to add a new filter or some kind of mechanism in the web tier that checks the org claim inside the access token against the resolved organization. And it should fail with a 401 if they don't match.

It should also fail for cookie based authentication not just bearer.

jarias avatar Sep 07 '16 16:09 jarias
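One way to implement the check described in the two comments above, as an added example that is not code from stormpath-sdk-java: a servlet filter that verifies the access token, reads its organization claim, and compares it with the organization resolved from the request host, rejecting both bearer and cookie requests with a 401 on mismatch. Assumptions: the claim is named "org", the organization name key is the first label of the Host header (fooOrg.localhost -> fooOrg), the cookie is named "access_token", and tokens are verified with the jjwt 0.x API using the key they were signed with.

```java
import io.jsonwebtoken.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.security.Key;

public class OrganizationClaimFilter implements Filter {
    private static final String ORG_CLAIM = "org";            // assumed claim name
    private static final String COOKIE_NAME = "access_token"; // assumed cookie name
    private final Key signingKey;                             // key the access tokens were signed with

    public OrganizationClaimFilter(Key signingKey) { this.signingKey = signingKey; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String resolvedOrg = resolveOrganization(request.getServerName());
        String tokenOrg = organizationOf(extractToken(request));
        // Reject when the token is missing or invalid, no organization resolves from the host,
        // or the two disagree. Host labels are case-insensitive, so compare them that way.
        if (resolvedOrg == null || tokenOrg == null || !resolvedOrg.equalsIgnoreCase(tokenOrg)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    // Bearer token from the Authorization header, else the access-token cookie, else null.
    static String extractToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) return header.substring(7).trim();
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        return null;
    }

    // fooOrg.localhost -> fooOrg; a host without a subdomain label resolves to no organization.
    static String resolveOrganization(String host) {
        int dot = host.indexOf('.');
        return dot > 0 ? host.substring(0, dot) : null;
    }

    // Verifies signature and expiry, then returns the org claim; null if the token is invalid or has none.
    private String organizationOf(String token) {
        if (token == null) return null;
        try {
            return Jwts.parser().setSigningKey(signingKey).parseClaimsJws(token).getBody().get(ORG_CLAIM, String.class);
        } catch (JwtException | IllegalArgumentException e) { return null; }
    }

    @Override public void init(FilterConfig config) {} @Override public void destroy() {}
}
```

With this filter in front of the protected resources, the fooOrg token in the scenario above passes on fooOrg.localhost and is rejected on barOrg.localhost, regardless of whether it arrives as a bearer header or a cookie.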

BTW, this feature should work the same way whether ID Site is enabled or not

mrioan avatar Sep 07 '16 17:09 mrioan