You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/01/05 22:06:50 UTC
[GitHub] [nifi] sjyang18 opened a new pull request #4630: NIFI-7924: add fallback claims for identifying user
sjyang18 opened a new pull request #4630:
URL: https://github.com/apache/nifi/pull/4630
Thank you for submitting a contribution to Apache NiFi.
Please provide a short description of the PR here:
#### Description of PR
NIFI-7924: add fallback claims for identifying user
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
- [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [X] Have you written or updated unit tests to verify your changes?
- [X] Have you verified that the full build is successful on JDK 8?
- [X] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [X] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] jfrazee commented on a change in pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
jfrazee commented on a change in pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#discussion_r553486148
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/oidc/StandardOidcIdentityProviderGroovyTest.groovy
##########
@@ -411,10 +411,30 @@ class StandardOidcIdentityProviderGroovyTest extends GroovyTestCase {
assert exp <= System.currentTimeMillis() + 10_000
}
+ @Test
+ void testconvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims() {
Review comment:
```suggestion
@Test
void testConvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims() {
```
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/oidc/StandardOidcIdentityProviderGroovyTest.groovy
##########
@@ -411,10 +411,30 @@ class StandardOidcIdentityProviderGroovyTest extends GroovyTestCase {
assert exp <= System.currentTimeMillis() + 10_000
}
+ @Test
+ void testconvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims() {
+ // Arrange
+ StandardOidcIdentityProvider soip = buildIdentityProviderWithMockTokenValidator(["getOidcClaimIdentifyingUser": "email", "getOidcFallbackClaimsIdentifyingUser": ["upn"] ])
+ String expectedUpn = "xxx@aaddomain";
+
+ OIDCTokenResponse mockResponse = mockOIDCTokenResponse(["email": null, "upn": expectedUpn])
+ logger.info("OIDC Token Response with no email and upn: ${mockResponse.dump()}")
+
+ String loginToken = soip.convertOIDCTokenToLoginAuthenticationToken(mockResponse)
+ logger.info("NiFi token create with upn: ${loginToken}")
+ // Assert
+ // Split JWT into components and decode Base64 to JSON
+ def (String contents, String expiration) = loginToken.tokenize("\\[\\]")
+ logger.info("Token contents: ${contents} | Expiration: ${expiration}")
+ assert contents =~ "LoginAuthenticationToken for ${expectedUpn} issued by https://accounts\\.issuer\\.com expiring at"
+
+
Review comment:
```suggestion
```
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -439,8 +439,17 @@ private LoginAuthenticationToken convertOIDCTokenToLoginAuthenticationToken(OIDC
identity = claimsSet.getStringClaim(EMAIL_CLAIM);
logger.info("The 'email' claim was present. Using that claim to avoid extra remote call");
} else {
- identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
- logger.info("Retrieved identity from UserInfo endpoint");
+ final List<String> fallbackClaims = properties.getOidcFallbackClaimsIdentifyingUser();
+ for (String fallbackClaim : fallbackClaims) {
+ if (availableClaims.contains(fallbackClaim)) {
+ identity = claimsSet.getStringClaim(fallbackClaim);
+ break;
+ }
+ }
+ if (StringUtils.isBlank(identity)) {
+ identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
+ }
+
Review comment:
```suggestion
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] jfrazee commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
jfrazee commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755742518
Thanks @bbende That's sort of where my head was at. Neither seems like it results in a bad outcome and the current path makes it clear what the additional values are.
Provided we make the small change to filter empty values, I'm happy to see this go in.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sjyang18 closed pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sjyang18 closed pull request #4630:
URL: https://github.com/apache/nifi/pull/4630
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sjyang18 commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sjyang18 commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755729231
There are existing test cases that we need to update if we modify the semantics of existing property, and I choose not to modify existing semantics and logics.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] jfrazee commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
jfrazee commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755724733
@sushilkm I think that's a valid question. I haven't been able to convince myself which configuration experience is the right one.
