This is an automated email from the ASF dual-hosted git repository.
greyp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 1639ecee11 NIFI-11438 Set standard OpenID Connect Scopes
1639ecee11 is described below
commit 1639ecee11d5ed2502d11e1f97bdb800b5d2bc0a
Author: exceptionfactory <[email protected]>
AuthorDate: Wed Apr 12 17:34:23 2023 -0500
NIFI-11438 Set standard OpenID Connect Scopes
- Restored previous behavior of sending openid and email scopes for OpenID
Connect token requests
- Added offline_access scope as the default value in nifi.properties to
support Refresh Tokens
This closes #7168
Signed-off-by: Paul Grey <[email protected]>
---
nifi-docs/src/main/asciidoc/administration-guide.adoc | 2 +-
.../nifi-framework/nifi-resources/pom.xml | 3 ++-
.../registration/StandardClientRegistrationProvider.java | 9 ++++++---
.../StandardClientRegistrationProviderTest.java | 14 ++++++++++++++
4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index aad8cb1250..10f8659c69 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -579,7 +579,7 @@ OpenID Connect integration supports the following settings
in _nifi.properties_.
by the OpenID Connect Provider according to the specification. If this value
is `HS256`, `HS384`, or `HS512`, NiFi will attempt to validate HMAC protected
tokens using the specified client secret.
If this value is `none`, NiFi will attempt to validate unsecured/plain tokens.
Other values for this algorithm will attempt to parse as an RSA or EC algorithm
to be used in conjunction with the
JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the
discovery URL
-|`nifi.security.user.oidc.additional.scopes` | Comma separated
scopes that are sent to OpenID Connect Provider in addition to `openid` and
`email`
+|`nifi.security.user.oidc.additional.scopes` | Comma separated
scopes that are sent to OpenID Connect Provider in addition to `openid` and
`email`. Authorization Servers require the `offline_access` scope to return a
Refresh Token.
|`nifi.security.user.oidc.claim.identifying.user` | Claim that
identifies the authenticated user. The default value is `email`. Claim names
may need to be requested using the `nifi.security.user.oidc.additional.scopes`
property
|`nifi.security.user.oidc.fallback.claims.identifying.user` | Comma-separated
list of possible fallback claims used to identify the user when the
`nifi.security.user.oidc.claim.identifying.user` claim is not found.
|`nifi.security.user.oidc.claim.groups` | Name of the ID
token claim that contains an array of group names of which the
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
index 512b88c8bb..87d7ba6183 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
@@ -168,7 +168,8 @@
<nifi.security.user.oidc.client.id />
<nifi.security.user.oidc.client.secret />
<nifi.security.user.oidc.preferred.jwsalgorithm />
- <nifi.security.user.oidc.additional.scopes />
+ <!-- Set additional scopes to support Refresh Token retrieval -->
+
<nifi.security.user.oidc.additional.scopes>offline_access</nifi.security.user.oidc.additional.scopes>
<nifi.security.user.oidc.claim.identifying.user />
<nifi.security.user.oidc.fallback.claims.identifying.user />
<nifi.security.user.oidc.claim.groups>groups</nifi.security.user.oidc.claim.groups>
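Review bot: The new `offline_access` default on `nifi.security.user.oidc.additional.scopes` is a behavior change for every deployment that leaves the property unset after an upgrade: a Refresh Token is now requested on every login, and a provider that does not offer that scope may answer with an `invalid_scope` error instead of silently ignoring it. The added XML comment explains the purpose but not the opt-out, so I would extend it to `<!-- Set additional scopes to support Refresh Token retrieval; clear this value for providers that reject offline_access -->`. The same consideration applies to the administration-guide text in the first file, which documents the scope as required for a Refresh Token but does not mention that it is now on by default.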
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
index bc14c4ba81..f2368c3eeb 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
@@ -21,7 +21,6 @@ import static
com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SEC
import static com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.NONE;
import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.oidc.OidcConfigurationException;
@@ -30,8 +29,11 @@ import
org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty;
import
org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.web.client.RestOperations;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
@@ -46,6 +48,8 @@ public class StandardClientRegistrationProvider implements
ClientRegistrationPro
private static final String REGISTRATION_REDIRECT_URI =
String.format("{baseUrl}%s", OidcUrlPath.CALLBACK.getPath());
+ private static final Set<String> STANDARD_SCOPES =
Collections.unmodifiableSet(new
LinkedHashSet<>(Arrays.asList(OidcScopes.OPENID, OidcScopes.EMAIL)));
+
private final NiFiProperties properties;
private final RestOperations restOperations;
@@ -77,8 +81,7 @@ public class StandardClientRegistrationProvider implements
ClientRegistrationPro
final String jwkSetUri =
providerMetadata.getJWKSetURI().toASCIIString();
final String userInfoUri =
providerMetadata.getUserInfoEndpointURI().toASCIIString();
- final Scope metadataScope = providerMetadata.getScopes();
- final Set<String> scope = new
LinkedHashSet<>(metadataScope.toStringList());
+ final Set<String> scope = new LinkedHashSet<>(STANDARD_SCOPES);
final List<String> additionalScopes =
properties.getOidcAdditionalScopes();
scope.addAll(additionalScopes);
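Review bot: With `providerMetadata.getScopes()` no longer consulted on the line replaced by `final Set<String> scope = new LinkedHashSet<>(STANDARD_SCOPES);`, nothing compares the configured additional scopes against the provider's advertised `scopes_supported`, so a misconfigured scope (including the new `offline_access` default on a provider that does not offer it) only surfaces as an authorization error at user login. Because `scopes_supported` is optional in OIDC Discovery metadata a hard failure would be wrong, but logging a warning when the metadata scopes are present and do not contain every entry of `scope` would make the misconfiguration visible in the NiFi log before users are affected; that would mean keeping the `Scope` import this commit removes. Requesting only the standard scopes plus the configured ones, rather than every scope the provider advertises, is the right least-privilege direction. The enclosing method begins and ends outside this hunk.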
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
index 97847926a1..164cd7c58c 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
@@ -28,12 +28,16 @@ import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import
org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthenticationMethod;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.web.client.RestOperations;
import java.net.URI;
+import java.util.Arrays;
import java.util.Collections;
+import java.util.LinkedHashSet;
import java.util.List;
import java.util.Properties;
+import java.util.Set;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
@@ -61,6 +65,8 @@ class StandardClientRegistrationProviderTest {
private static final String USER_NAME_ATTRIBUTE_NAME = "email";
+ private static final Set<String> EXPECTED_SCOPES = new
LinkedHashSet<>(Arrays.asList(OidcScopes.OPENID, OidcScopes.EMAIL,
OidcScopes.PROFILE));
+
private static final String INVALID_CONFIGURATION = "{}";
@Mock
@@ -92,6 +98,9 @@ class StandardClientRegistrationProviderTest {
assertEquals(USER_INFO_URI.toString(), userInfoEndpoint.getUri());
assertEquals(USER_NAME_ATTRIBUTE_NAME,
userInfoEndpoint.getUserNameAttributeName());
assertEquals(AuthenticationMethod.HEADER,
userInfoEndpoint.getAuthenticationMethod());
+
+ final Set<String> scopes = clientRegistration.getScopes();
+ assertEquals(EXPECTED_SCOPES, scopes);
}
@Test
@@ -120,6 +129,7 @@ class StandardClientRegistrationProviderTest {
properties.put(NiFiProperties.SECURITY_USER_OIDC_CLIENT_ID, CLIENT_ID);
properties.put(NiFiProperties.SECURITY_USER_OIDC_CLIENT_SECRET,
CLIENT_SECRET);
properties.put(NiFiProperties.SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER,
USER_NAME_ATTRIBUTE_NAME);
+ properties.put(NiFiProperties.SECURITY_USER_OIDC_ADDITIONAL_SCOPES,
OidcScopes.PROFILE);
return NiFiProperties.createBasicNiFiProperties(null, properties);
}
@@ -131,6 +141,10 @@ class StandardClientRegistrationProviderTest {
providerMetadata.setUserInfoEndpointURI(USER_INFO_URI);
providerMetadata.setAuthorizationEndpointURI(AUTHORIZATION_ENDPOINT_URI);
final Scope scopes = new Scope();
+ scopes.add(OidcScopes.OPENID);
+ scopes.add(OidcScopes.EMAIL);
+ scopes.add(OidcScopes.PROFILE);
+ scopes.add(OidcScopes.ADDRESS);
providerMetadata.setScopes(scopes);
return providerMetadata;
}
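Review bot: The `OidcScopes.ADDRESS` entry added here is what demonstrates that scopes advertised by the provider are no longer copied into the registration, since `EXPECTED_SCOPES` earlier in the file deliberately omits it, but nothing in the test states that intent. A comment such as `// advertised by the provider but must not be requested: registration scopes come from the standard set plus configured additional scopes` next to `scopes.add(OidcScopes.ADDRESS)` would keep a later cleanup from treating the line as noise. The enclosing method starts outside this hunk.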