Malthe Borch created NIFI-10400:
-----------------------------------

Summary: Groups and/or roles via KnoxSSO
Key: NIFI-10400
URL: https://issues.apache.org/jira/browse/NIFI-10400
Project: Apache NiFi
Issue Type: New Feature
Reporter: Malthe Borch
When using KnoxSSO with OIDC we're able to get both _roles_ and _groups_ as part of user authentication.

{code:java}
2022-08-27 10:27:39,608 DEBUG filter.Pac4jIdentityAdapter (Pac4jIdentityAdapter.java:doFilter(92)) - User authenticated as: #OidcProfile# | id: [REDACTED] | attributes: {sub=[REDACTED], amr=["pwd"], roles=["Reader"], iss=https://sts.windows.net/[REDACTED]/, oid=[REDACTED], preferred_username=mbo...@gmail.com, tid=[REDACTED], ipaddr=[REDACTED], exp=Sat Aug 27 11:27:38 CEST 2022, iat=Sat Aug 27 10:22:38 CEST 2022, email=[REDACTED], ver=1.0, groups=["[\"[REDACTED]\",\"[REDACTED]\"]"], uti=[REDACTED], given_name=[REDACTED], token_expiration_advance=-1, aud=[[REDACTED]], unique_name=[REDACTED], nbf=Sat Aug 27 10:22:38 CEST 2022, idp=live.com, rh=[REDACTED], name=[REDACTED], expiration=Sat Aug 27 11:27:38 CEST 2022, family_name=[REDACTED]} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |
{code}

The roles are more immediately useful because they can be plain text rather than opaque ids; for example, I have assigned the role "Reader". Note that this is using Azure AD, where roles are assigned using {_}app roles{_}.

It would be very useful if any roles and/or groups were available as groups when authorizing the identity in NiFi:

{code:java}
2022-08-27 10:27:40,056 INFO [NiFi Web Server-147] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[REDACTED]], groups[] does not have permission to access the requested resource. Unknown user with identity '[REDACTED]'. Returning Forbidden response.
{code}

As shown above, the groups here are an empty array.
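An added example, in Python rather than Knox or NiFi code, of how the two claims visible in the Pac4jIdentityAdapter debug line could be normalized into one group list for an authorizer. The claim shapes are taken from that log line: `roles` is a plain JSON array, while `groups` arrived as a one-element array whose single element is itself a JSON-encoded array (double encoding), so a naive reading would yield one bogus group named `["…","…"]` instead of two object ids. The sample claims, object ids and the `roles:`/`groups:` prefix convention are constructed for illustration and are not part of the issue, Knox or NiFi.

```python
"""Normalize OIDC role/group claims into group names for an authorizer.

Added example, not Apache Knox or NiFi code. Handles the claim shapes
seen in the issue's debug line: a plain JSON array (`roles`) and a
double-encoded array-in-a-string (`groups`). Sample data is constructed.
"""
import json
from typing import Any, Iterable


def _flatten_claim(value: Any) -> list[str]:
    """Return the string members of a claim.

    Accepts a bare string, a list of strings, or a list whose elements are
    JSON-encoded arrays (the double-encoded `groups` from the log line).
    A string that starts with '[' but is not valid JSON is kept verbatim
    rather than dropped, so a malformed claim is visible, not silent.
    """
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    out: list[str] = []
    for item in value:
        if not isinstance(item, str):
            # Non-string members (e.g. numeric ids) are stringified, not lost.
            out.append(str(item))
            continue
        decoded = None
        if item.startswith("["):
            try:
                decoded = json.loads(item)
            except ValueError:
                decoded = None
        if isinstance(decoded, list):
            # Recurse so a doubly (or triply) encoded array still flattens.
            out.extend(_flatten_claim(decoded))
        else:
            out.append(item)
    return out


def groups_from_claims(claims: dict, sources: Iterable[str] = ("roles", "groups"),
                       prefix: bool = False) -> list[str]:
    """Collect group identities for authorization from the named claims.

    `sources` selects which claims feed the group list (default: both).
    With `prefix=True` each entry is tagged with its claim name
    ("roles:Reader") so an app role and a directory group with the same
    text cannot collide (assumed convention, not a NiFi one). The result
    is de-duplicated and sorted so it is stable regardless of claim order.
    """
    seen: set[str] = set()
    for claim in sources:
        for member in _flatten_claim(claims.get(claim)):
            seen.add(f"{claim}:{member}" if prefix else member)
    return sorted(seen)


# Constructed claims modelled on the redacted debug line in the issue.
SAMPLE_CLAIMS = {
    "sub": "sub-placeholder",
    "preferred_username": "user@example.com",
    "roles": ["Reader"],
    # Double-encoded: a list holding one JSON string that is itself a list.
    "groups": ['["11111111-aaaa-4bbb-8ccc-000000000001",'
               '"22222222-aaaa-4bbb-8ccc-000000000002"]'],
    "idp": "live.com",
}

if __name__ == "__main__":
    print(groups_from_claims(SAMPLE_CLAIMS))
    print(groups_from_claims(SAMPLE_CLAIMS, sources=("roles",)))
    print(groups_from_claims(SAMPLE_CLAIMS, prefix=True))
```

Restricting `sources` to `("roles",)` gives the plain-text app-role names the reporter finds more useful; including `groups` adds the opaque Azure AD object ids, which only work as NiFi groups if policies are written against those ids.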