@mcgilman You did a bunch of work on the OIDC code, can you weigh in on this? (I.e., whether it's better for the user to have a distinct fallback claim configuration or to overload/enhance the existing one to be an ordered list.)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] jfrazee commented on a change in pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
jfrazee commented on a change in pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#discussion_r552954964
##########
File path: nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
##########
@@ -1011,6 +1012,21 @@ public String getOidcClaimIdentifyingUser() {
return getProperty(SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER, "email").trim();
}
+ /**
+ * Returns the list of fallback claims to be used to identify a user when the configured claim is empty for a user
+ *
+ * @return The list of fallback claims to be used to identify the user
+ */
+ public List<String> getOidcFallbackClaimsIdentifyingUser() {
+ String rawProperty = getProperty(SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER, "").trim();
+ if (rawProperty.isEmpty()) {
Review comment:
```suggestion
if (StringUtils.isBlank(rawProperty)) {
```
##########
File path: nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
##########
@@ -1011,6 +1012,21 @@ public String getOidcClaimIdentifyingUser() {
return getProperty(SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER, "email").trim();
}
+ /**
+ * Returns the list of fallback claims to be used to identify a user when the configured claim is empty for a user
+ *
+ * @return The list of fallback claims to be used to identify the user
+ */
+ public List<String> getOidcFallbackClaimsIdentifyingUser() {
+ String rawProperty = getProperty(SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER, "").trim();
+ if (rawProperty.isEmpty()) {
+ return Collections.emptyList();
+ } else {
+ List<String> fallbackClaims = Arrays.asList(rawProperty.split(","));
+ return fallbackClaims.stream().map(String::trim).collect(Collectors.toList());
Review comment:
This allows empty fallback claims to come through for strings like `",a,b,"`.
```suggestion
return fallbackClaims.stream().map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toList());
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sushilkm commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sushilkm commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755710209
Not sure why do we want to add another property.
I think it would be simpler for users to update `nifi.security.user.oidc.claim.identifying.user` with the comma separated value(s) that we are intending to put for `nifi.security.user.oidc.fallback.claims.identifying.user`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] bbende commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
bbende commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755739378
If we had done this from the beginning, I definitely think we should have used a single property with an ordered list of claims, and used "claims" in the name instead of "claim", but since we have the existing property I'm not sure either approach has a major advantage...
On one hand, using the existing property is easier for anyone already referencing the property in some way, and it can be done without breaking anything.
On the other hand, the work is already done to add the second property, and it does create very specific semantics where the original "claim" property is a single claim, and the second one with "claims" is a list.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sjyang18 commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sjyang18 commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-754932330
@mtien-apache
I have added the fallback property explanation to admin doc. Will this work?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] jfrazee closed pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
jfrazee closed pull request #4630:
URL: https://github.com/apache/nifi/pull/4630
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] mtien-apache commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
mtien-apache commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755715621
@sushilkm I believe `nifi.security.user.oidc.claim.identifying.user` does not allow comma separated values.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] MuazmaZ commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
MuazmaZ commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755437978
@jfrazee I have tested this with Azure. I have also verified the functionality and it works as expected.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] mtien-apache commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
mtien-apache commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-721452676
@sjyang18 Thank you for submitting this. I've reviewed it and the functionality LGTM. I verified I can log in with OIDC enabled and verified the tests will use the listed fallback claim when email is not available.
One suggestion is to update the NiFi docs with a description of the new fallback claim property. Here's a link to the docs section I'm referring to:
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect
I can give a +1 once this is updated. Thanks!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#discussion_r530754016
##########
File path: nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
##########
@@ -982,6 +984,21 @@ public String getOidcClaimIdentifyingUser() {
return getProperty(SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER, "email").trim();
}
+ /**
+ * Returns the list of fallback claims to be used to identify a user when the configured claim is empty for a user
+ *
+ * @return The list of fallback claims to be used to identify the user
+ */
+ public List<String> getOidcFallbackClaimsIdentifyingUser() {
+ String rawProperty = getProperty(SECURITY_USER_OIDC_FALLBACK_CLAIMS_IDENTIFYING_USER, "").trim();
+ if (rawProperty.isEmpty()) {
+ return new ArrayList<>();
Review comment:
Recommend returning Collections.emptyList() to avoid unnecessary ArrayList creation.
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -439,8 +439,21 @@ private LoginAuthenticationToken convertOIDCTokenToLoginAuthenticationToken(OIDC
identity = claimsSet.getStringClaim(EMAIL_CLAIM);
logger.info("The 'email' claim was present. Using that claim to avoid extra remote call");
} else {
- identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
- logger.info("Retrieved identity from UserInfo endpoint");
+ final List<String> fallbackClaims = properties.getOidcFallbackClaimsIdentifyingUser();
+ if (fallbackClaims.size() > 0) {
+ logger.info("fallbackClaims.size() : " + fallbackClaims.size());
Review comment:
This is not necessary to log at the info level, and since it is a configuration property, it seems unnecessary to log even at the debug level. Recommend at least changing to debug and using parameterized message strings or removing altogether.
