
NIFI-11781 Correct OIDC Claim Identity Processing #7468

Closed
wants to merge 1 commit into from

Conversation

exceptionfactory

Summary

NIFI-11781 Corrects OIDC username claim to application identity mapping when using optional or fallback claim properties.

Following OIDC refactoring to support refresh tokens for NIFI-4890, use of optional or fallback ID Token Claims resulted in runtime access problems. The standard Spring Security Client Registration includes a userNameAttributeName property that drives username identity resolution during the login process. This works as expected when the OIDC User Information endpoint always includes the configured claim name, such as email. However, this approach does not work when the configured claim name may be absent, requiring optional fallback claim names to be configured.

The OpenID Connect 1.0 specification requires the sub claim to be present in the OIDC User Information that the Identity Provider returns, so the changes include setting sub as the userNameAttributeName to avoid unexpected failures. A new StandardOidcUserService extends the Spring Security OidcUserService and implements support for using the first available fallback claim from the combination of OIDC User Information and OIDC ID Token Claims. This approach restores the supported behavior from NiFi 1.20.0.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

- Added StandardOidcUserService supporting fallback claim names
- Updated StandardClientRegistrationProvider to use standard Subject claim
- Updated OIDC Security Configuration to use customized OidcUserService for claim handling
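The description above explains the mechanism: keep sub (which OpenID Connect 1.0 requires) as the userNameAttributeName so the standard Spring Security login step never fails on a missing optional claim, then choose the application identity from the first configured claim that is actually present in the combined ID Token and User Information claims. The following is an added illustration, not the NiFi StandardOidcUserService or any code from this pull request; the class name FallbackClaimOidcUserService, the constructor taking an ordered list of claim names, the merge precedence in combineClaims, and the blank-value check are all assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/**
 * Hypothetical OidcUserService (not the NiFi implementation) that resolves the
 * application identity from the first configured claim that is present and
 * non-blank across ID Token and User Information claims, falling back to sub.
 */
public class FallbackClaimOidcUserService extends OidcUserService {

    /** Ordered claim names to try, e.g. ["email", "preferred_username"] (assumed configuration). */
    private final List<String> identityClaimNames;

    public FallbackClaimOidcUserService(final List<String> identityClaimNames) {
        this.identityClaimNames = List.copyOf(Objects.requireNonNull(identityClaimNames));
    }

    @Override
    public OidcUser loadUser(final OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        // The parent service loads User Information, checks that its sub matches the ID Token sub,
        // and builds the user with the registration's userNameAttributeName. With that attribute
        // set to sub this step cannot fail because an optional claim such as email is absent.
        final OidcUser oidcUser = super.loadUser(userRequest);

        final Map<String, Object> claims = combineClaims(oidcUser);
        final String nameAttributeKey = resolveNameAttributeKey(claims, identityClaimNames);

        // DefaultOidcUser rejects a nameAttributeKey that is missing from the claims; the resolver
        // guarantees a present key because sub is always carried in the ID Token.
        return new DefaultOidcUser(oidcUser.getAuthorities(), oidcUser.getIdToken(),
                oidcUser.getUserInfo(), nameAttributeKey);
    }

    /**
     * Merge ID Token claims with User Information claims. User Information values
     * overwrite ID Token values for the same claim name (assumed precedence for this example).
     */
    static Map<String, Object> combineClaims(final OidcUser oidcUser) {
        final Map<String, Object> combined = new LinkedHashMap<>(oidcUser.getIdToken().getClaims());
        final OidcUserInfo userInfo = oidcUser.getUserInfo();
        if (userInfo != null) {
            combined.putAll(userInfo.getClaims());
        }
        return combined;
    }

    /**
     * Return the first configured claim name whose value is a non-blank string.
     * A claim that is present with an empty value is treated as absent so that a
     * blank identity is never used for authorization decisions.
     */
    static String resolveNameAttributeKey(final Map<String, Object> claims, final List<String> claimNames) {
        for (final String claimName : claimNames) {
            final Object value = claims.get(claimName);
            if (value instanceof String && !((String) value).isBlank()) {
                return claimName;
            }
        }
        return IdTokenClaimNames.SUB;
    }
}
```

To wire a service like this into Spring Security, the ClientRegistration is built with `.userNameAttributeName(IdTokenClaimNames.SUB)` and the login configuration registers the service through `http.oauth2Login(login -> login.userInfoEndpoint(userInfo -> userInfo.oidcUserService(new FallbackClaimOidcUserService(List.of("email", "preferred_username")))))`. Because the parent `OidcUserService` already verifies that the User Information sub matches the ID Token sub before this class runs, letting User Information claims take precedence in the merge does not allow the identity to be switched to a different subject; the fallback only changes which claim of the same verified subject is presented as the application identity.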
@gresockj gresockj left a comment


Looks good -- tested this out and it worked as described.

Thanks!

@asfgit asfgit closed this in 95bb23d Jul 15, 2023
asfgit pushed a commit that referenced this pull request Jul 15, 2023
- Added StandardOidcUserService supporting fallback claim names
- Updated StandardClientRegistrationProvider to use standard Subject claim
- Updated OIDC Security Configuration to use customized OidcUserService for claim handling

Signed-off-by: Joe Gresock <jgresock@gmail.com>
This closes #7468.