
Principal name and preferred_username conflict #319

Closed
sberyozkin opened this issue Jul 6, 2023 · 2 comments

@sberyozkin (Contributor)

@FroMage has noticed an obvious conflict in the JsonWebToken#getName() Java Docs, where preferred_username is mentioned as a fallback:

https://github.com/eclipse/microprofile-jwt-auth/blob/master/api/src/main/java/org/eclipse/microprofile/jwt/JsonWebToken.java#L40

(Also, that JavaDoc needs to be synced with the spec text which mentions sub as the final fallback).

However, the very same OIDC docs for preferred_username, to which MP JWT links, say:

The RP MUST NOT rely upon this value being unique

which conflicts with the "Returns the unique name of this principal." statement in the JsonWebToken#getName() Java Docs.

My proposal would be to deprecate preferred_username as a possible fallback from upn.

Or, given how long preferred_username has been around as a fallback from upn, instead fix the Java Docs to explain that the principal name is not guaranteed to be unique and advise users to get either the upn or sub claim directly.
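To make the uniqueness problem concrete, here is an added illustration (not code from the MP JWT project): a plain-Map reconstruction of the upn, then preferred_username, then sub fallback the issue describes, next to a lookup keyed on issuer and sub instead; the claim values are constructed.

```java
import java.util.Map;

public class PrincipalNameDemo {

    // Fallback order discussed in the issue: upn, then preferred_username, then sub.
    // Plain-Map reconstruction for illustration only; not the MP JWT project's own code.
    static String principalName(Map<String, String> claims) {
        String name = claims.get("upn");
        if (name == null) {
            name = claims.get("preferred_username");
        }
        if (name == null) {
            name = claims.get("sub");
        }
        return name;
    }

    // Defender-side alternative: key authorization state on the stable identifier
    // (issuer plus sub, which OIDC does guarantee to be unique per issuer) rather
    // than on the display-oriented principal name.
    static String stableIdentity(Map<String, String> claims) {
        String iss = claims.get("iss");
        String sub = claims.get("sub");
        if (iss == null || sub == null) {
            throw new IllegalArgumentException("token lacks iss or sub");
        }
        return iss + "|" + sub;
    }

    public static void main(String[] args) {
        // Constructed sample claim sets: two distinct subjects sharing a preferred_username.
        Map<String, String> first = Map.of(
            "iss", "https://issuer.example", "sub", "a1f3", "preferred_username", "alice");
        Map<String, String> second = Map.of(
            "iss", "https://issuer.example", "sub", "9c7e", "preferred_username", "alice");

        // With no upn claim, both tokens fall back to preferred_username and get the
        // same principal name, so any check keyed on getName() conflates them.
        System.out.println("principal names collide: "
            + principalName(first).equals(principalName(second)));

        // The issuer-scoped subject keeps the two subjects apart.
        System.out.println("stable identities collide: "
            + stableIdentity(first).equals(stableIdentity(second)));
    }
}
```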

@sberyozkin (Contributor, Author)

Given that JsonWebToken#getName is coming from Principal#getName, which does not have a uniqueness constraint, the simplest option may be to fix the JavaDocs so they do not require a unique name - it is impossible to enforce given that the preferred_username fallback exists. Removing it to enforce the uniqueness constraint does not seem reasonable, as it would change the message of Principal#getName.

@sberyozkin (Contributor, Author)

Marking it as resolved by #332 for now.
