[ https://issues.apache.org/jira/browse/NIFI-4698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16775593#comment-16775593 ]
Bruce Nelson commented on NIFI-4698:
------------------------------------
Verified the workaround works with NiFi 1.8 and 1.9 - the fix seems solid
enough that it should be merged in. Tested with basic OAuth2 and ADFS redirect.
> Nifi Open ID Connect with Azure Active Directory fails to extract email from
> UserInfoToken
> ------------------------------------------------------------------------------------------
>
> Key: NIFI-4698
> URL: https://issues.apache.org/jira/browse/NIFI-4698
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.4.0
> Environment: Microsoft Azure
> Reporter: Raghu Somasundaram
> Priority: Major
>
> While integrating with Microsoft Azure Active Directory through
> OpenIDConnect, Azure AD sends back a JSON response without the "email"
> attribute. This causes NiFi to throw the following exception:
> 2017-12-12 16:34:20,442 ERROR [NiFi Web Server-67] org.apache.nifi.web.api.AccessResource Unable to exchange authorization for ID token: Unable to extract email from the UserInfo token.
> java.lang.IllegalStateException: Unable to extract email from the UserInfo token.
>     at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.lookupEmail(StandardOidcIdentityProvider.java:352)
>     at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.exchangeAuthorizationCode(StandardOidcIdentityProvider.java:306)
>     at org.apache.nifi.web.security.oidc.OidcService.exchangeAuthorizationCode(OidcService.java:192)
>     at org.apache.nifi.web.api.AccessResource.oidcCallback(AccessResource.java:256)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
>     at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> The workaround is to extract the "upn" attribute for email. This code fix
> checks the JSON response for the "email" attribute. If email is empty, it
> returns the "upn" value as email. If both email and upn are empty, we throw
> the same exception as above.
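The fallback described in the issue, written out as an added example; this is not the NiFi patch or any code from the project. It generalizes the two-claim case to an ordered list of claim names, and it assumes the UserInfo JSON has already been parsed into a map (the class name, method name and map shape are hypothetical).

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class IdentityClaimFallback {

    // Claim names from the issue text: try "email" first, then "upn".
    static final List<String> CLAIM_ORDER = Arrays.asList("email", "upn");

    /**
     * Returns the first claim in claimOrder whose value is a non-blank string.
     * The claims map stands in for the parsed UserInfo JSON (hypothetical shape).
     */
    static String lookupIdentity(Map<String, Object> claims, List<String> claimOrder) {
        for (String name : claimOrder) {
            Object value = claims.get(name);
            // Skip missing, null, non-string (e.g. array) and whitespace-only values.
            if (value instanceof String && !((String) value).trim().isEmpty()) {
                return ((String) value).trim();
            }
        }
        // Same failure as in the report when no listed claim is usable.
        throw new IllegalStateException("Unable to extract email from the UserInfo token.");
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real identity provider.
        Map<String, Object> withEmail = new LinkedHashMap<>();
        withEmail.put("email", "alice@example.com");
        withEmail.put("upn", "alice@corp.example.com");

        Map<String, Object> upnOnly = new LinkedHashMap<>();
        upnOnly.put("email", "  ");
        upnOnly.put("upn", "bob@corp.example.com");

        Map<String, Object> neither = new LinkedHashMap<>();
        neither.put("sub", "constructed-subject-id");

        System.out.println(lookupIdentity(withEmail, CLAIM_ORDER));
        System.out.println(lookupIdentity(upnOnly, CLAIM_ORDER));
        try {
            lookupIdentity(neither, CLAIM_ORDER);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```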