You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/01/07 21:13:01 UTC

[jira] [Commented] (NIFI-7924) Fallback claim(s) support in OIDC based authentication

    [ https://issues.apache.org/jira/browse/NIFI-7924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17260831#comment-17260831 ] 

ASF subversion and git services commented on NIFI-7924:
-------------------------------------------------------

Commit f330078fffd39feeb2b289f7e9de5113f9c78bb4 in nifi's branch refs/heads/main from sjyang18
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=f330078 ]

NIFI-7924 Add fallback claims for identifying user to OIDC provider

This closes #4630

Signed-off-by: Joey Frazee <jf...@apache.org>


> Fallback claim(s) support in OIDC based authentication
> ------------------------------------------------------
>
>                 Key: NIFI-7924
>                 URL: https://issues.apache.org/jira/browse/NIFI-7924
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: Seokwon Yang
>            Assignee: Seokwon Yang
>            Priority: Minor
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> Currently, 'nifi.security.user.oidc.claim.identifying.user' NiFi configuration sets only one claim to bind ID token to username. There are corner-case where fallback claim should search in case the configured claim is not found in ID token.
> For example, not all user directory objects has email address in Azure Activity Directory ([https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email]). We need a fallback claim support so that when there is no email address claim available for a user, the OIDC identity provider should pick up fallback claim(s) for the user name. For other users with emails, it should continue to use the configured claim to set user name.
>  
> I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' in NiFi properties and implement the fallback logic .
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)