Posted to issues@nifi.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/04/26 20:42:00 UTC

[jira] [Commented] (NIFI-6171) Fix OIDC implementation

    [ https://issues.apache.org/jira/browse/NIFI-6171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16827308#comment-16827308 ] 

ASF subversion and git services commented on NIFI-6171:
-------------------------------------------------------

Commit 0650521eb276bb4a68c271be9f49325fdcffaee0 in nifi's branch refs/heads/master from simonl
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=0650521 ]

NIFI-6171 always send email scope for OIDC
NIFI-6171 re-added lookupEmail() as fallback
NIFI-6171 additional OIDC scopes via nifi.properties
NIFI-6171 alternative user identification (instead of email) via nifi.properties
NIFI-6171 changed lookupEmail() so that any configured claim can be fetched from the UserInfo endpoint

This closes #3398
This closes #2346


> Fix OIDC implementation
> -----------------------
>
>                 Key: NIFI-6171
>                 URL: https://issues.apache.org/jira/browse/NIFI-6171
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.9.1
>            Reporter: Simon Linder
>            Priority: Minor
>              Labels: security
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> The implementation using OIDC has some issues (see the class *StandardOidcIdentityProvider* for all issues):
>  * when accessing an OIDC endpoint that doesn't provide any scopes, you'll get a NullPointerException
>  * when accessing an OIDC endpoint that doesn't provide the *email* scope, you'll never have the chance to log in at all
> The first issue is just a wrong implementation of the check (line 151).
> The complete implementation is not correct in my opinion. The [OpenID spec for the discovery endpoint|https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata] states that it is *RECOMMENDED* to send the *scopes_supported* within the provider metadata. Therefore it is not assured to have those scopes. The implementation of the *StandardOidcIdentityProvider* wants to throw an exception within the constructor if neither the scope OPENID nor EMAIL is provided (there is an error in the implementation, see line 151).
> On the other side in the overwritten function *getScopes()* (line 250), the *openid* scope is always added, the *email* scope is only added when the metadata contains this scope. Otherwise the function *lookupEmail()* (line 336) is called to get the email out of the UserInfo endpoint using the Bearer token. This also will never work, because the Bearer token doesn't contain the email scope, thus it will never be returned.
> Therefore I would remove the check in the constructor as well as the function (lookupEmail()) completely, add the *email* scope to every request and throw an exception, if the email address is not provided.
> This can all be tested and simulated by connecting to Google OIDC, but commenting out the code in the *getScopes()* function so that the email scope is not sent (line 258).
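The scope-selection and identity-lookup behaviour that the commit message and the issue describe, as an added illustration that is not NiFi's StandardOidcIdentityProvider and is written in Python rather than the project's Java. It models the fixed flow: openid and email are always requested, additional scopes and an alternative identity claim come from configuration (here plain function parameters standing in for the nifi.properties settings), a discovery document without scopes_supported produces a warning instead of a NullPointerException-style failure, and the UserInfo endpoint is consulted only as a fallback when the claim is missing from the ID token. The discovery documents, the token store and fake_userinfo are constructed stand-ins; nothing contacts a real provider.

```python
"""Scope selection and identity-claim resolution for an OIDC login.

Added illustration, not NiFi's code: models the behaviour NIFI-6171 asks for
(openid and email always requested, extra scopes and an alternative identity
claim taken from configuration, UserInfo consulted only as a fallback) and
tolerates a discovery document that omits scopes_supported.  All provider
metadata, tokens and the UserInfo endpoint below are constructed stand-ins.
"""
from typing import Callable, Mapping, Optional, Sequence

# Constructed discovery documents.  The second omits scopes_supported, which the
# discovery spec only RECOMMENDS; the original check dereferenced it unconditionally.
METADATA_WITH_SCOPES = {
    "issuer": "https://idp.example.test",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "scopes_supported": ["openid", "email", "profile"],
}
METADATA_NO_SCOPES = {
    "issuer": "https://idp.example.test",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
}


def provider_warnings(metadata: Mapping) -> list:
    """Non-fatal checks on the discovery document, replacing the constructor exception.

    An absent scopes_supported means "unknown", not "unsupported", so it is reported
    once and never blocks login by itself.
    """
    supported = metadata.get("scopes_supported")
    if supported is None:
        return ["scopes_supported absent from discovery document; scope support unknown"]
    return [f"provider does not advertise '{s}'" for s in ("openid", "email") if s not in supported]


def request_scopes(additional_scopes: Sequence[str] = ()) -> list:
    """Scopes to put in the authorization request.

    openid and email are always sent (the provider decides whether it honours email);
    additional_scopes stands in for the nifi.properties setting added by the fix.
    Duplicates are dropped while preserving order.
    """
    scopes = ["openid", "email"]
    for scope in additional_scopes:
        if scope not in scopes:
            scopes.append(scope)
    return scopes


# Constructed token store: access token -> (granted scopes, the provider's full claim set).
_TOKENS = {
    "tok-email": ({"openid", "email"}, {"sub": "u1", "email": "alice@example.test"}),
    "tok-noemail": ({"openid"}, {"sub": "u2", "email": "bob@example.test"}),
    "tok-profile": ({"openid", "profile"},
                    {"sub": "u3", "email": "carol@example.test", "preferred_username": "carol"}),
}
_CLAIMS_BY_SCOPE = {"email": {"email", "email_verified"}, "profile": {"name", "preferred_username"}}


def fake_userinfo(access_token: str) -> dict:
    """Stand-in UserInfo endpoint: releases only claims covered by the token's granted scopes.

    This is the reporter's point: a bearer token issued without the email scope never
    yields an email here, so the fallback cannot make up for a scope that was not requested.
    """
    if access_token not in _TOKENS:
        raise PermissionError("invalid bearer token")
    granted, claims = _TOKENS[access_token]
    allowed = {"sub"}.union(*(_CLAIMS_BY_SCOPE.get(s, set()) for s in granted))
    return {k: v for k, v in claims.items() if k in allowed}


def resolve_identity(
    id_token_claims: Mapping,
    identity_claim: str = "email",
    userinfo: Optional[Callable[[str], Mapping]] = None,
    access_token: Optional[str] = None,
) -> str:
    """Return the user identity from the configured claim, or raise if it cannot be found.

    identity_claim stands in for the alternative-identifier setting.  The ID token is
    tried first; the UserInfo endpoint (the re-added lookupEmail() fallback) is called
    only if the claim is absent there, and a claim missing from both is a hard error.
    """
    value = id_token_claims.get(identity_claim)
    if value:
        return value
    if userinfo is not None and access_token:
        value = userinfo(access_token).get(identity_claim)
        if value:
            return value
    raise ValueError(f"identity claim '{identity_claim}' not present in ID token or UserInfo response")


if __name__ == "__main__":
    print("requested scopes:", request_scopes(["profile"]))
    print("provider warnings:", provider_warnings(METADATA_NO_SCOPES))
    print("identity:", resolve_identity({"sub": "u1"}, userinfo=fake_userinfo, access_token="tok-email"))
    try:
        resolve_identity({"sub": "u2"}, userinfo=fake_userinfo, access_token="tok-noemail")
    except ValueError as exc:
        print("login rejected:", exc)
```

The tok-noemail case reproduces the failure the issue describes: the token was granted only the openid scope, so fake_userinfo returns just sub, and login is refused with an explicit error instead of proceeding with no identity. Switching identity_claim to preferred_username with a profile-scoped token shows the configurable claim working through the same fallback path.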



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)