Posted to issues@nifi.apache.org by "Jody DesRoches (Jira)" <ji...@apache.org> on 2023/04/12 18:37:00 UTC

[jira] [Updated] (NIFI-11438) OIDC requests all available scopes

     [ https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jody DesRoches updated NIFI-11438:
----------------------------------
    Description: 
OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.

*Expected* only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes"

Source code affecting scope selection: https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80

 

  was:
OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.

*Expected* only request scopes "openid ** email" plus values in "nifi.security.user.oidc.additional.scopes"


Source code affecting scope selection: https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80

 


> OIDC requests all available scopes
> ----------------------------------
>
>                 Key: NIFI-11438
>                 URL: https://issues.apache.org/jira/browse/NIFI-11438
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.21.0
>         Environment: Windows ADFS used for OIDC
>            Reporter: Jody DesRoches
>            Priority: Major
>
> OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0.
> Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.
> NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.
> *Expected* only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes"
> Source code affecting scope selection: https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)