exceptionfactory opened a new pull request, #7468: URL: https://github.com/apache/nifi/pull/7468
# Summary

[NIFI-11781](https://issues.apache.org/jira/browse/NIFI-11781) Corrects OIDC username claim to application identity mapping when using optional or fallback claim properties.

Following OIDC refactoring to support refresh tokens for [NIFI-4890](https://issues.apache.org/jira/browse/NIFI-4890), use of optional or fallback ID Token Claims resulted in runtime access problems.

The standard Spring Security Client Registration includes a `userNameAttributeName` property that drives username identity resolution during the login process. This works as expected when the OIDC User Information endpoint always includes the configured claim name, such as `email`. However, this approach does not work when the configured claim name may be absent, requiring optional fallback claim names to be configured.

The OpenID Connect 1.0 specification requires the `sub` claim to be present in OIDC User Information that the Identity Provider returns, so changes include setting `sub` as the `userNameAttributeName` to avoid unexpected failures. A new `StandardOidcUserService` extends the Spring Security `OidcUserService` and implements support for using the first available fallback claim from the combination of OIDC User Information and OIDC ID Token Claims. This approach restores the supported behavior from NiFi 1.20.0.

# Tracking

Please complete the following tracking steps prior to pull request creation.

### Issue Tracking

- [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created

### Pull Request Tracking

- [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
- [X] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`

### Pull Request Formatting

- [X] Pull Request based on current revision of the `main` branch
- [X] Pull Request refers to a feature branch with one commit containing changes

# Verification

Please indicate the verification steps performed prior to pull request creation.

### Build

- [X] Build completed using `mvn clean install -P contrib-check`
  - [X] JDK 17

### Licensing

- [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
- [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files

### Documentation

- [ ] Documentation formatting appears as expected in rendered files

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
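
The fallback resolution described in the summary above, sketched with the plain JDK as an added example: this is not code from the pull request or from NiFi. The class and method names, the `upn` fallback claim and the sample values are hypothetical, and both the precedence of User Information over ID Token claims and the treatment of blank values as absent are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added illustration, not NiFi code: the class, method and sample values are hypothetical.
public class FallbackClaimExample {

    /** Returns the value of the first configured claim name that carries a non-blank string. */
    static Optional<String> resolveIdentity(List<String> claimNames,
                                            Map<String, Object> userInfo,
                                            Map<String, Object> idToken) {
        // Assumption: User Information values override ID Token values on a name clash.
        Map<String, Object> claims = new LinkedHashMap<>(idToken);
        claims.putAll(userInfo);
        for (String name : claimNames) {
            Object value = claims.get(name);
            // Assumption: a blank or non-string value counts as absent.
            if (value instanceof String && !((String) value).isBlank()) {
                return Optional.of((String) value);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample claims: this provider returns no email from User Information.
        Map<String, Object> userInfo = Map.of("sub", "248289761001");
        Map<String, Object> idToken = Map.of("sub", "248289761001", "upn", "alice@example.com");

        // Configured claim only: nothing resolves, the case that needs a fallback.
        System.out.println(resolveIdentity(List.of("email"), userInfo, idToken));

        // Configured claim plus fallback: the first claim actually present is used.
        System.out.println(resolveIdentity(List.of("email", "upn"), userInfo, idToken));

        // A blank email is skipped, so an empty string never becomes the identity.
        Map<String, Object> blankEmail = Map.of("sub", "248289761001", "email", " ");
        System.out.println(resolveIdentity(List.of("email", "upn"), blankEmail, idToken));
    }
}
```

An empty result is returned to the caller rather than replaced with a default, so the login path decides explicitly what happens when no configured claim is available.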
