[
https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17715057#comment-17715057
]
ASF subversion and git services commented on NIFI-11438:
--------------------------------------------------------
Commit 1639ecee11d5ed2502d11e1f97bdb800b5d2bc0a in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=1639ecee11 ]
NIFI-11438 Set standard OpenID Connect Scopes
- Restored previous behavior of sending openid and email scopes for OpenID
Connect token requests
- Added offline_access scope as the default value in nifi.properties to support
Refresh Tokens
This closes #7168
Signed-off-by: Paul Grey <[email protected]>
> OIDC requests all available scopes
> ----------------------------------
>
> Key: NIFI-11438
> URL: https://issues.apache.org/jira/browse/NIFI-11438
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.21.0
> Environment: Windows ADFS used for OIDC
> Reporter: Jody DesRoches
> Assignee: David Handermann
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.
> Logging exceptions in ADFS that indicate NiFi is requesting forbidden
> resources.
> NiFi is requesting all scopes listed in
> ../adfs/.well-known/openid-configuration under {_}scopes_supported{_}.
> *Expected* only request scopes "{_}openid{_} _email"_ plus values in
> "{_}nifi.security.user.oidc.additional.scopes"{_}
> Source code affecting scope selection:
> [https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
