mcgilman commented on a change in pull request #3398: NIFI-6171 always send email scope for OIDC
URL: https://github.com/apache/nifi/pull/3398#discussion_r277326382
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -307,17 +296,22 @@ public String exchangeAuthorizationCode(final
AuthorizationGrant authorizationGr
// validate the token - no nonce required for authorization
code flow
final IDTokenClaimsSet claimsSet =
tokenValidator.validate(oidcJwt, null);
- // attempt to extract the email from the id token if possible
- String email = claimsSet.getStringClaim(EMAIL_CLAIM_NAME);
- if (StringUtils.isBlank(email)) {
+ // attempt to extract the configured claim to access the
user's identity; default is 'email'
+ String identity =
claimsSet.getStringClaim(properties.getOidcClaimIdentifyingUser());
+ if (StringUtils.isBlank(identity)) {
+ // explicitly try to get the identity from the UserInfo
endpoint with the 'email' claim
+ logger.warn("The identity of the user was tried to get
with the claim '" +
+ properties.getOidcClaimIdentifyingUser() + "'. The
according additional scope is not " +
+ "configured correctly. Trying to get it with the
'email' claim.");
+
// extract the bearer access token
final BearerAccessToken bearerAccessToken =
oidcTokens.getBearerAccessToken();
if (bearerAccessToken == null) {
throw new IllegalStateException("No access token found
in the ID tokens");
}
// invoke the UserInfo endpoint
- email = lookupEmail(bearerAccessToken);
+ identity = lookupEmail(bearerAccessToken);
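Review bot: the fallback `identity = lookupEmail(bearerAccessToken);` still asks the UserInfo endpoint for the email claim, so a deployment whose `nifi.properties` names a different claim (the `preferred_username` case) derives identities from two different claims depending on which branch ran, and the caller cannot tell which one produced the value. Pass the configured claim name into the lookup and read that claim from the UserInfo response, e.g. `identity = lookupIdentity(bearerAccessToken, properties.getOidcClaimIdentifyingUser());`. The warning text also reads awkwardly ("The identity of the user was tried to get with the claim") and asserts that the additional scope is misconfigured, which the code cannot know at that point (the claim may simply be absent for this user); something like `logger.warn("Claim '{}' not present in the ID token; querying the UserInfo endpoint", properties.getOidcClaimIdentifyingUser());` states what is known and uses parameterized logging instead of string concatenation.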
Review comment:
Sorry if the earlier comments weren't clear. I thought we should retain
`lookupEmail` in order to invoke the UserInfo endpoint. What I did a poor job
of relaying is that I think it should be updated to look up the user identity as
configured in `nifi.properties`. So if I configured an additional scope of
`profile` and a claim of `preferred_username` we should be extracting that
claim from the UserInfo response. Assuming we make these changes, it probably
makes sense to just rename this method `lookupIdentity`.
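The lookup the comment describes, written out as an added example; this is not code from the pull request or from NiFi, and it is built on the Nimbus OIDC SDK classes the surrounding code already uses (`BearerAccessToken`, the UserInfo request/response types). The method name `lookupIdentity`, the `userInfoEndpointUri` parameter (assumed to come from the discovered provider metadata) and the decision to fail rather than fall back to another claim are assumptions of the example; the claim name would be `properties.getOidcClaimIdentifyingUser()` in the caller.

```java
import java.io.IOException;
import java.net.URI;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;

/**
 * Added example (not NiFi code): read the identity claim configured in
 * nifi.properties from the UserInfo endpoint instead of hard-coding 'email'.
 */
public final class UserInfoIdentityLookup {

    private UserInfoIdentityLookup() {
    }

    /**
     * @param userInfoEndpointUri the provider's UserInfo endpoint (assumed to be
     *                            taken from the discovered provider metadata)
     * @param bearerAccessToken   the access token returned alongside the ID token
     * @param identityClaimName   the configured claim, e.g. "preferred_username"
     *                            when the additional 'profile' scope is requested
     * @return the claim value, never blank
     * @throws IOException if the endpoint cannot be reached
     */
    public static String lookupIdentity(final URI userInfoEndpointUri,
                                        final BearerAccessToken bearerAccessToken,
                                        final String identityClaimName) throws IOException {
        if (bearerAccessToken == null) {
            throw new IllegalStateException("No access token found in the ID tokens");
        }

        final UserInfoResponse response;
        try {
            // the bearer token is sent in the Authorization header of the request
            final HTTPResponse httpResponse =
                    new UserInfoRequest(userInfoEndpointUri, bearerAccessToken).toHTTPRequest().send();
            response = UserInfoResponse.parse(httpResponse);
        } catch (final ParseException e) {
            throw new IllegalStateException("Unable to parse the UserInfo response", e);
        }

        if (!response.indicatesSuccess()) {
            // surface the provider's error instead of silently picking another claim
            final UserInfoErrorResponse errorResponse = (UserInfoErrorResponse) response;
            throw new IllegalStateException("UserInfo request failed: " + errorResponse.getErrorObject());
        }

        final UserInfo userInfo = ((UserInfoSuccessResponse) response).getUserInfo();

        // the same claim name is used as for the ID token, so the identity is
        // derived consistently no matter which path produced it
        final String identity = userInfo.getStringClaim(identityClaimName);
        if (identity == null || identity.trim().isEmpty()) {
            throw new IllegalStateException("Claim '" + identityClaimName
                    + "' is not present in the UserInfo response; check that the additional "
                    + "scope carrying it is configured");
        }
        return identity;
    }
}
```

In the caller this replaces `identity = lookupEmail(bearerAccessToken);` with `identity = lookupIdentity(userInfoEndpointUri, bearerAccessToken, properties.getOidcClaimIdentifyingUser());`, so that both the ID-token path and the UserInfo path resolve the identity from the single configured claim.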
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services