Thierry PRATS created NIFI-15288:
------------------------------------

             Summary: Support OIDC acr_values and claims parameter for amr/acr in NiFi OIDC authentication
                 Key: NIFI-15288
                 URL: https://issues.apache.org/jira/browse/NIFI-15288
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Configuration, Security
            Reporter: Thierry PRATS


h3. Requested features
* Config property for acr_values in auth request (e.g. 
nifi.security.user.oidc.acr.values)
* Config for claims parameter JSON to request amr/acr

h3. Description
NiFi currently supports configuring additional OIDC scopes but does not support 
sending custom claims or explicit claim values (such as *amr* and *acr*) in the 
OIDC authentication request.

In some environments, strong authentication / MFA is enforced by the Identity 
Provider (IdP), but the client must explicitly request specific amr and/or acr 
values so that the IdP can apply the right authentication policies for a given 
application. This is the case for my deployment, where NiFi is integrated with 
an enterprise IdP and needs to trigger strong authentication flows.

In my use case, the Identity Provider is OpenAM by Ping Identity (PingAM / AM). 
It supports enforcing strong authentication using amr and acr values as 
described in its OIDC documentation:

Ping Identity OpenAM OIDC authentication requirements (amr/acr):
[https://docs.pingidentity.com/pingam/7.5/am-oidc1/oidc-authentication-requirements.html]

From the OIDC specification:

The amr claim can be requested via the claims request parameter, as defined in 
OpenID Connect Core section 5.5 “Claims Request Parameter”:
[https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter]

The acr_values parameter is an optional request parameter on the authentication 
request, as described in OpenID Connect Core section 3.1.2.1 “Authentication 
Request”:
[https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest]

As a result, NiFi cannot “tell” the IdP which level of assurance or which MFA 
profile it needs, even though the IdP supports it.
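The following is an added example, not code from NiFi or from this ticket. It shows what the two requested properties would translate into on the wire: an authentication request carrying a space-separated {{acr_values}} parameter (OIDC Core 3.1.2.1) and a {{claims}} JSON parameter asking for {{acr}} and {{amr}} in the ID token (OIDC Core 5.5), plus the relying-party check that must follow, since an IdP may return a weaker {{acr}} than requested and the client must verify what actually came back rather than assume MFA happened. The endpoint, client id, redirect URI, ACR names and the decoded ID token payloads are constructed placeholders.

```python
"""Added example (not NiFi code): building an OIDC authentication request that
carries acr_values and a claims parameter requesting amr/acr, and checking the
returned ID token against what was requested. Issuer, client id, ACR names and
the sample ID token payloads are constructed placeholders."""
import json
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed placeholders; a real deployment reads these from configuration.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/am/oauth2/authorize"
CLIENT_ID = "nifi-example-client"
REDIRECT_URI = "https://nifi.example.com/nifi-api/access/oidc/callback"
# Hypothetical values standing in for the proposed nifi.security.user.oidc.acr.values
# style properties. acr_values is space-separated per OIDC Core 3.1.2.1.
ACR_VALUES = ["urn:example:mfa", "urn:example:otp"]
AMR_REQUIRED = ["mfa"]  # authentication methods the application insists on


def build_claims_parameter(acr_values):
    """Build the OIDC Core 5.5 'claims' JSON asking for acr/amr in the ID token.
    Marking them essential tells the IdP the application cannot proceed without them."""
    claims = {
        "id_token": {
            "acr": {"essential": True, "values": list(acr_values)},
            "amr": {"essential": True},
        }
    }
    return json.dumps(claims, separators=(",", ":"))


def build_authentication_request(state, nonce):
    """Return the full authorization URL including acr_values and claims."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(ACR_VALUES),
        "claims": build_claims_parameter(ACR_VALUES),
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_authentication_request(url):
    """Decode a request URL back into a dict (claims JSON parsed) for inspection."""
    query = parse_qs(urlsplit(url).query)
    out = {k: v[0] for k, v in query.items()}
    out["claims"] = json.loads(out["claims"])
    return out


def verify_assurance(id_token_claims, acceptable_acr, required_amr):
    """Relying-party check after the ID token's signature, iss, aud, nonce and exp
    have been verified: an IdP may ignore the request or answer with a weaker acr,
    so the client enforces the assurance level itself. Returns (ok, reason)."""
    acr = id_token_claims.get("acr")
    if acr not in acceptable_acr:
        return False, f"acr {acr!r} not in acceptable set"
    amr = id_token_claims.get("amr")
    if not isinstance(amr, list):
        return False, "amr claim missing or not a list"
    missing = [m for m in required_amr if m not in amr]
    if missing:
        return False, f"amr missing required methods: {missing}"
    return True, "ok"


if __name__ == "__main__":
    url = build_authentication_request(state="st-123", nonce="n-456")
    print(url)
    # Constructed, already-decoded ID token payloads to illustrate the check.
    strong = {"sub": "alice", "acr": "urn:example:mfa", "amr": ["pwd", "mfa"]}
    weak = {"sub": "alice", "acr": "urn:example:password", "amr": ["pwd"]}
    print(verify_assurance(strong, ACR_VALUES, AMR_REQUIRED))
    print(verify_assurance(weak, ACR_VALUES, AMR_REQUIRED))
```

The second half is the part worth keeping in mind for any implementation of this request: sending {{acr_values}} only asks the IdP for a policy; the returned {{acr}} and {{amr}} claims are what prove which policy was applied, and a login should be rejected when they fall short of what the deployment requires.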



--
This message was sent by Atlassian Jira
(v8.20.10#820010)