Posted to commits@nifi.apache.org by gr...@apache.org on 2023/01/10 22:22:06 UTC

[nifi] branch main updated: NIFI-11004 Added documentation for OIDC groups claim property

This is an automated email from the ASF dual-hosted git repository.

greyp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 0c0f7e87be NIFI-11004 Added documentation for OIDC groups claim property
0c0f7e87be is described below

commit 0c0f7e87be4b2b51297fb4717335ca87f6089fae
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Thu Dec 22 11:46:09 2022 -0600

    NIFI-11004 Added documentation for OIDC groups claim property
    
    This closes #6802
    Signed-off-by: Paul Grey <gr...@apache.org>
---
 nifi-docs/src/main/asciidoc/administration-guide.adoc                  | 3 +++
 .../nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml        | 1 +
 .../nifi-resources/src/main/resources/conf/nifi.properties             | 1 +
 3 files changed, 5 insertions(+)

diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 94f4f69c55..007a432d95 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -503,6 +503,9 @@ JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the di
 |`nifi.security.user.oidc.additional.scopes` | Comma separated scopes that are sent to OpenId Connect Provider in addition to `openid` and `email`.
 |`nifi.security.user.oidc.claim.identifying.user` | Claim that identifies the user to be logged in; default is `email`. May need to be requested via the `nifi.security.user.oidc.additional.scopes` before usage.
 |`nifi.security.user.oidc.fallback.claims.identifying.user` | Comma separated possible fallback claims used to identify the user in case `nifi.security.user.oidc.claim.identifying.user` claim is not present for the login user.
+|`nifi.security.user.oidc.claim.groups` | Name of the ID token claim that contains an array of group names of which the
+user is a member. Application groups must be supplied from a User Group Provider with matching names in order for the
+authorization process to use ID token claim groups. The default value is `groups`.
 |`nifi.security.user.oidc.truststore.strategy` | If value is `NIFI`, use the NiFi truststore when connecting to the OIDC service, otherwise if value is `JDK` use Java's default `cacerts` truststore. The default value is `JDK`.
 |==================================================================================================================================================
 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
index e61077d5df..7940622098 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
@@ -171,6 +171,7 @@
         <nifi.security.user.oidc.additional.scopes />
         <nifi.security.user.oidc.claim.identifying.user />
         <nifi.security.user.oidc.fallback.claims.identifying.user />
+        <nifi.security.user.oidc.claim.groups>groups</nifi.security.user.oidc.claim.groups>
         <nifi.security.user.oidc.truststore.strategy>JDK</nifi.security.user.oidc.truststore.strategy>
 
         <!-- nifi.properties: apache knox -->
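Review bot: `<nifi.security.user.oidc.claim.groups>groups</nifi.security.user.oidc.claim.groups>` is the only claim property visible in this hunk that ships with a non-empty default, and nothing here or in the guide row added by this commit says how to turn the mapping off. According to that guide row, group names from the ID token are used by authorization whenever a User Group Provider supplies groups with matching names, so with this default the identity provider can place a user in any same-named NiFi group. I would add a comment above the property, e.g. `<!-- ID token claim read for group names; matched by name against User Group Provider groups -->`, and document the effect of an empty value (presumably it disables the lookup, but that is not visible in this diff). The same default reaches the `nifi.security.user.oidc.claim.groups=${nifi.security.user.oidc.claim.groups}` line in the nifi.properties hunk.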
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
index 7b66af721b..9c61d1bc19 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
@@ -202,6 +202,7 @@ nifi.security.user.oidc.preferred.jwsalgorithm=${nifi.security.user.oidc.preferr
 nifi.security.user.oidc.additional.scopes=${nifi.security.user.oidc.additional.scopes}
 nifi.security.user.oidc.claim.identifying.user=${nifi.security.user.oidc.claim.identifying.user}
 nifi.security.user.oidc.fallback.claims.identifying.user=${nifi.security.user.oidc.fallback.claims.identifying.user}
+nifi.security.user.oidc.claim.groups=${nifi.security.user.oidc.claim.groups}
 nifi.security.user.oidc.truststore.strategy=${nifi.security.user.oidc.truststore.strategy}
 
 # Apache Knox SSO Properties #