Unless a provider is configured as an explicit outbound provider, propagation of security should not be enabled.
In other words - we need to have an explicit configuration for outbound security to work.
Now we add outbound by default, causing unintended propagation of the user's identity to third party services.
There are several ways to disable this, though maybe the default behavior should be not to propagate.
GoogleTokenProvider and HeaderAtnProvider both propagate automatically - this should be modified.
I think all providers should only propagate when an outbound target is defined in configuration. An outbound target can always have any host used to enable propagation to any outbound target.
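The default-deny behavior proposed in this thread, as an added sketch that is not the project's code or API: identity is attached to an outbound request only when an explicitly configured outbound target covers the destination host, and a `*` host opts in to any destination. All class, record and method names, hosts and the token are hypothetical and constructed for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Hypothetical model (not the project's API) of explicit outbound configuration.
public class OutboundPolicyExample {
    // One configured outbound target: a name plus the host patterns it covers.
    record OutboundTarget(String name, List<String> hosts) {
        boolean matches(String host) {
            for (String pattern : hosts) {
                if (pattern.equals("*")) return true;                 // explicit opt-in to any host
                if (pattern.startsWith("*.")                          // suffix wildcard, e.g. *.internal.example
                        && host.endsWith(pattern.substring(1))) return true;
                if (pattern.equalsIgnoreCase(host)) return true;      // exact host
            }
            return false;
        }
    }

    // A provider with zero targets never propagates: that is the safe default.
    record Provider(String name, List<OutboundTarget> targets) {
        Optional<OutboundTarget> targetFor(String host) {
            String h = host.toLowerCase(Locale.ROOT);
            return targets.stream().filter(t -> t.matches(h)).findFirst();
        }
    }

    // Returns the identity headers to add, or an empty map when nothing may be propagated.
    static Map<String, String> outboundHeaders(Provider p, String host, String token) {
        return p.targetFor(host)
                .map(t -> Map.of("Authorization", "Bearer " + token))
                .orElse(Map.of());
    }

    public static void main(String[] args) {
        String token = "constructed-sample-token"; // constructed value, not a real credential
        List<Provider> providers = List.of(
                new Provider("unconfigured", List.of()),
                new Provider("scoped", List.of(
                        new OutboundTarget("internal", List.of("*.internal.example")))),
                new Provider("any-host", List.of(
                        new OutboundTarget("all", List.of("*")))));
        for (Provider p : providers) {
            for (String host : List.of("billing.internal.example", "api.thirdparty.example")) {
                boolean sent = !outboundHeaders(p, host, token).isEmpty();
                System.out.printf("%-12s -> %-26s identity propagated: %b%n", p.name(), host, sent);
            }
        }
    }
}
```

Only the `any-host` provider sends the identity to `api.thirdparty.example`, and it does so because the configuration says so rather than by default.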