[ 
https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711524#comment-17711524
 ] 

David Handermann commented on NIFI-11438:
-----------------------------------------

Thanks for reporting this issue [~dbmxer]. It sounds like changing the behavior 
to the previous approach of requesting only {{openid}} and {{email}} may be the 
best way forward, although this could also impact Refresh Token retrieval.

The [OpenID Connect Core 
specification|https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims]
 defines multiple optional scopes, but does not appear to define particular 
behavior when a client requests scopes that the Authorization Server disallows.

For additional background, does the current behavior in NiFi 1.21.0 disallow 
authentication altogether, or does it just result in exceptions on AD FS?


> OIDC requests all available scopes
> ----------------------------------
>
>                 Key: NIFI-11438
>                 URL: https://issues.apache.org/jira/browse/NIFI-11438
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.21.0
>         Environment: Windows ADFS used for OIDC
>            Reporter: Jody DesRoches
>            Assignee: David Handermann
>            Priority: Major
>
> OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.
> Logging exceptions in ADFS that indicate NiFi is requesting forbidden 
> resources.
> NiFi is requesting all scopes listed in 
> ../adfs/.well-known/openid-configuration under _scopes_supported_. 
> *Expected* only request scopes "_openid_ _email_" plus values in 
> "_nifi.security.user.oidc.additional.scopes_"
> Source code affecting scope selection: 
> [https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]
>  
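To make the difference between the reported and the expected scope selection concrete, here is an added illustration in Python; it is not NiFi's StandardClientRegistrationProvider code. It assumes a constructed discovery document, that nifi.security.user.oidc.additional.scopes is a comma-separated list, and it reports any configured scope the provider does not advertise, since the OpenID Connect Core specification leaves the Authorization Server's handling of such requests undefined.

```python
import json

# Constructed sample discovery document (not captured from a real AD FS endpoint).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test/adfs",
    "scopes_supported": ["openid", "email", "profile", "allatclaims", "user_impersonation"],
})

# The two scopes the issue expects NiFi to always request.
BASE_SCOPES = ("openid", "email")


def _dedupe(scopes):
    """Keep the first occurrence of each scope, preserving order."""
    seen = set()
    return [s for s in scopes if not (s in seen or seen.add(s))]


def parse_additional_scopes(property_value):
    """Split a comma-separated property value (assumed format of
    nifi.security.user.oidc.additional.scopes) into individual scopes."""
    return [s.strip() for s in property_value.split(",") if s.strip()]


def scopes_requesting_all_supported(discovery_json, additional=()):
    """Behaviour reported in the issue: every scope the provider advertises
    is requested, so the client asks for far more than it needs."""
    supported = json.loads(discovery_json).get("scopes_supported", [])
    return _dedupe(list(supported) + list(additional))


def scopes_minimal(discovery_json, additional=()):
    """Expected behaviour: openid and email plus the configured additional
    scopes only. Returns (requested, unadvertised); 'unadvertised' lists the
    requested scopes missing from scopes_supported, so an operator can check
    them against the provider before the Authorization Server rejects them."""
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    requested = _dedupe(list(BASE_SCOPES) + list(additional))
    unadvertised = [s for s in requested if s not in supported]
    return requested, unadvertised


def scope_parameter(scopes):
    """Render the OAuth 2.0 / OIDC 'scope' request parameter: space-delimited."""
    return " ".join(scopes)
```

Comparing `scopes_requesting_all_supported` with `scopes_minimal` on the same discovery document shows why the 1.21.0 behaviour trips an Authorization Server that forbids some advertised scopes, while the minimal set stays within what the deployment actually configured.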



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
