[ 
https://issues.apache.org/jira/browse/NIFI-6171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Gilman resolved NIFI-6171.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 1.10.0

> Fix OIDC implementation
> -----------------------
>
>                 Key: NIFI-6171
>                 URL: https://issues.apache.org/jira/browse/NIFI-6171
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.9.1
>            Reporter: Simon Linder
>            Priority: Minor
>              Labels: security
>             Fix For: 1.10.0
>
>          Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> The implementation using OIDC has some issues (see the class 
> *StandardOidcIdentityProvider* for all issues):
>  * when accessing an OIDC endpoint that doesn't provide any scopes, you'll 
> get a NullPointerException
>  * when accessing an OIDC endpoint that doesn't provide the *email* scope, 
> you'll never have the chance to log in at all
> The first issue is just a wrong implementation of the check (line 151).
> The complete implementation is not correct in my opinion. The [OpenID spec 
> for the discovery 
> endpoint|https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata]
>  states that it is *RECOMMENDED* to send the *scopes_supported* within the 
> provider metadata. Therefore it is not assured to have those scopes. The 
> implementation of the *StandardOidcIdentityProvider* wants to throw an 
> exception within the constructor if neither the scope OPENID nor EMAIL is 
> provided (there is an error in the implementation, see line 151).
> On the other side in the overwritten function *getScopes()* (line 250), the 
> *openid* scope is always added, the *email* scope is only added when the 
> metadata contains this scope. Otherwise the function *lookupEmail()* (line 
> 336) is called to get the email out of the UserInfo endpoint using the Bearer 
> token. This also will never work, because the Bearer token doesn't contain 
> the email scope, thus it will never be returned.
> Therefore I would remove the check in the constructor as well as the function 
> (lookupEmail()) completely, add the *email* scope to every request and throw 
> an exception, if the email address is not provided.
> This can all be tested and simulated by connecting to Google OIDC, but 
> commenting the code in the *getScopes()* function so that the email scope is 
> not sent (line 258).
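As an added illustration of the scope handling the report proposes (this is example code, not NiFi's StandardOidcIdentityProvider, and it is written in Python rather than Java): the discovery document's scopes_supported entry is treated as optional, "openid" and "email" are always requested, and login fails explicitly when the email claim is absent. The metadata documents and claims below are constructed samples.

```python
import json

# Constructed sample discovery documents (not from any real provider).
METADATA_WITH_SCOPES = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "userinfo_endpoint": "https://op.example.test/userinfo",
    "scopes_supported": ["openid", "profile"],
})
# scopes_supported is only RECOMMENDED by the discovery spec, so it may be absent.
METADATA_WITHOUT_SCOPES = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
})

# Always requested, regardless of what the provider advertises.
REQUIRED_SCOPES = ("openid", "email")


def requested_scopes(metadata_json: str, optional: tuple = ()) -> str:
    """Build the 'scope' parameter for the authorization request.

    A missing scopes_supported list is treated as "unknown" rather than as an
    error, so a provider that omits it no longer causes a null-dereference style
    failure; optional scopes are added only if the provider advertises them.
    """
    metadata = json.loads(metadata_json)
    advertised = metadata.get("scopes_supported")  # may legitimately be None
    scopes = list(REQUIRED_SCOPES)
    for scope in optional:
        if advertised is not None and scope in advertised and scope not in scopes:
            scopes.append(scope)
    return " ".join(scopes)


def identity_from_claims(id_token_claims: dict) -> str:
    """Return the email claim used as the user identity.

    Instead of a second lookup against the UserInfo endpoint with a token that
    never carried the email scope, fail loudly when the claim is not present.
    """
    email = id_token_claims.get("email")
    if not email:
        raise ValueError("ID token contains no 'email' claim; cannot derive identity")
    return email
```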



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)