[ 
https://issues.apache.org/jira/browse/NIFI-6171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16827305#comment-16827305
 ] 

ASF subversion and git services commented on NIFI-6171:
-------------------------------------------------------

Commit 0650521eb276bb4a68c271be9f49325fdcffaee0 in nifi's branch 
refs/heads/master from simonl
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=0650521 ]

NIFI-6171 always send email scope for OIDC
NIFI-6171 re-added lookupEmail() as fallback
NIFI-6171 additional OIDC scopes via nifi.properties
NIFI-6171 alternative user identification (instead of email) via 
nifi.properties
NIFI-6171 changed lookupEmail() so that any configured claim can be fetched from 
the UserInfo endpoint

This closes #3398
This closes #2346


> Fix OIDC implementation
> -----------------------
>
>                 Key: NIFI-6171
>                 URL: https://issues.apache.org/jira/browse/NIFI-6171
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.9.1
>            Reporter: Simon Linder
>            Priority: Minor
>              Labels: security
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> The implementation using OIDC has some issues (see the class 
> *StandardOidcIdentityProvider* for all issues):
>  * when accessing an OIDC endpoint that doesn't provide any scopes, you'll 
> get a NullPointerException
>  * when accessing an OIDC endpoint that doesn't provide the *email* scope, 
> you'll never have the chance to log in at all
> The first issue is just a wrong implementation of the check (line 151).
> The complete implementation is not correct in my opinion. The [OpenID spec 
> for the discovery 
> endpoint|https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata]
>  states that it is *RECOMMENDED* to send the *scopes_supported* within the 
> provider metadata. Therefore it is not assured to have those scopes. The 
> implementation of the *StandardOidcIdentityProvider* wants to throw an 
> exception within the constructor if neither the scope OPENID nor EMAIL is 
> provided (there is an error in the implementation, see line 151).
> On the other hand, in the overridden function *getScopes()* (line 250), the 
> *openid* scope is always added, the *email* scope is only added when the 
> metadata contains this scope. Otherwise the function *lookupEmail()* (line 
> 336) is called to get the email out of the UserInfo endpoint using the Bearer 
> token. This also will never work, because the Bearer token doesn't contain 
> the email scope, thus it will never be returned.
> Therefore I would remove the check in the constructor as well as the function 
> (lookupEmail()) completely, add the *email* scope to every request and throw 
> an exception, if the email address is not provided.
> This can all be tested and simulated by connecting to Google OIDC, but 
> commenting the code in the *getScopes()* function so that the email scope is 
> not sent (line 258).
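The scope and identity handling the issue and the commit describe, as an added standalone illustration (it is not NiFi's StandardOidcIdentityProvider code). The discovery documents, ID-token claims and the UserInfo stand-in are constructed for the example; the function and parameter names are assumptions. It shows the two points that matter: `scopes_supported` may be absent from provider metadata, so it must be consulted only when present, and a claim can be fetched from the UserInfo endpoint only when the corresponding scope was requested, so `email` (or whichever claim is configured as the identity) has to be in every request and the login must fail closed when the claim is still missing.

```python
# Added example, not NiFi's code: models the OIDC scope selection and
# identity-claim resolution discussed in NIFI-6171.
import json

# Constructed discovery document that omits scopes_supported (the discovery
# spec only RECOMMENDS it); this is the case that produced the NPE.
METADATA_NO_SCOPES = json.loads("""{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/auth",
  "token_endpoint": "https://idp.example.test/token",
  "userinfo_endpoint": "https://idp.example.test/userinfo"
}""")

# Constructed discovery document that does advertise its scopes.
METADATA_WITH_SCOPES = dict(METADATA_NO_SCOPES,
                            scopes_supported=["openid", "profile", "email"])

# Scopes sent on every request, regardless of what the provider advertises.
DEFAULT_SCOPES = ("openid", "email")


def build_scopes(metadata, additional_scopes=()):
    """Return (requested_scopes, unadvertised_scopes).

    openid and email are always requested, extra scopes from configuration
    (the nifi.properties mechanism named in the commit) are appended, and
    scopes_supported is consulted only when the provider supplied it: a
    provider that omits it is treated as "unknown", never as "unsupported".
    """
    requested = list(DEFAULT_SCOPES)
    for scope in additional_scopes:
        if scope not in requested:
            requested.append(scope)
    supported = metadata.get("scopes_supported")  # may legitimately be None
    if supported is None:
        return requested, []
    return requested, [s for s in requested if s not in supported]


def resolve_identity(id_token_claims, identity_claim, fetch_userinfo):
    """Resolve the login identity from the configured claim.

    The ID token is checked first, then the UserInfo response (fetched with
    the bearer token); if neither carries the claim the login fails closed.
    """
    value = id_token_claims.get(identity_claim)
    if value:
        return value
    value = fetch_userinfo().get(identity_claim)
    if value:
        return value
    raise ValueError(
        f"claim '{identity_claim}' not provided by ID token or UserInfo endpoint")


def make_userinfo_stub(granted_scopes):
    """Constructed stand-in for a UserInfo endpoint.

    It returns the email claim only when the access token was granted the
    email scope, which is exactly why the old lookupEmail() fallback could
    never succeed when email was left out of the request.
    """
    def fetch():
        info = {"sub": "user-123"}
        if "email" in granted_scopes:
            info["email"] = "alice@example.test"
        if "profile" in granted_scopes:
            info["preferred_username"] = "alice"
        return info
    return fetch


if __name__ == "__main__":
    scopes, unadvertised = build_scopes(METADATA_NO_SCOPES, ["profile"])
    print("requesting", scopes, "not advertised by provider:", unadvertised)
    # ID token without an email claim: the UserInfo fallback now works
    # because email was requested.
    who = resolve_identity({"sub": "user-123"}, "email", make_userinfo_stub(scopes))
    print("identity:", who)
```

When `scopes_supported` is present but lacks a requested scope, the function reports it rather than refusing to start; whether to log a warning or fail at startup is a policy choice, but the request itself must not depend on metadata the spec does not require.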



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
