Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/04/22 15:32:12 UTC

[GitHub] [nifi] mcgilman commented on a change in pull request #3398: NIFI-6171 always send email scope for OIDC

URL: https://github.com/apache/nifi/pull/3398#discussion_r277326536
 
 

 ##########
 File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ##########
 @@ -307,17 +296,22 @@ public String exchangeAuthorizationCode(final AuthorizationGrant authorizationGr
                 // validate the token - no nonce required for authorization code flow
                 final IDTokenClaimsSet claimsSet = tokenValidator.validate(oidcJwt, null);
 
-                // attempt to extract the email from the id token if possible
-                String email = claimsSet.getStringClaim(EMAIL_CLAIM_NAME);
-                if (StringUtils.isBlank(email)) {
+                // attempt to extract the configured claim to access the user's identity; default is 'email'
+                String identity = claimsSet.getStringClaim(properties.getOidcClaimIdentifyingUser());
+                if (StringUtils.isBlank(identity)) {
+                    // explicitly try to get the identity from the UserInfo endpoint with the 'email' claim
+                    logger.warn("The identity of the user was tried to get with the claim '" +
+                            properties.getOidcClaimIdentifyingUser() + "'. The according additional scope is not " +
+                            "configured correctly. Trying to get it with the 'email' claim.");
 
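Review bot: The warn message in the added `logger.warn(...)` lines is hard to read ("was tried to get with the claim", "The according additional scope") and states a cause the code has not established: a blank claim can also mean the provider does not include that claim in the ID token at all, not that the additional scope is misconfigured. Suggest a neutral message, e.g. `"Claim '" + properties.getOidcClaimIdentifyingUser() + "' not present in the ID token; falling back to the 'email' claim via the UserInfo endpoint."`. Since this branch silently switches from the administrator-configured claim to 'email', the message should also make clear which claim ended up supplying the identity, so the fallback is visible when reviewing login logs.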
 Review comment:
   Assuming we update `lookupEmail` we should probably adjust this log message.
