eclipse/vorto

Merge the SuiteAuth and Bosch ID OAuth2 integrations


SuiteAuth uses Bosch ID behind the scenes (the opposite is however not true).

If we could manage to handle both SuiteAuth and Bosch ID users in the same way, especially with regard to persisting the same authentication provider upon sign-up, we would remove one major obstacle in considering same usernames with different authentication providers as different users.

This could pave the way to implement #2529 (designing a more robust authorization system that does not only use the username when performing authorization checks).

In turn, that would allow us to be ready to expand the list of supported authentication providers, e.g. by re-enabling Eclipse (see #2330 and #2530) as well as e.g. #2680.

After trying some code and evaluating with @kolotu again, we realize this cannot work, as the two providers actually direct the request to differently parametrized endpoints when it comes to authentication, and would not know which to choose if the two implementations were merged together.

In order to achieve the goal here (using composite username + authentication provider based authorization), we are better off implementing an exceptional behavior in the authorization, that would ignore the authentication provider as a relevant part of the composite ID only for Bosch OAuth providers, and enforce it for other providers (Eclipse, GitHub, etc.).

We could also experiment with persisting the same authentication provider string for Bosch ID and Suite Auth (for clarity purposes only) as a side-task.

I will close this task as unfeasible and create a new one for the required changes at authorization level instead.
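
Added example, not part of the issue thread and not Vorto's own code: a sketch of the composite username + authentication provider identity described above, where the provider is ignored only between the two Bosch OAuth providers and enforced for every other provider. The class name and the provider id strings are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;

// Hypothetical class; not taken from the Vorto code base.
public final class CompositeUserId {

    // Assumed provider ids for the two Bosch OAuth2 integrations.
    private static final Set<String> BOSCH_PROVIDERS =
        new HashSet<>(Arrays.asList("BOSCH-ID", "BOSCH-SUITE-AUTH"));

    // Lower case on purpose: provider ids are upper-cased below, so no
    // externally supplied provider string can ever equal this realm.
    private static final String BOSCH_REALM = "bosch-oauth";

    private final String username;
    private final String realm;

    public CompositeUserId(String username, String provider) {
        this.username = Objects.requireNonNull(username, "username");
        String p = Objects.requireNonNull(provider, "provider").toUpperCase(Locale.ROOT);
        // Both Bosch providers collapse into one realm, so the provider is not
        // a distinguishing part of the ID for them. Any other provider is its
        // own realm, so the provider is enforced there.
        this.realm = BOSCH_PROVIDERS.contains(p) ? BOSCH_REALM : p;
    }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof CompositeUserId)) return false;
        CompositeUserId other = (CompositeUserId) o;
        return username.equals(other.username) && realm.equals(other.realm);
    }

    @Override
    public int hashCode() {
        return Objects.hash(username, realm);
    }

    public static void main(String[] args) {
        CompositeUserId boschId = new CompositeUserId("alice", "BOSCH-ID");
        CompositeUserId suiteAuth = new CompositeUserId("alice", "BOSCH-SUITE-AUTH");
        CompositeUserId github = new CompositeUserId("alice", "GITHUB");
        // Bosch ID vs. SuiteAuth: provider ignored for the comparison.
        System.out.println(boschId.equals(suiteAuth));
        // Bosch ID vs. GitHub: provider enforced for the comparison.
        System.out.println(boschId.equals(github));
    }
}
```

Authorization checks that compare such an object instead of the bare username keep a GitHub "alice" from inheriting the permissions of a Bosch "alice", while SuiteAuth and Bosch ID sign-ins still resolve to one user.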