[
https://issues.apache.org/jira/browse/NIFI-4698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16295140#comment-16295140
]
ASF GitHub Bot commented on NIFI-4698:
--------------------------------------
Github user mcgilman commented on the issue:
https://github.com/apache/nifi/pull/2346
@rsomas Thanks for submitting a PR! Reading through the JIRA, I wanted to
get your take on possibly taking a slightly different approach as it appears
that the attribute that identifies the user may differ from provider to
provider. Since there does not appear to be anything in the discovery document
that specifies the attribute, what are your thoughts on adding a property to
the nifi.properties that does? This value would default to 'email' but could be
updated to suit any value that Identity Provider supports without requiring
additional code changes.
> Nifi Open ID Connect with Azure Active Directory fails to extract email from
> UserInfoToken
> ------------------------------------------------------------------------------------------
>
> Key: NIFI-4698
> URL: https://issues.apache.org/jira/browse/NIFI-4698
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.4.0
> Environment: Microsoft Azure
> Reporter: Raghu Somasundaram
> Fix For: 1.5.0
>
>
> While integrating with Microsoft Azure Active Directory through
> OpenIDConnect, Azure AD sends back Json response without "email" attribute.
> This causes Nifi to throw following exception:
> 2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
> java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
> at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
> at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
> at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
> at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
> at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> The workaround is to extract the "upn" attribute for the email. This code fix checks
> the JSON response for the "email" attribute. If email is empty, it returns the "upn"
> value as the email. If both email and upn are empty, we throw the same exception
> as above.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
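The two approaches discussed in this thread, the PR's fixed "email then upn" fallback and the reviewer's suggestion of a configurable claim name defaulting to 'email', side by side in an added example. This is illustrative code, not NiFi's StandardOidcIdentityProvider; the property name oidc.identity.claim and the sample UserInfo responses are constructed for the example and are not taken from nifi.properties or from any real provider. Both strategies treat an absent, non-string or blank claim as missing, which is the Azure AD case that triggered the exception above.

```python
"""Added example (not Apache NiFi project code): resolving the user identity
from an OIDC UserInfo response when the identifying claim varies by provider.

  1. fixed fallback: try "email", then "upn" (the approach described in the PR)
  2. configurable claim: read the claim name from a .properties file,
     defaulting to "email" (the approach suggested in review)
"""
import json

# Hypothetical property name for this example; NOT a real nifi.properties key.
IDENTITY_CLAIM_PROPERTY = "oidc.identity.claim"
DEFAULT_IDENTITY_CLAIM = "email"


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def _claim_value(claims, name):
    """Return the claim only if it is a non-empty string; anything else counts as absent."""
    value = claims.get(name)
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def lookup_identity_with_fallback(claims, primary="email", fallbacks=("upn",)):
    """Strategy 1: the primary claim, then an ordered list of fallback claims."""
    for name in (primary, *fallbacks):
        value = _claim_value(claims, name)
        if value is not None:
            return value
    raise ValueError("Unable to extract %s from the UserInfo token." % primary)


def lookup_identity_configured(claims, props):
    """Strategy 2: the claim name comes from configuration, defaulting to 'email'."""
    name = props.get(IDENTITY_CLAIM_PROPERTY, DEFAULT_IDENTITY_CLAIM)
    value = _claim_value(claims, name)
    if value is None:
        raise ValueError("Unable to extract %s from the UserInfo token." % name)
    return value


# Constructed sample UserInfo responses (shapes only; not captured from a real provider).
USERINFO_WITH_EMAIL = json.loads('{"sub": "abc123", "email": "alice@example.com"}')
USERINFO_AZURE_STYLE = json.loads('{"sub": "def456", "upn": "alice@example.com", "email": ""}')
USERINFO_NO_IDENTITY = json.loads('{"sub": "ghi789", "name": "Alice"}')

# Constructed configuration: one deployment with no claim configured, one set to upn.
PROPS_DEFAULT = parse_properties("# no identity claim configured\n")
PROPS_UPN = parse_properties("oidc.identity.claim=upn\n")


def demo():
    """Run both strategies over the samples; the default config fails on the Azure-style response."""
    results = {
        "fallback_email": lookup_identity_with_fallback(USERINFO_WITH_EMAIL),
        "fallback_azure": lookup_identity_with_fallback(USERINFO_AZURE_STYLE),
        "configured_upn": lookup_identity_configured(USERINFO_AZURE_STYLE, PROPS_UPN),
    }
    try:
        lookup_identity_configured(USERINFO_AZURE_STYLE, PROPS_DEFAULT)
    except ValueError as exc:
        results["configured_default_azure_error"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The configurable variant fails loudly when the operator has not set the claim for a provider that omits email, which is the same failure as the original report but now fixable by configuration alone; the fallback variant hides that difference by silently choosing a different claim, so operators should know which claim their authorizer policies are actually keyed on.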