Description
New Feature Request
Summary
For security reasons (malware, hacked accounts) it is sometimes necessary to find the nameid of a specific user, given their schacHomeOrganization and uid. We currently have separate scripts to do this, which read directly from the database.
Instead, it would be much cleaner to let Engineblock handle this itself. This would also allow us to automate it and make it available in a self-service interface to authorized users.
Proposed Solution
Therefore I propose to add two internal EB-API endpoints that can handle this type of lookup:
- /info/users/nameid: translate sho/uid/sp to nameid
- /info/users/id: translate nameid to sho/uid/sp
Example requests/responses
id --> nameid
Note: this call could work even if the user has never logged into this service yet. I.e., the resulting nameid doesn't have to exist yet, because it can be calculated based on the user uuid and service. Possibly: add a flag in the output if the nameid was calculated instead of looked up in the database.
Example:
POST https://engine-api.openconxt.dev/info/users/nameid

Request body:
```json
[
{"schacHomeOrganization": "example.edu", "uid": "student001", "sp_entityid": "https://service.example.com/"},
{"schacHomeOrganization": "example.org", "uid": "employee001", "sp_entityid": "https://service.example.com/"}
]
```

Response:
```json
["62546075f3ad801acdad821aacb006ff61298603","5e76eca7df5c64ec30b55071bd9a47716457a480"]
```
nameid --> id
Example:
POST https://engine-api.openconxt.dev/info/users/id

Request body:
```json
["62546075f3ad801acdad821aacb006ff61298603","5e76eca7df5c64ec30b55071bd9a47716457a480"]
```

Response:
```json
[
{"schacHomeOrganization": "example.edu", "uid": "student001", "sp_entityid": "https://service.example.com/"},
{"schacHomeOrganization": "example.org", "uid": "employee001", "sp_entityid": "https://service.example.com/"}
]
```
Logging
For each of the requests, log which ids were requested and by which user, so that use of these lookups is auditable.
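An added sketch of both proposed endpoints and their audit logging, as an in-memory model (example code, not Engineblock's own). The user table, the uuids and the nameid derivation (a sha1 over uuid and SP entity id) are constructed assumptions; the point is the "calculated" flag for nameids not yet in the database and one log entry per request naming the requester.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data: (schacHomeOrganization, uid) -> internal user uuid.
USERS = {
    ("example.edu", "student001"): "11111111-1111-4111-8111-111111111111",
    ("example.org", "employee001"): "22222222-2222-4222-8222-222222222222",
}
NAMEIDS = {}    # nameids already issued: nameid -> {sho, uid, sp_entityid}
AUDIT_LOG = []  # one entry per request: which ids were asked for, and by whom


def derive_nameid(user_uuid, sp_entityid):
    # Assumed derivation for this example only (not Engineblock's real one):
    # a hash over user uuid and SP entity id, so the nameid is computable
    # before the user has ever logged in to that service.
    return hashlib.sha1(f"{user_uuid}|{sp_entityid}".encode()).hexdigest()


def _audit(endpoint, requested_by, requested):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "endpoint": endpoint, "requested_by": requested_by,
                      "requested": requested})


def lookup_nameids(requests, requested_by):
    """POST /info/users/nameid: sho/uid/sp -> nameid plus a 'calculated' flag."""
    results = []
    for req in requests:
        key = (req["schacHomeOrganization"], req["uid"])
        if key not in USERS:
            results.append(None)  # unknown user: nothing to derive from
            continue
        nameid = derive_nameid(USERS[key], req["sp_entityid"])
        # True when the nameid was computed rather than found in the database.
        results.append({"nameid": nameid, "calculated": nameid not in NAMEIDS})
    _audit("/info/users/nameid", requested_by, requests)
    return results


def lookup_ids(nameids, requested_by):
    """POST /info/users/id: nameid -> sho/uid/sp; None if never issued."""
    _audit("/info/users/id", requested_by, nameids)
    return [NAMEIDS.get(n) for n in nameids]


def record_login(sho, uid, sp_entityid):
    """Simulates a first login: from now on the nameid is stored, not calculated."""
    nameid = derive_nameid(USERS[(sho, uid)], sp_entityid)
    NAMEIDS[nameid] = {"schacHomeOrganization": sho, "uid": uid, "sp_entityid": sp_entityid}
    return nameid
```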