Posted to issues@nifi.apache.org by "Matt Gilman (JIRA)" <ji...@apache.org> on 2019/04/26 20:45:00 UTC

[jira] [Resolved] (NIFI-4698) Nifi Open ID Connect with Azure Active Directory fails to extract email from UserInfoToken

     [ https://issues.apache.org/jira/browse/NIFI-4698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Gilman resolved NIFI-4698.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 1.10.0

This issue is addressed with the changes provided in NIFI-6171.

> Nifi Open ID Connect with Azure Active Directory fails to extract email from UserInfoToken
> ------------------------------------------------------------------------------------------
>
>                 Key: NIFI-4698
>                 URL: https://issues.apache.org/jira/browse/NIFI-4698
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.4.0
>         Environment: Microsoft Azure
>            Reporter: Raghu Somasundaram
>            Priority: Major
>             Fix For: 1.10.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> While integrating with Microsoft Azure Active Directory through OpenIDConnect, Azure AD sends back a JSON response without the "email" attribute. This causes NiFi to throw the following exception:
> 2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
> java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
>         at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
>         at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
>         at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
>         at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>         at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
>         at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> The workaround is to extract the "upn" attribute for email. This code fix checks the JSON response for the "email" attribute. If email is empty, it returns the "upn" value as email. If both email and upn are empty, we throw the same exception as above.


