[jira] [Created] (NIFI-6171) Fix OIDC implementation

Tue, 02 Apr 2019 00:22:15 -0700 

Simon Linder created NIFI-6171:
----------------------------------

             Summary: Fix OIDC implementation
                 Key: NIFI-6171
                 URL: https://issues.apache.org/jira/browse/NIFI-6171
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.9.1
            Reporter: Simon Linder


The implementation using OIDC has some issues (see the class 
*StandardOidcIdentityProvider* for all issues):
 * when accessing an OIDC endpoint that doesn't provide any scopes, you'll get 
a NullPointerException
 * when accessing an OIDC endpoint that doesn't provide the *email* scope, 
you'll never have the chance to login at all

The first issue is just a wrong implementation of the check (line 151).

The complete implementation is not correct in my opinion. The [OpenID spec for 
the discovery 
endpoint|https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata]
 states that it is *RECOMMENDED* to send the *scopes_supported* within the 
provider metadata. Therefore it is not assured to have those scopes. The 
implementation of the *StandardOidcIdentityProvider* want's to throw an 
exception within the constructor if neither the scope OPENID nor EMAIL is 
provided (there is an error in the implementation, see line 151).

On the other side in the overwritten function *getScopes()* (line 250), the 
*openid* scope is always added, the *email* scope is only added when the 
metadata contains this scope. Otherwise the function *lookupEmail()* (line 336) 
is called to get the email out of the UserInfo endpoint using the Bearer token. 
This also will never work, because the Bearer token doesn't contain the email 
scope, thus it will never be returned.

Therefore I would remove the check in the constructor as well as the function 
(lookupEmail()) completely, add the *email* scope to every request and throw an 
exception, if the email address is not provided.

This can all be tested and simulated by connecting to Google OIDC, but 
commenting the code in the *getScopes()* function so that the email scope is 
not sent (line 258).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to