Malthe Borch created NIFI-10400:
-----------------------------------

             Summary: Groups and/or roles via KnoxSSO
                 Key: NIFI-10400
                 URL: https://issues.apache.org/jira/browse/NIFI-10400
             Project: Apache NiFi
          Issue Type: New Feature
            Reporter: Malthe Borch


When using KnoxSSO with OIDC we're able to get both _roles_ and _groups_ as 
part of user authentication.
{code:java}
2022-08-27 10:27:39,608 DEBUG filter.Pac4jIdentityAdapter (Pac4jIdentityAdapter.java:doFilter(92)) - User authenticated as: #OidcProfile# | id: [REDACTED] | attributes: {sub=[REDACTED], amr=["pwd"], roles=["Reader"], iss=https://sts.windows.net/[REDACTED]/, oid=[REDACTED], preferred_username=mbo...@gmail.com, tid=[REDACTED], ipaddr=[REDACTED], exp=Sat Aug 27 11:27:38 CEST 2022, iat=Sat Aug 27 10:22:38 CEST 2022, email=[REDACTED], ver=1.0, groups=["[\"[REDACTED]\",\"[REDACTED]\"]"], uti=[REDACTED], given_name=[REDACTED], token_expiration_advance=-1, aud=[[REDACTED]], unique_name=[REDACTED], nbf=Sat Aug 27 10:22:38 CEST 2022, idp=live.com, rh=[REDACTED], name=[REDACTED], expiration=Sat Aug 27 11:27:38 CEST 2022, family_name=[REDACTED]} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |
{code}
The roles are more immediately useful because they can be plain text rather than opaque ids; for example, I have assigned the role "Reader".

Note that this is using Azure AD where roles are assigned using {_}app roles{_}.

It would be very useful if any roles and/or groups were available as groups 
when authorizing the identity in NiFi:
{code:java}
2022-08-27 10:27:40,056 INFO [NiFi Web Server-147] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[REDACTED]], groups[] does not have permission to access the requested resource. Unknown user with identity '[REDACTED]'. Returning Forbidden response.
{code}
As shown above, the groups here are an empty array.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
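As an added example (not code from Apache NiFi or Apache Knox), the Python below shows how the _roles_ and _groups_ claims from a profile like the one in the DEBUG line could be normalized into a single group set for authorization. The interesting detail in that line is that `groups` appears as a list holding one JSON-encoded string (a list inside a string), so it has to be decoded a second time, while `roles` is a plain list. The claim values, the `role:`/`group:` prefixes and the `extract_groups` / `is_authorized` names are assumptions made for this example; an identity with no usable claims gets no groups and is therefore denied, matching the Forbidden response above.

```python
"""Normalize OIDC role/group claims into group names for an authorizer.

Added example, not NiFi or Knox code.  The claim layout mirrors the shape
seen in the pac4j DEBUG line: 'roles' is a JSON list of strings, 'groups'
is a list whose single element is itself a JSON-encoded list.
"""
import json
from typing import Any

# Constructed profile attributes; values are placeholders, not real ids.
SAMPLE_ATTRIBUTES: dict[str, Any] = {
    "sub": "subject-placeholder",
    "roles": ["Reader"],
    "groups": ['["group-id-1","group-id-2"]'],  # double-encoded, as observed
    "preferred_username": "user@example.com",
}


def _as_string_list(value: Any) -> list[str]:
    """Coerce a claim value into a flat list of strings.

    Handles the shapes seen in practice:
      * a list of strings                      -> returned as is
      * a list whose element is a JSON string  -> decoded once more
      * a bare string                          -> single-element list,
                                                  unless it parses to a list
    Any other type is rejected rather than guessed at.
    """
    if isinstance(value, str):
        try:
            decoded = json.loads(value)
        except ValueError:
            return [value]
        return _as_string_list(decoded) if isinstance(decoded, list) else [value]
    if isinstance(value, list):
        out: list[str] = []
        for item in value:
            out.extend(_as_string_list(item))
        return out
    raise TypeError(f"unsupported claim value: {value!r}")


def extract_groups(attributes: dict[str, Any],
                   role_prefix: str = "role:",
                   group_prefix: str = "group:") -> set[str]:
    """Return the group names an authorizer would be handed for this identity.

    Roles and directory group ids are kept in separate namespaces via the
    (assumed) prefixes so an app role can never be mistaken for a group id.
    Missing or empty claims yield an empty set: deny by default.
    """
    groups: set[str] = set()
    for name in _as_string_list(attributes.get("roles", [])):
        if name:
            groups.add(role_prefix + name)
    for name in _as_string_list(attributes.get("groups", [])):
        if name:
            groups.add(group_prefix + name)
    return groups


def is_authorized(attributes: dict[str, Any], required_group: str) -> bool:
    """Simple membership check against the normalized group set."""
    return required_group in extract_groups(attributes)


if __name__ == "__main__":
    print(sorted(extract_groups(SAMPLE_ATTRIBUTES)))
    print(is_authorized(SAMPLE_ATTRIBUTES, "role:Reader"))
    print(is_authorized({"sub": "no-claims"}, "role:Reader"))
```

The second decode is deliberately limited to values that parse as a JSON list; a bare string such as `Reader` is kept literally, so a role name that happens to look like JSON text is never silently expanded into something else.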