- retry if refresh of exchanged token yields invalid token (wrong
audience - known case of apparently incorrect Keycloak behaviour)
- use custom header instead of redirect patch to have Repository tier not
redirect to Keycloak login page on unauthenticated access from Share
- activate audience verification which is inactive with Keycloak class
defaults
- RemoteUserAuthenticator may re-run KeycloakRemoteUserMapper for Bearer
authentication
- RemoteUserAuthenticator simply re-sets current user without running
through regular ticket validation hoops (which we already covered)
- need authentication listener to hook into triggered event for
re-processing access token
- this adds hard-dependency to full acosix-utility module, which is
extremely unfortunate - TODO: Move authenticator listener patch
(enabling multiple listeners) into utility core, since it can be
reasonably considered a non-invasive, baseline patch (does not alter
core behaviours) relevant for potentially multiple extensions, which
should not necessitate dependency on full utility module with its
accompanying set of (more or less) invasive patches
