[ https://issues.apache.org/jira/browse/NIFI-7924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17222659#comment-17222659 ]

Seokwon Yang commented on NIFI-7924:
------------------------------------

In my customer's scenario with Azure Active Directory, it is natural to use 
email as the default claim, but some user directory objects (non-guest user 
accounts) only have a UPN claim, not a user email. So, having one claim would not 
work for our scenario. The UserInfo endpoint for our case does not include the upn 
claim.

And, we need a feature to configure default and fallback claims, so that we use 
the same configuration in the UserGroupProvider for Azure Active Directory. I have 
the corresponding PR ([https://github.com/apache/nifi/pull/4367]).
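As an added illustration of the primary-then-fallback claim resolution discussed in this thread (not code from the NiFi PR or the NiFi code base): a standalone Java class that parses a comma-separated fallback list, tries the configured claim first, then each fallback in order, accepts only non-blank string values, and reports which claim supplied the identity so it can be audited. The property values, claim names other than `email`/`upn`, and the sample claim sets are constructed for the example.

```java
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

// Standalone illustration of fallback claim resolution (not NiFi project code).
public class OidcClaimFallback {
    // Hypothetical values for the two properties named in NIFI-7924.
    static final String PRIMARY_CLAIM = "email";                     // nifi.security.user.oidc.claim.identifying.user
    static final String FALLBACK_CLAIMS = "upn, preferred_username"; // nifi.security.user.oidc.fallback.claims.identifying.user

    /** Parse a comma-separated property into an ordered, trimmed list, dropping empty entries. */
    static List<String> parseClaimList(String value) {
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    /**
     * Return (claimName, value) for the first claim in [primary, fallbacks...] that is present
     * as a non-blank string. Non-string or blank values are skipped rather than accepted,
     * so a malformed token cannot yield an empty identity. Empty result = no usable claim.
     */
    static Optional<Map.Entry<String, String>> resolveIdentity(
            Map<String, Object> claims, String primary, List<String> fallbacks) {
        List<String> order = new ArrayList<>();
        order.add(primary);
        order.addAll(fallbacks);
        for (String claim : order) {
            Object v = claims.get(claim);
            if (v instanceof String && !((String) v).trim().isEmpty()) {
                return Optional.of(new AbstractMap.SimpleEntry<>(claim, ((String) v).trim()));
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        List<String> fallbacks = parseClaimList(FALLBACK_CLAIMS);
        // Constructed sample claim sets: a user with email, a user with only a UPN, and neither.
        Map<String, Object> withEmail = new HashMap<>();
        withEmail.put("email", "alice@example.com"); withEmail.put("upn", "alice@example.com");
        Map<String, Object> upnOnly = new HashMap<>();
        upnOnly.put("upn", "bob@example.com");
        Map<String, Object> neither = new HashMap<>();
        neither.put("sub", "constructed-subject-id");
        for (Map<String, Object> claims : Arrays.asList(withEmail, upnOnly, neither)) {
            Optional<Map.Entry<String, String>> id = resolveIdentity(claims, PRIMARY_CLAIM, fallbacks);
            System.out.println(id.map(e -> "identity=" + e.getValue() + " (from claim '" + e.getKey() + "')")
                                 .orElse("no identifying claim found; authentication must fail"));
        }
    }
}
```

Logging which claim was used matters because a fallback claim must map to the same principal the UserGroupProvider knows, otherwise a user may authenticate under an identity that has no authorizations.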


> Fallback claim(s) support in OIDC based authentication
> ------------------------------------------------------
>
>                 Key: NIFI-7924
>                 URL: https://issues.apache.org/jira/browse/NIFI-7924
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: Seokwon Yang
>            Assignee: Seokwon Yang
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the 'nifi.security.user.oidc.claim.identifying.user' NiFi 
> configuration sets only one claim to bind the ID token to a username. There are 
> corner cases where a fallback claim should be searched in case the configured claim 
> is not found in the ID token.
> For example, not all user directory objects have an email address in Azure 
> Active Directory 
> ([https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email]).
> We need fallback claim support so that when there is no email address 
> claim available for a user, the OIDC identity provider should pick up the 
> fallback claim(s) for the user name. For other users with emails, it should 
> continue to use the configured claim to set the user name.
>
> I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' 
> in NiFi properties and implement the fallback logic.
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
