[ https://issues.apache.org/jira/browse/NIFI-4698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Raghu Somasundaram updated NIFI-4698:
-------------------------------------
    Description: 
While integrating with Microsoft Azure Active Directory through OpenIDConnect, 
Azure AD sends back Json response without "email" attribute. This causes Nifi 
to throw following exception:
2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
        at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
        at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
        at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
        at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
        at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
        at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)

The workaround is to extract "upn" attribute for email. This code fix checks 
the json response for "email" attribute. If email is empty, it returns "upn" 
value as email. If both email and upn are empty, we throw the same exception 
as above.


  was:
While integrating with Microsoft Azure Active Directory through OpenIDConnect, 
Azure AD sends back Json response without "email" attribute. This cause Nifi to 
throw following exception:
2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
        at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
        at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
        at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
        at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
        at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
        at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)

The workaround is to extract "upn" attribute for email. This code fix checks 
the json response for "email". If email is empty, it returns "upn" value as 
email. If both email and upn are empty, we throw the same exception as above.



> Nifi Open ID Connect with Azure Active Directory fails to extract email from 
> UserInfoToken
> ------------------------------------------------------------------------------------------
>
>                 Key: NIFI-4698
>                 URL: https://issues.apache.org/jira/browse/NIFI-4698
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.4.0
>         Environment: Microsoft Azure
>            Reporter: Raghu Somasundaram
>             Fix For: 1.5.0
>
>
> While integrating with Microsoft Azure Active Directory through 
> OpenIDConnect, Azure AD sends back Json response without "email" attribute. 
> This causes Nifi to throw following exception:
> 2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
> java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
>         at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
>         at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
>         at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
>         at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>         at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
>         at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> The workaround is to extract "upn" attribute for email. This code fix checks 
> the json response for "email" attribute. If email is empty, it returns "upn" 
> value as email. If both email and upn are empty, we throw the same exception 
> as above.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
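
The fallback the issue description outlines ("email" first, then "upn", otherwise the same exception), as an added example that is not NiFi's code or the reporter's patch. It works on a plain map of UserInfo claims; the class name, method name and sample claim values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class OidcIdentityClaimExample {

    // Claims tried in order: "email" first, then Azure AD's "upn", as the issue describes.
    static final List<String> IDENTITY_CLAIMS = Arrays.asList("email", "upn");

    /** Returns the first usable claim value, or fails with the message quoted in the issue. */
    static String lookupIdentity(Map<String, Object> userInfoClaims) {
        for (String name : IDENTITY_CLAIMS) {
            Object value = userInfoClaims.get(name);
            // A claim may be absent, null, blank, or not a string at all; skip every such case.
            if (value instanceof String && !((String) value).trim().isEmpty()) {
                return ((String) value).trim();
            }
        }
        // Fail closed: with no usable identity claim the login is rejected.
        throw new IllegalStateException("Unable to extract email from the UserInfo token.");
    }

    public static void main(String[] args) {
        // Constructed sample claim sets, not captured from a real identity provider.
        Map<String, Object> withEmail = new LinkedHashMap<>();
        withEmail.put("sub", "constructed-subject-1");
        withEmail.put("email", "alice@example.com");
        withEmail.put("upn", "alice@corp.example.com");

        Map<String, Object> emailEmpty = new LinkedHashMap<>();
        emailEmpty.put("sub", "constructed-subject-2");
        emailEmpty.put("email", "");
        emailEmpty.put("upn", "bob@corp.example.com");

        Map<String, Object> neither = new LinkedHashMap<>();
        neither.put("sub", "constructed-subject-3");

        System.out.println(lookupIdentity(withEmail));   // "email" is present and wins
        System.out.println(lookupIdentity(emailEmpty));  // falls back to "upn"
        try {
            lookupIdentity(neither);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whichever claim is returned becomes the identity the user logs in with, so access policies written against an email address need to match the "upn" form when the fallback is taken.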
