Seokwon Yang created NIFI-7924:
----------------------------------

Summary: Fallback claim(s) support in OIDC based authentication
Key: NIFI-7924
URL: https://issues.apache.org/jira/browse/NIFI-7924
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.12.1
Reporter: Seokwon Yang
Assignee: Seokwon Yang
Fix For: 1.13.0

Currently, the 'nifi.security.user.oidc.claim.identifying.user' NiFi configuration sets only one claim to bind the ID token to a username. There are corner cases where a fallback claim should be searched in case the configured claim is not found in the ID token. For example, not all user directory objects have an email address in Azure Active Directory ([https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email]).

We need fallback claim support so that when there is no email address claim available for a user, the OIDC identity provider should pick up the fallback claim(s) for the user name. For other users with emails, it should continue to use the configured claim to set the user name.

I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' in NiFi properties and implement the fallback logic.
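
The fallback order described in the issue, as an added example that is neither NiFi's implementation nor code from the issue: the configured claim is tried first and the fallback claims only when it is absent or blank. The two property names come from the issue; the comma-separated value format, the `upn` and `preferred_username` fallbacks, the helper names and the sample tokens are assumptions constructed for illustration, and the ID token's signature is assumed to have been verified before this step.

```python
import base64
import json

# Property names are from the issue; the comma-separated value format is an assumption.
PRIMARY_PROP = "nifi.security.user.oidc.claim.identifying.user"
FALLBACK_PROP = "nifi.security.user.oidc.fallback.claims.identifying.user"


def claim_order(props):
    """Return the claim names to try: configured claim first, then fallbacks."""
    primary = props.get(PRIMARY_PROP, "").strip()
    fallbacks = [c.strip() for c in props.get(FALLBACK_PROP, "").split(",")]
    order = []
    for name in [primary] + fallbacks:
        if name and name not in order:  # skip empty entries and duplicates
            order.append(name)
    return order


def decode_claims(id_token):
    """Decode the payload of an ID token whose signature was already verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_identity(claims, props):
    """Return (identity, claim_used); raise if no configured claim is usable."""
    for name in claim_order(props):
        value = claims.get(name)
        if isinstance(value, str) and value.strip():  # absent or blank: fall through
            return value.strip(), name
    raise ValueError("no identifying claim in ID token: tried %s" % claim_order(props))


def make_token(claims):
    """Build a constructed, unsigned sample token (demo data only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"typ": "JWT"}), enc(claims))


# Constructed sample configuration and tokens (hypothetical users).
PROPS = {PRIMARY_PROP: "email", FALLBACK_PROP: "upn, preferred_username"}
WITH_EMAIL = make_token({"sub": "a1", "email": "alice@example.com", "upn": "alice@corp.example"})
NO_EMAIL = make_token({"sub": "b2", "upn": "svc-etl@corp.example"})

if __name__ == "__main__":
    for token in (WITH_EMAIL, NO_EMAIL):
        print(resolve_identity(decode_claims(token), PROPS))
```

Returning the claim name alongside the identity lets the login path log which claim supplied the user name.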