Posted to users@nifi.apache.org by Jon Logan <jm...@buffalo.edu> on 2021/08/02 21:03:12 UTC

OIDC with Authorization?

Hi,

I am trying to use OIDC for Authentication, but it seems to not support any
form of Authorization -- is there any way to avoid having to manually list
every user permitted after installation? ex. allow all authenticated users,
or support groups from the OIDC provider?

Thanks!

Re: OIDC with Authorization?

Posted by Bryan Bende <bb...@gmail.com>.
Hello,

Currently OIDC is only part of authentication, and the authenticated user
identity is then passed to whatever authorizer is configured. If you wanted
to authorize any authenticated user to do anything, then you could
implement your own Authorizer that just returns approved for everything.

When adding SAML support, we did create a new way to pass the user's groups
along from the identity provider into NiFi’s Authorizer, so presumably if
OIDC responses contain group info, then we could do the same thing. The
groups would still need to be manually defined in NiFi so that policies can
be created against them, but the membership wouldn’t need to be defined in
NiFi.

Thanks,

Bryan

On Mon, Aug 2, 2021 at 5:03 PM Jon Logan <jm...@buffalo.edu> wrote:

> Hi,
>
> I am trying to use OIDC for Authentication, but it seems to not support
> any form of Authorization -- is there any way to avoid having to manually
> list every user permitted after installation? ex. allow all authenticated
> users, or support groups from the OIDC provider?
>
> Thanks!
>