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -439,8 +439,21 @@ private LoginAuthenticationToken convertOIDCTokenToLoginAuthenticationToken(OIDC
identity = claimsSet.getStringClaim(EMAIL_CLAIM);
logger.info("The 'email' claim was present. Using that claim to avoid extra remote call");
} else {
- identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
- logger.info("Retrieved identity from UserInfo endpoint");
+ final List<String> fallbackClaims = properties.getOidcFallbackClaimsIdentifyingUser();
+ if (fallbackClaims.size() > 0) {
+ logger.info("fallbackClaims.size() : " + fallbackClaims.size());
+ for (String fallbackClaim : fallbackClaims) {
+ if (availableClaims.contains(fallbackClaim)) {
+ identity = claimsSet.getStringClaim(fallbackClaim);
+ break;
+ }
+ }
+ }
+ if (StringUtils.isBlank(identity)) {
+ identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
+ logger.info("Retrieved identity from UserInfo endpoint");
Review comment:
This log message is somewhat unclear and may not be necessary at the info level. Recommend at least changing it to debug an parameterizing the message with the retrieved identity along the following lines:
```suggestion
logger.debug("Identity [{}] retrieved from UserInfo endpoint", identity);
```
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -439,8 +439,21 @@ private LoginAuthenticationToken convertOIDCTokenToLoginAuthenticationToken(OIDC
identity = claimsSet.getStringClaim(EMAIL_CLAIM);
logger.info("The 'email' claim was present. Using that claim to avoid extra remote call");
} else {
- identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
- logger.info("Retrieved identity from UserInfo endpoint");
+ final List<String> fallbackClaims = properties.getOidcFallbackClaimsIdentifyingUser();
+ if (fallbackClaims.size() > 0) {
Review comment:
This size check seems unnecessary, particularly if the following log line is removed, since the for loop will not run over an empty list.
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/oidc/StandardOidcIdentityProviderGroovyTest.groovy
##########
@@ -411,10 +411,29 @@ class StandardOidcIdentityProviderGroovyTest extends GroovyTestCase {
assert exp <= System.currentTimeMillis() + 10_000
}
+ @Test
+ void testconvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims() {
+ // Arrange
+ StandardOidcIdentityProvider soip = buildIdentityProviderWithMockTokenValidator(["getOidcClaimIdentifyingUser": "email", "getOidcFallbackClaimsIdentifyingUser": ["upn"] ])
+
+ OIDCTokenResponse mockResponse = mockOIDCTokenResponse(["email": null, "upn": "xxx@aaddomain"])
+ logger.info("OIDC Token Response with no email and upn: ${mockResponse.dump()}")
+
+ String loginToken = soip.convertOIDCTokenToLoginAuthenticationToken(mockResponse)
+ logger.info("NiFi token create with upn: ${loginToken}")
+ // Assert
+ // Split JWT into components and decode Base64 to JSON
+ def (String contents, String expiration) = loginToken.tokenize("\\[\\]")
+ logger.info("Token contents: ${contents} | Expiration: ${expiration}")
+ assert contents =~ "LoginAuthenticationToken for xxx@aaddomain issued by https://accounts\\.issuer\\.com expiring at"
Review comment:
Recommend declaring a variable for the email address so that both the mockOIDCTokenResponse() and the assert clearly use the same string.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] jfrazee commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
jfrazee commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-754971676
@mtien-apache @sjyang18 I've been looking at this and was wondering which identity providers this has been tested against?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sjyang18 removed a comment on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sjyang18 removed a comment on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-754930724
> @sjyang18 Thank you for submitting this. I've reviewed it and the functionality LGTM. I verified I can log in with OIDC enabled and verified the tests will use the listed fallback claim when email is not available.
>
> One suggestion is to update the NiFi docs with a description of the new fallback claim property. Here's a link to the docs section I'm referring to:
>
> http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect
>
> I can give a +1 once this is updated. Thanks!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] mtien-apache commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
mtien-apache commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755661706
+1 Reviewed and verified all changes work as expected. Admin doc addition look good. Thank you.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] mtien-apache commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
mtien-apache commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755478795
@jfrazee I tested it with Azure, Google, and Okta.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sushilkm commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sushilkm commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-755717862
@mtien-apache what i mean to say was instead of adding another property we could make the existing property to behave like that comma-separated value. it should not be breaking change.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] sjyang18 commented on pull request #4630: NIFI-7924: add fallback claims for identifying user
Posted by GitBox <gi...@apache.org>.
sjyang18 commented on pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#issuecomment-754930724
> @sjyang18 Thank you for submitting this. I've reviewed it and the functionality LGTM. I verified I can log in with OIDC enabled and verified the tests will use the listed fallback claim when email is not available.
>
> One suggestion is to update the NiFi docs with a description of the new fallback claim property. Here's a link to the docs section I'm referring to:
>
> http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect
>
> I can give a +1 once this is updated. Thanks!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org