Raghu Somasundaram created NIFI-4698:
----------------------------------------
Summary: Nifi Open ID Connect with Azure Active Directory fails to extract email from UserInfoToken
Key: NIFI-4698
URL: https://issues.apache.org/jira/browse/NIFI-4698
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.4.0
Environment: Microsoft Azure
Reporter: Raghu Somasundaram
Fix For: 1.5.0

While integrating with Microsoft Azure Active Directory through OpenID Connect,
Azure AD sends back a JSON response without the "email" attribute. This causes NiFi to
throw the following exception:

2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
    at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
    at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
    at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
    at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
    at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
    at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)

The workaround is to extract the "upn" attribute for email. This code fix checks
the JSON response for "email". If email is empty, it returns the "upn" value as
email. If both email and upn are empty, we throw the same exception as above.
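
The fallback described in the issue, written out as an added example (this is not NiFi's actual patch or code from the reporter). It generalizes slightly to an ordered list of claim names. The class and method names are hypothetical, the claims are passed as a plain map rather than a parsed UserInfo object, and treating whitespace-only or non-string values as empty is an assumption.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical illustration class; not part of NiFi.
public class UserInfoIdentityLookup {

    // Claims tried in order: "email" first, then Azure AD's "upn", as the issue describes.
    static final List<String> CLAIM_ORDER = Arrays.asList("email", "upn");

    // Returns the first usable claim; throws the same error as in the report if none is.
    static String lookupIdentity(Map<String, Object> claims) {
        for (String name : CLAIM_ORDER) {
            Object value = claims.get(name);
            // Assumption: missing, non-string and whitespace-only values count as empty.
            if (value instanceof String && !((String) value).trim().isEmpty()) {
                return ((String) value).trim();
            }
        }
        throw new IllegalStateException("Unable to extract email from the UserInfo token.");
    }

    public static void main(String[] args) {
        // Constructed claims resembling a UserInfo response that lacks "email".
        Map<String, Object> upnOnly = new LinkedHashMap<>();
        upnOnly.put("sub", "constructed-subject-id");
        upnOnly.put("name", "Example User");
        upnOnly.put("upn", "user@example.onmicrosoft.com");
        System.out.println(lookupIdentity(upnOnly));

        // When both claims are present, "email" still takes precedence.
        Map<String, Object> both = new LinkedHashMap<>(upnOnly);
        both.put("email", "user@example.com");
        System.out.println(lookupIdentity(both));

        // Neither claim usable: the login is rejected with the original exception.
        Map<String, Object> neither = new LinkedHashMap<>();
        neither.put("sub", "constructed-subject-id");
        neither.put("email", "   ");
        try {
            lookupIdentity(neither);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```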