
Commit 543bc7c

Added: doc tweak related to impersonation issues when using API_BEARER_AUTH_USE_BUILTIN_USER_ON_ID_MATCH
1 parent 8601113 commit 543bc7c

File tree

1 file changed

+1
-1
lines changed

doc/sphinx-guides/source/installation/config.rst

Lines changed: 1 addition & 1 deletion
@@ -3750,7 +3750,7 @@ please find all known feature flags below. Any of these flags can be activated u
37503750
- Specifies that Terms of Service acceptance is handled by the IdP, eliminating the need to include ToS acceptance boolean parameter (termsAccepted) in the OIDC user registration request body. This feature only works when the feature flag ``api-bearer-auth`` is also enabled.
37513751
- ``Off``
37523752
* - api-bearer-auth-use-builtin-user-on-id-match
3753-
- Allows the use of a built-in user account when an identity match is found during API bearer authentication. This feature enables automatic association of an incoming IdP identity with an existing built-in user account, bypassing the need for additional user registration steps. This feature only works when the feature flag ``api-bearer-auth`` is also enabled. **Caution: Enabling this feature flag exposes the installation to potential user impersonation issues depending on the specifics of the IdP configured (For example, if it is configured such that an attacker can create a new account in the IdP, or configured social login account, matching a Dataverse built-in account).**
3753+
- Allows the use of a built-in user account when an identity match is found during API bearer authentication. This feature enables automatic association of an incoming IdP identity with an existing built-in user account, bypassing the need for additional user registration steps. This feature only works when the feature flag ``api-bearer-auth`` is also enabled. **Caution: Enabling this flag could result in impersonation risks if (and only if) used with a misconfigured IdP.**
37543754
- ``Off``
37553755
* - api-bearer-auth-use-shib-user-on-id-match
37563756
- Allows the use of a Shibboleth user account when an identity match is found during API bearer authentication. This feature enables automatic association of an incoming IdP identity with an existing Shibboleth user account, bypassing the need for additional user registration steps. This feature only works when the feature flag ``api-bearer-auth`` is also enabled. **Caution: Enabling this flag could result in impersonation risks if (and only if) used with a misconfigured IdP.**
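Review bot: the replacement caution on the `+` line drops the concrete scenario that made the risk understandable, and "if (and only if) used with a misconfigured IdP" is too strong a claim for the flag on its own. The removed line explained the actual condition: an attacker who can create a new account in the IdP, or a social login account, whose identity matches an existing Dataverse built-in account. An IdP that permits self-registration of arbitrary identities is often a deliberate policy choice rather than a misconfiguration, so an administrator reading only the new sentence may conclude the flag is safe when it is not. Suggest keeping the new, shorter wording (which matches the ``api-bearer-auth-use-shib-user-on-id-match`` entry below it) but retaining the example as a parenthetical, e.g. "**Caution: Enabling this flag could result in impersonation risks if the configured IdP allows an attacker to create an account (including a social login account) whose identity matches a Dataverse built-in account.**", and apply the same wording to the Shibboleth entry so the two cautions stay consistent.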

0 commit comments