[jira] [Commented] (NIFI-7924) Fallback claim(s) support in OIDC based authentication

Fri, 20 Nov 2020 13:22:35 -0800 


    [ 
https://issues.apache.org/jira/browse/NIFI-7924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236447#comment-17236447
 ] 

M Tien commented on NIFI-7924:
------------------------------

[~sjyang18] I reviewed your PR and left a comment on the PR:

Thank you for submitting this. I've reviewed it and the functionality LGTM. I 
verified I can log in with OIDC enabled and verified the tests will use the 
listed fallback claim when email is not available.

One suggestion is to update the NiFi docs with a description of the new 
fallback claim property. Here's a link to the docs section I'm referring to:

[http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect]

I can give a +1 once this is updated. Thanks!

> Fallback claim(s) support in OIDC based authentication
> ------------------------------------------------------
>
>                 Key: NIFI-7924
>                 URL: https://issues.apache.org/jira/browse/NIFI-7924
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: Seokwon Yang
>            Assignee: Seokwon Yang
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently, 'nifi.security.user.oidc.claim.identifying.user' NiFi 
> configuration sets only one claim to bind ID token to username. There are 
> corner-case where fallback claim should search in case the configured claim 
> is not found in ID token.
> For example, not all user directory objects has email address in Azure 
> Activity Directory 
> ([https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email]).
>  We need a fallback claim support so that when there is no email address 
> claim available for a user, the OIDC identity provider should pick up 
> fallback claim(s) for the user name. For other users with emails, it should 
> continue to use the configured claim to set user name.
>  
> I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' 
> in NiFi properties and implement the fallback logic .
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to