mcgilman commented on a change in pull request #3398: NIFI-6171 always send email scope for OIDC
URL: https://github.com/apache/nifi/pull/3398#discussion_r277326536
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
##########
@@ -307,17 +296,22 @@ public String exchangeAuthorizationCode(final
AuthorizationGrant authorizationGr
// validate the token - no nonce required for authorization
code flow
final IDTokenClaimsSet claimsSet =
tokenValidator.validate(oidcJwt, null);
- // attempt to extract the email from the id token if possible
- String email = claimsSet.getStringClaim(EMAIL_CLAIM_NAME);
- if (StringUtils.isBlank(email)) {
+ // attempt to extract the configured claim to access the
user's identity; default is 'email'
+ String identity =
claimsSet.getStringClaim(properties.getOidcClaimIdentifyingUser());
+ if (StringUtils.isBlank(identity)) {
+ // explicitly try to get the identity from the UserInfo
endpoint with the 'email' claim
+ logger.warn("The identity of the user was tried to get
with the claim '" +
+ properties.getOidcClaimIdentifyingUser() + "'. The
according additional scope is not " +
+ "configured correctly. Trying to get it with the
'email' claim.");
Review comment:
Assuming we update `lookupEmail` we should probably adjust this log message.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.