[ 
https://issues.apache.org/jira/browse/NIFI-7924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17219979#comment-17219979
 ] 

M Tien commented on NIFI-7924:
------------------------------

[~sjyang18] - Currently, `nifi.security.user.oidc.claim.identifying.user` 
defaults to email and is the only claim that is initially requested. If the 
identifying user claim is anything other than the email, it needs to be set at 
both `nifi.security.user.oidc.additional.scopes` and 
`nifi.security.user.oidc.claim.identifying.user`. Additional scopes indicate 
additional claims to request. Explicitly setting the identifying user claim 
indicates which claim to use as the user identity.

In the event that the identifying user claim is not found in the ID token, NiFi 
will attempt to retrieve the identity from the UserInfo endpoint.

I hope this helps your issue.

> Fallback claim(s) support in OIDC based authentication
> ------------------------------------------------------
>
>                 Key: NIFI-7924
>                 URL: https://issues.apache.org/jira/browse/NIFI-7924
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: Seokwon Yang
>            Assignee: Seokwon Yang
>            Priority: Minor
>
> Currently, 'nifi.security.user.oidc.claim.identifying.user' NiFi 
> configuration sets only one claim to bind the ID token to a username. There are 
> corner cases where a fallback claim should be searched for in case the configured 
> claim is not found in the ID token.
> For example, not all user directory objects have an email address in Azure 
> Active Directory 
> ([https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email]).
>  We need a fallback claim support so that when there is no email address 
> claim available for a user, the OIDC identity provider should pick up 
> fallback claim(s) for the user name. For other users with emails, it should 
> continue to use the configured claim to set user name.
>  
> I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' 
> in NiFi properties and implement the fallback logic.
>  
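The lookup order described in the comment above (configured claim in the ID token, then the UserInfo endpoint) combined with the fallback-claims list proposed in the issue, as an added model written for this thread; it is not NiFi's code. The fallback property name is the one proposed in the issue, and checking fallbacks before calling UserInfo is an assumption, not documented NiFi behaviour.

```python
from typing import Callable, Mapping, Optional

PRIMARY_PROP = "nifi.security.user.oidc.claim.identifying.user"
SCOPES_PROP = "nifi.security.user.oidc.additional.scopes"
# Proposed in the issue; hypothetical until the feature lands.
FALLBACK_PROP = "nifi.security.user.oidc.fallback.claims.identifying.user"


def identifying_claims(props: Mapping[str, str]) -> list:
    """Primary claim (default 'email') followed by any comma-separated fallbacks."""
    primary = props.get(PRIMARY_PROP, "email").strip() or "email"
    raw = props.get(FALLBACK_PROP, "")
    fallbacks = [c.strip() for c in raw.split(",") if c.strip()]
    return [primary] + [c for c in fallbacks if c != primary]


def misconfigured_scopes(props: Mapping[str, str]) -> bool:
    """True when a non-email identifying claim is set but no extra scopes are
    requested, so the provider is never asked for that claim."""
    primary = props.get(PRIMARY_PROP, "email").strip() or "email"
    return primary != "email" and not props.get(SCOPES_PROP, "").strip()


def resolve_identity(
    props: Mapping[str, str],
    id_token_claims: Mapping[str, object],
    fetch_userinfo: Callable[[], Mapping[str, object]],
) -> Optional[str]:
    """Return the user identity or None if no configured claim yields a value."""
    claims = identifying_claims(props)
    # 1. Search the ID token, primary claim first, then fallbacks (assumed order).
    for claim in claims:
        value = id_token_claims.get(claim)
        if isinstance(value, str) and value:
            return value
    # 2. Only then hit the UserInfo endpoint, once, and repeat the search.
    userinfo = fetch_userinfo()
    for claim in claims:
        value = userinfo.get(claim)
        if isinstance(value, str) and value:
            return value
    return None
```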
--
This message was sent by Atlassian Jira
(v8.3.4#803005)