Type: New Feature
A common use case in web applications is that users log-in with their email address, which then becomes the user/caller principal once authenticated.
A user should be allowed to change her email address, but this is not easily supported by JASPIC, since this also requires a re-authentication, which on its turn likely needs the original credentials used for authentication (which a secure application of course does not store, so can not use for this case).
This means that a user either needs to provide these credentials together with the action of changing the email, which is not entirely user friendly in the first place. Those provided credentials may possibly not even be useable for programmatic re-authentication if the SAM that's used only supports asking them directly from the user.
Another option is to immediately log the user out after changing the email, which again is not really user friendly.
Something similar holds for roles; a user may obtain new roles during a session (for example by making a payment, or obtaining a reward for some online action, etc). Requiring the user to log-out and log-in again for the new role to take effect is not always desirable.
In order to support such use cases I'd like to propose that the possibility to handle changes to the authenticated identity without the need for a manual logout and login (re-authenticate) be added to JASPIC.
One possibility could be for a variant on HttpServletRequest#authenticate that takes one or more Callbacks, and the definition of several new Callbacks, e.g.
- AddGroupPrincipalCallback - Adds a new group/role to the authenticated identity
- RemoveGroupPrincipalCallback - Removed an existing group/role from the authenticated identity
- UpdateCallerPrincipalCallback - Updates the caller principal in the authenticated identity