Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/04/04 20:27:58 UTC

[GitHub] [nifi] mcgilman commented on issue #3398: NIFI-6171 always send email scope for OIDC

mcgilman commented on issue #3398: NIFI-6171 always send email scope for OIDC
URL: https://github.com/apache/nifi/pull/3398#issuecomment-480051136
 
 
   Thanks for filing this JIRA and creating this PR @SimonLinder! I also appreciate the write-up in the JIRA. It makes this much easier for me to review.
   
   - Good catch on the incorrect null check.
   - If we can identify the fact that the IdP cannot support what we require, it's better to throw the exception to prevent startup. This is why there are so many checks in the constructor.
   - I didn't realize the claims specified in the call to the Authorization endpoint had any impact on a subsequent call to details returned from a UserInfo endpoint. 
   - From my initial testing with various IdP implementations, not all supported the email claim in their Authorization endpoint. Many did, however, support returning it in the subsequent call to the UserInfo endpoint.
   - There were others, though, that did not support an email field in their UserInfo endpoint. We have received requests [1] to allow for additional configuration over what field we use to identify a user.
   
   I am concerned that requiring the email scope be part of the Authorization request would be too limiting. From your experience, would you have any guidance on how we could try to remain as flexible, identify users using any field (from the UserInfo endpoint), and work against as many IdPs as possible?
   
   [1] https://github.com/apache/nifi/pull/2346
