[ 
https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jody DesRoches updated NIFI-11438:
----------------------------------
    Description: 
OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in 
../adfs/.well-known/openid-configuration under scopes_supported. 

*Expected*: only request the scopes "openid email" plus the values in 
"nifi.security.user.oidc.additional.scopes"

Source code affecting scope selection: 
[https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]


  was:
OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in 
../adfs/.well-known/openid-configuration under scopes_supported.  

*Expected*: only request the scopes "openid email" plus the values in 
"nifi.security.user.oidc.additional.scopes"


Source code affecting scope selection: 
https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80



> OIDC requests all available scopes
> ----------------------------------
>
>                 Key: NIFI-11438
>                 URL: https://issues.apache.org/jira/browse/NIFI-11438
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.21.0
>         Environment: Windows ADFS used for OIDC
>            Reporter: Jody DesRoches
>            Priority: Major
>
> OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.
> Logging exceptions in ADFS that indicate NiFi is requesting forbidden 
> resources.
> NiFi is requesting all scopes listed in 
> ../adfs/.well-known/openid-configuration under scopes_supported. 
> *Expected*: only request the scopes "openid email" plus the values in 
> "nifi.security.user.oidc.additional.scopes"
> Source code affecting scope selection: 
> [https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]
>  
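The scope selection the report describes, as an added illustration that is not part of the Jira issue and not NiFi's own code: the observed 1.21.0 behaviour (request everything the provider advertises under scopes_supported) beside the expected behaviour (openid and email plus whatever nifi.security.user.oidc.additional.scopes lists), with a check that lists the scopes a client would be over-requesting. The discovery document is a constructed sample, not captured ADFS output; the function names are hypothetical; and the property is assumed to be a comma-separated list.

```python
import json
from collections.abc import Iterable

# Constructed sample of an ADFS-style discovery document (not captured from a
# real server); only the fields this example reads are present.
DISCOVERY_JSON = """
{
  "issuer": "https://adfs.example.test/adfs",
  "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
  "scopes_supported": ["openid", "email", "profile", "allatclaims",
                       "user_impersonation", "vpn_cert", "logon_cert"]
}
"""

# Scopes the report expects the client to always request.
DEFAULT_SCOPES = ("openid", "email")


def parse_discovery(document: str) -> dict:
    """Parse the OpenID Provider metadata JSON (hypothetical helper)."""
    return json.loads(document)


def scopes_from_discovery(discovery: dict) -> list[str]:
    """Scope selection as the report describes it for 1.21.0:
    every value advertised under scopes_supported is requested."""
    return list(discovery.get("scopes_supported", []))


def expected_scopes(additional_scopes_property: str) -> list[str]:
    """Scope selection the report expects: openid and email plus the values of
    nifi.security.user.oidc.additional.scopes. The property is assumed here to
    be comma-separated; blanks and duplicates are dropped, order is kept."""
    selected: list[str] = []
    candidates: Iterable[str] = (*DEFAULT_SCOPES, *additional_scopes_property.split(","))
    for scope in candidates:
        scope = scope.strip()
        if scope and scope not in selected:
            selected.append(scope)
    return selected


def unexpected_scopes(requested: Iterable[str], allowed: Iterable[str]) -> list[str]:
    """Requested scopes beyond the configured allow-list. A non-empty result is
    the condition behind the report: the client asks the provider for more
    than the administrator configured, which the provider may refuse."""
    allowed_set = set(allowed)
    return [scope for scope in requested if scope not in allowed_set]


def build_scope_parameter(scopes: Iterable[str]) -> str:
    """Render the selection as the space-delimited 'scope' parameter of an
    authorization request (RFC 6749, section 3.3)."""
    return " ".join(scopes)


if __name__ == "__main__":
    discovery = parse_discovery(DISCOVERY_JSON)
    observed = scopes_from_discovery(discovery)
    wanted = expected_scopes("profile")
    print("1.21.0 requests :", build_scope_parameter(observed))
    print("expected        :", build_scope_parameter(wanted))
    print("over-requested  :", unexpected_scopes(observed, wanted))
```

Running the module prints the two scope strings side by side and the four sample scopes that the discovery-driven selection requests without any configuration asking for them; comparing the scope parameter in the authorization redirect against the configured allow-list is the quickest way to confirm which selection a deployed client is using.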



--
This message was sent by Atlassian Jira
(v8.20.10#820010)