You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "M Tien (Jira)" <ji...@apache.org> on 2020/11/20 21:22:00 UTC

[jira] [Commented] (NIFI-7924) Fallback claim(s) support in OIDC based authentication

    [ https://issues.apache.org/jira/browse/NIFI-7924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236447#comment-17236447 ] 

M Tien commented on NIFI-7924:
------------------------------

[~sjyang18] I reviewed your PR and left a comment on the PR:

Thank you for submitting this. I've reviewed it and the functionality LGTM. I verified I can log in with OIDC enabled and verified the tests will use the listed fallback claim when email is not available.

One suggestion is to update the NiFi docs with a description of the new fallback claim property. Here's a link to the docs section I'm referring to:

[http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect]

I can give a +1 once this is updated. Thanks!

> Fallback claim(s) support in OIDC based authentication
> ------------------------------------------------------
>
>                 Key: NIFI-7924
>                 URL: https://issues.apache.org/jira/browse/NIFI-7924
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: Seokwon Yang
>            Assignee: Seokwon Yang
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently, 'nifi.security.user.oidc.claim.identifying.user' NiFi configuration sets only one claim to bind ID token to username. There are corner-case where fallback claim should search in case the configured claim is not found in ID token.
> For example, not all user directory objects has email address in Azure Activity Directory ([https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email]). We need a fallback claim support so that when there is no email address claim available for a user, the OIDC identity provider should pick up fallback claim(s) for the user name. For other users with emails, it should continue to use the configured claim to set user name.
>  
> I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' in NiFi properties and implement the fallback logic .
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)