Jody DesRoches created NIFI-11438:
-------------------------------------
Summary: OIDC requests all available scopes
Key: NIFI-11438
URL: https://issues.apache.org/jira/browse/NIFI-11438
Project: Apache NiFi
Issue Type: Bug
Components: Security
Affects Versions: 1.21.0
Environment: Windows ADFS used for OIDC
Reporter: Jody DesRoches
OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0.
Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.
NiFi is requesting all scopes listed in
../adfs/.well-known/openid-configuration under scopes_supported.
*Expected* only request scopes "openid email" plus values in
"nifi.security.user.oidc.additional.scopes"
Source code affecting scope selection:
https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80
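Added example, not part of the original report and not NiFi code: a small check that compares the scope parameter of a captured authorization request against the expected set (openid, email, plus nifi.security.user.oidc.additional.scopes) and flags the case where every entry of scopes_supported was requested. The host name, client id, scope names in the samples and the comma-separated property format are assumptions; all sample inputs are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

BASE_SCOPES = {"openid", "email"}  # scopes the report expects to always be sent
ADDITIONAL_SCOPES_KEY = "nifi.security.user.oidc.additional.scopes"

def additional_scopes(properties_text):
    """Read the additional scopes (assumed comma-separated) from nifi.properties text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == ADDITIONAL_SCOPES_KEY:
            return {s.strip() for s in value.split(",") if s.strip()}
    return set()

def requested_scopes(authorization_url):
    """Extract the space-delimited scope parameter from an authorization request URL."""
    query = parse_qs(urlsplit(authorization_url).query)
    return set(" ".join(query.get("scope", [])).split())

def audit(authorization_url, properties_text, discovery_json):
    """Compare requested scopes with the expected set and the provider's scopes_supported."""
    expected = BASE_SCOPES | additional_scopes(properties_text)
    requested = requested_scopes(authorization_url)
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    return {
        "unexpected": sorted(requested - expected),
        "missing": sorted(expected - requested),
        # Signature of the reported behaviour: everything the provider advertises was requested.
        "requests_all_supported": bool(supported) and supported <= requested,
    }

# Constructed sample inputs (not taken from the report).
SAMPLE_PROPERTIES = "# constructed\nnifi.security.user.oidc.additional.scopes=profile\n"
SAMPLE_DISCOVERY = json.dumps(
    {"scopes_supported": ["openid", "email", "profile", "allatclaims", "user_impersonation"]}
)
BASE_URL = "https://adfs.example.test/adfs/oauth2/authorize?response_type=code&client_id=nifi"
SAMPLE_ALL_SCOPES_URL = BASE_URL + "&scope=openid+email+profile+allatclaims+user_impersonation"
SAMPLE_EXPECTED_URL = BASE_URL + "&scope=openid%20email%20profile"

if __name__ == "__main__":
    for url in (SAMPLE_ALL_SCOPES_URL, SAMPLE_EXPECTED_URL):
        print(audit(url, SAMPLE_PROPERTIES, SAMPLE_DISCOVERY))
```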