Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/04/12 19:03:00 UTC

[jira] [Commented] (NIFI-11438) OIDC requests all available scopes

    [ https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711524#comment-17711524 ] 

David Handermann commented on NIFI-11438:
-----------------------------------------

Thanks for reporting this issue [~dbmxer]. It sounds like changing the behavior to the previous approach of requesting only {{openid}} and {{email}} may be the best way forward, although this could also impact Refresh Token retrieval.

The [OpenID Connect Core specification|https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims] defines multiple optional scopes, but does not appear to define particular behavior when a client requests scopes that the Authorization Server disallows.

For additional background, does the current behavior in NiFi 1.21.0 disallow authentication altogether, or does it just result in exceptions on AD FS?


> OIDC requests all available scopes
> ----------------------------------
>
>                 Key: NIFI-11438
>                 URL: https://issues.apache.org/jira/browse/NIFI-11438
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.21.0
>         Environment: Windows ADFS used for OIDC
>            Reporter: Jody DesRoches
>            Assignee: David Handermann
>            Priority: Major
>
> OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.
> Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.
> NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under _scopes_supported_.
> *Expected*: only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes"
> Source code affecting scope selection: [https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]
>  
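The two scope-selection behaviours discussed in this issue, as an added example that is not NiFi's own code: the 1.21.0 behaviour of requesting everything in `scopes_supported`, versus the expected `openid` plus `email` plus the configured additional scopes. The discovery document fragment is constructed, and the additional-scopes property is assumed to be a comma-separated list.

```python
import json

# Constructed fragment shaped like .well-known/openid-configuration;
# the issuer and scope list are not taken from a real AD FS deployment.
DISCOVERY_JSON = """{
  "issuer": "https://adfs.example.test/adfs",
  "scopes_supported": ["openid", "email", "profile", "allatclaims",
                       "user_impersonation", "offline_access"]
}"""

# Scopes the report expects NiFi to request unconditionally.
BASE_SCOPES = ("openid", "email")


def load_discovery():
    """Parse the constructed discovery document into a dict."""
    return json.loads(DISCOVERY_JSON)


def parse_additional_scopes(prop_value):
    """Split nifi.security.user.oidc.additional.scopes (assumed comma-separated)."""
    return [s.strip() for s in prop_value.split(",") if s.strip()]


def scopes_as_of_1_21(discovery):
    """Behaviour the report describes: every scope the provider advertises."""
    return list(discovery.get("scopes_supported", []))


def expected_scopes(additional_prop):
    """Expected behaviour: openid + email + configured extras, de-duplicated, order kept."""
    selected = list(BASE_SCOPES)
    for scope in parse_additional_scopes(additional_prop):
        if scope not in selected:
            selected.append(scope)
    return selected


def excess_scopes(discovery, additional_prop):
    """Scopes the 1.21.0 behaviour requests that the administrator never asked for.
    These are the candidates an authorization server such as AD FS may refuse."""
    wanted = set(expected_scopes(additional_prop))
    return [s for s in scopes_as_of_1_21(discovery) if s not in wanted]


def scope_parameter(scopes):
    """Render the space-delimited 'scope' value used in the authorization request."""
    return " ".join(scopes)
```

Requesting `offline_access` through the additional-scopes property keeps Refresh Token retrieval available without pulling in every advertised scope.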
