Description
Limitation
If an organization deploys two DSF instances for two distinct organization roles (e.g. DIC and DMS) within the same parent organization using a distinct client certificate per instance, both DSF instances will allow Task resources to be created with a recipient role DIC or DMS since the organization has both roles. In addition, other organizations will also allow the creation of Task resources from both these DSF instances even if, for example, only DICs should be allowed.
To work around this limitation, two different organization identifiers need to be used (e.g. dic.test.org, dms.test.org) with DSF 1.x for these two instances of the same organization.
The implementation should be modified to correctly associate incoming requests with the roles of the specific DSF instance even if both instances use the same organization identifier.
Proposed Solution
By enabling the use of the thumbprint extension also on Endpoint resources, we could configure the allow-list for the following scenarios:
- Organization with single DSF instance and multiple roles in parent organization
  Client certificate thumbprint in organization resource, one Endpoint (without thumbprint or with one) and one OrganizationAffiliation resource.
- Organization with two DSF instances and distinct roles per instance in parent organization
  Both client certificate thumbprints in organization resource, two Endpoint resources with one client certificate thumbprint each, two OrganizationAffiliation resources.
The TaskAuthorizationRule would decide based on OrganizationAffiliation resources found by first searching for the thumbprint of the current client in the Endpoint resources and, if no resource is found, falling back to thumbprints on Organization resources.
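A small model of the lookup order proposed above, run against both allow-list scenarios. This is an added example, not DSF code: the dictionaries are simplified stand-ins for Organization, Endpoint and OrganizationAffiliation resources, and all function names, identifiers and thumbprint values are constructed for illustration.

```python
# Simplified stand-ins for the FHIR allow-list resources; all values are constructed.
ORGANIZATIONS = {
    "single.test.org": {"thumbprints": {"aa11"}},          # one DSF instance
    "test.org": {"thumbprints": {"bb22", "cc33"}},         # two DSF instances
}
ENDPOINTS = {
    "single-ep": {"thumbprints": set()},                   # Endpoint without thumbprint
    "dic-ep": {"thumbprints": {"bb22"}},
    "dms-ep": {"thumbprints": {"cc33"}},
}
AFFILIATIONS = [  # OrganizationAffiliation: member organization, its endpoint, its roles
    {"org": "single.test.org", "endpoint": "single-ep", "roles": {"DIC", "DMS"}},
    {"org": "test.org", "endpoint": "dic-ep", "roles": {"DIC"}},
    {"org": "test.org", "endpoint": "dms-ep", "roles": {"DMS"}},
]


def _roles(affiliations):
    # Union of the roles of all matching affiliations (empty set if none match).
    return set().union(*(a["roles"] for a in affiliations))


def roles_by_organization(thumbprint):
    """Limitation described above: the thumbprint only selects the Organization,
    so the client is granted every role the organization holds."""
    orgs = {o for o, res in ORGANIZATIONS.items() if thumbprint in res["thumbprints"]}
    return _roles(a for a in AFFILIATIONS if a["org"] in orgs)


def roles_by_endpoint_first(thumbprint):
    """Proposed order: match Endpoint thumbprints first, then fall back to
    Organization thumbprints when no Endpoint carries the thumbprint."""
    eps = {e for e, res in ENDPOINTS.items() if thumbprint in res["thumbprints"]}
    if eps:
        return _roles(a for a in AFFILIATIONS if a["endpoint"] in eps)
    return roles_by_organization(thumbprint)


def may_create_task(thumbprint, role, resolver=roles_by_endpoint_first):
    """Hypothetical authorization check: the requesting instance must hold the role."""
    return role in resolver(thumbprint)
```

With the Endpoint-first lookup, the DMS instance's certificate (`cc33`) resolves to the DMS role only, while the single-instance organization still resolves to both roles through the Organization fallback.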