Seokwon Yang created NIFI-7924:
----------------------------------
Summary: Fallback claim(s) support in OIDC based authentication
Key: NIFI-7924
URL: https://issues.apache.org/jira/browse/NIFI-7924
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.12.1
Reporter: Seokwon Yang
Assignee: Seokwon Yang
Fix For: 1.13.0

Currently, the 'nifi.security.user.oidc.claim.identifying.user' NiFi configuration
sets only one claim to bind the ID token to a username. There are corner cases where
a fallback claim should be searched in case the configured claim is not found in the
ID token.

For example, not all user directory objects have an email address in Azure Activity
Directory
(https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email).

We need fallback claim support so that when there is no email address claim
available for a user, the OIDC identity provider should pick up fallback
claim(s) for the user name. For other users with emails, it should continue to
use the configured claim to set the user name.

I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' in
NiFi properties and implement the fallback logic.
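The fallback lookup described in this issue, sketched as an added example; it is not NiFi's code or the reporter's patch. The class and method names are hypothetical, and the comma-separated fallback list, the `upn` and `preferred_username` claim names, and the sample tokens are assumptions. The claims map is assumed to come from an ID token whose signature, issuer and audience were already validated.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class FallbackClaimExample {
    // Configured claim first, then each fallback in the order listed.
    // Assumption: the fallback property holds a comma-separated list.
    static List<String> claimOrder(String primaryClaim, String fallbackClaims) {
        List<String> order = new ArrayList<>();
        order.add(primaryClaim.trim());
        if (fallbackClaims != null) {
            Arrays.stream(fallbackClaims.split(","))
                    .map(String::trim)
                    .filter(name -> !name.isEmpty())
                    .forEach(order::add);
        }
        return order;
    }

    // First claim that is present as a non-blank string wins. A missing claim,
    // a blank value or a non-string value (e.g. an array) moves on to the next.
    static Optional<String> resolveIdentity(Map<String, Object> claims, List<String> order) {
        for (String name : order) {
            Object value = claims.get(name);
            if (value instanceof String && !((String) value).trim().isEmpty()) {
                return Optional.of(((String) value).trim());
            }
        }
        return Optional.empty(); // caller should reject the login, not invent a name
    }

    public static void main(String[] args) {
        List<String> order = claimOrder("email", "upn, preferred_username");

        // Constructed sample claim sets, not real tokens.
        Map<String, Object> withEmail = new LinkedHashMap<>();
        withEmail.put("email", "alice@example.com");
        withEmail.put("upn", "alice@corp.example.com");
        Map<String, Object> withoutEmail = new LinkedHashMap<>();
        withoutEmail.put("upn", "svc-build@corp.example.com");
        Map<String, Object> blankEmailOnly = new LinkedHashMap<>();
        blankEmailOnly.put("email", "   ");

        System.out.println(resolveIdentity(withEmail, order));      // configured claim is used
        System.out.println(resolveIdentity(withoutEmail, order));   // falls back to upn
        System.out.println(resolveIdentity(blankEmailOnly, order)); // nothing usable
    }
}
```

Because NiFi policies are keyed on the resolved user name, the same person can map to a different identity depending on which claim matched, so every fallback claim should be one the identity provider guarantees unique and does not let users edit.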