NIFI-11781 Correct OIDC Claim Identity Processing #7468
Closed
Summary

NIFI-11781 Corrects OIDC username claim to application identity mapping when using optional or fallback claim properties.

Following OIDC refactoring to support refresh tokens for NIFI-4890, use of optional or fallback ID Token Claims resulted in runtime access problems. The standard Spring Security Client Registration includes a userNameAttributeName property that drives username identity resolution during the login process. This works as expected when the OIDC User Information endpoint always includes the configured claim name, such as email. However, this approach does not work when the configured claim name may be absent, requiring optional fallback claim names to be configured.

The OpenID Connect 1.0 specification requires the sub claim to be present in OIDC User Information that the Identity Provider returns, so changes include setting sub as the userNameAttributeName to avoid unexpected failures. A new StandardOidcUserService extends the Spring Security OidcUserService and implements support for using the first available fallback claim from the combination of OIDC User Information and OIDC ID Token Claims. This approach restores the supported behavior from NiFi 1.20.0.

Tracking
Please complete the following tracking steps prior to pull request creation.

- Issue Tracking: NIFI-00000
- Pull Request Tracking: NIFI-00000
- Pull Request Formatting: main branch

Verification

Please indicate the verification steps performed prior to pull request creation.

- Build: mvn clean install -P contrib-check
- Licensing: LICENSE and NOTICE files
- Documentation
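The pattern the summary describes, written out as an added illustration rather than the project's own StandardOidcUserService: the Client Registration keeps sub as userNameAttributeName so the delegated Spring Security call cannot fail on an absent optional claim, and the service then re-resolves the identity from the first configured claim present in the union of ID Token and UserInfo claims, falling back to sub. It assumes Spring Security 6 (OidcUserService, OidcUserRequest, DefaultOidcUser, OidcUserInfo, IdTokenClaimNames, OAuth2Error, OAuth2AuthenticationException) and Java 11 or later for String.isBlank(); the class name FallbackClaimOidcUserService, the constructor argument, and the invalid_user_info error code are assumptions for the example.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/**
 * Illustrative OidcUserService (not the NiFi project's code) that resolves the
 * application identity from the first configured claim found in either the
 * UserInfo response or the ID Token, falling back to the mandatory sub claim.
 */
public class FallbackClaimOidcUserService extends OidcUserService {

    // Ordered claim names to try, for example ["email", "preferred_username"].
    // Assumed to come from application configuration; sub is tried last because
    // OpenID Connect 1.0 requires it, so it is the only claim that is always safe.
    private final List<String> claimNames;

    public FallbackClaimOidcUserService(final List<String> configuredClaimNames) {
        this.claimNames = List.copyOf(configuredClaimNames);
    }

    @Override
    public OidcUser loadUser(final OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        // Spring Security validates the ID Token and calls the UserInfo endpoint here.
        // With sub configured as userNameAttributeName this cannot throw for an
        // absent optional claim such as email.
        final OidcUser oidcUser = super.loadUser(userRequest);

        final Map<String, Object> claims = combinedClaims(oidcUser);
        final String identityClaimName = resolveIdentityClaimName(claims);

        // Rebuild the principal with the resolved claim as its name attribute key.
        // DefaultOidcUser requires that key to exist in the merged ID Token and
        // UserInfo claims, which resolveIdentityClaimName guarantees.
        return new DefaultOidcUser(oidcUser.getAuthorities(), oidcUser.getIdToken(),
                oidcUser.getUserInfo(), identityClaimName);
    }

    /** Union of UserInfo and ID Token claims; ID Token values win on duplicate names. */
    private static Map<String, Object> combinedClaims(final OidcUser oidcUser) {
        final Map<String, Object> claims = new LinkedHashMap<>();
        final OidcUserInfo userInfo = oidcUser.getUserInfo();
        if (userInfo != null) {
            claims.putAll(userInfo.getClaims());
        }
        claims.putAll(oidcUser.getIdToken().getClaims());
        return claims;
    }

    /** First configured claim with a non-blank string value, then sub, else an authentication error. */
    private String resolveIdentityClaimName(final Map<String, Object> claims) {
        for (final String claimName : claimNames) {
            final Object value = claims.get(claimName);
            if (value instanceof String && !((String) value).isBlank()) {
                return claimName;
            }
        }
        if (claims.get(IdTokenClaimNames.SUB) instanceof String) {
            return IdTokenClaimNames.SUB;
        }
        // sub is mandatory in OpenID Connect 1.0, so this only happens with a non-compliant provider.
        // The error code string is an assumption for this example.
        throw new OAuth2AuthenticationException(
                new OAuth2Error("invalid_user_info", "Required claim sub not found", null));
    }
}
```

The two-step shape is the point: the delegated loadUser call must succeed for every compliant provider, so only sub may be the registration's userNameAttributeName, and the optional-claim preference is applied afterwards over the merged claim set where a missing claim is simply skipped instead of failing the login.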