jfrazee commented on a change in pull request #4630:
URL: https://github.com/apache/nifi/pull/4630#discussion_r553486148
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/oidc/StandardOidcIdentityProviderGroovyTest.groovy
##########
@@ -411,10 +411,30 @@ class StandardOidcIdentityProviderGroovyTest extends
GroovyTestCase {
assert exp <= System.currentTimeMillis() + 10_000
}
+ @Test
+ void
testconvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims()
{
Review comment:
```suggestion
@Test
void
testConvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims()
{
```
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/oidc/StandardOidcIdentityProviderGroovyTest.groovy
##########
@@ -411,10 +411,30 @@ class StandardOidcIdentityProviderGroovyTest extends
GroovyTestCase {
assert exp <= System.currentTimeMillis() + 10_000
}
+ @Test
+ void
testconvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims()
{
+ // Arrange
+ StandardOidcIdentityProvider soip =
buildIdentityProviderWithMockTokenValidator(["getOidcClaimIdentifyingUser":
"email", "getOidcFallbackClaimsIdentifyingUser": ["upn"] ])
+ String expectedUpn = "xxx@aaddomain";
+
+ OIDCTokenResponse mockResponse = mockOIDCTokenResponse(["email": null,
"upn": expectedUpn])
+ logger.info("OIDC Token Response with no email and upn:
${mockResponse.dump()}")
+
+ String loginToken =
soip.convertOIDCTokenToLoginAuthenticationToken(mockResponse)
+ logger.info("NiFi token create with upn: ${loginToken}")
+ // Assert
+ // Split JWT into components and decode Base64 to JSON
+ def (String contents, String expiration) =
loginToken.tokenize("\\[\\]")
+ logger.info("Token contents: ${contents} | Expiration: ${expiration}")
+ assert contents =~ "LoginAuthenticationToken for ${expectedUpn} issued
by https://accounts\\.issuer\\.com expiring at"
+
+
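Review bot: The only identity assertion is the regex against `expectedUpn`, so this test would also pass if the provider had ignored the `upn` claim and obtained the same value from the UserInfo endpoint; the fallback-claim path is not actually distinguished from the pre-existing path. Consider making the UserInfo stub return a different identity than the upn, or having it fail when invoked if `buildIdentityProviderWithMockTokenValidator` allows that, so the test proves the claim was used without a remote call. The `expiration` component is logged but never asserted, while the neighbouring test bounds it with `exp <= System.currentTimeMillis() + 10_000`; the same check would fit here. The test method continues past the quoted hunk.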
Review comment:
```suggestion
```
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -439,8 +439,17 @@ private LoginAuthenticationToken
convertOIDCTokenToLoginAuthenticationToken(OIDC
identity = claimsSet.getStringClaim(EMAIL_CLAIM);
logger.info("The 'email' claim was present. Using that claim
to avoid extra remote call");
} else {
- identity = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
- logger.info("Retrieved identity from UserInfo endpoint");
+ final List<String> fallbackClaims =
properties.getOidcFallbackClaimsIdentifyingUser();
+ for (String fallbackClaim : fallbackClaims) {
+ if (availableClaims.contains(fallbackClaim)) {
+ identity = claimsSet.getStringClaim(fallbackClaim);
+ break;
+ }
+ }
+ if (StringUtils.isBlank(identity)) {
+ identity =
retrieveIdentityFromUserInfoEndpoint(oidcTokens);
+ }
+
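Review bot: The loop breaks on the first fallback claim that is merely present, so when that claim exists with a blank value the remaining configured fallback claims are never consulted and the code falls through to the UserInfo call; the break should depend on the value, `identity = claimsSet.getStringClaim(fallbackClaim); if (StringUtils.isNotBlank(identity)) { break; }`. The new branch also no longer records which source supplied the identity, whereas the email branch just above logs its choice; a log line naming the fallback claim that was used (the claim name, not the identity value) and one before the UserInfo call would preserve the audit trail the removed message gave. If `getOidcFallbackClaimsIdentifyingUser()` can return null when the property is unset, the enhanced for loop throws a NullPointerException, which is worth confirming against the properties implementation. The enclosing method starts and ends outside the hunk.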
Review comment:
```suggestion
```