Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-11438

OIDC requests all available scopes

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.21.0
    • 2.0.0-M1, 1.22.0
    • Security
    • None
    • Windows ADFS used for OIDC

    Description

      OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.

      Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

      NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported

      Expected only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes"

      Source code affecting scope selection: https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80

       

      Attachments

        Issue Links

          fixes

          Bug - A problem which impairs or prevents the functions of the product. NIFI-11469 OpenID Connect StandardClientRegistrationProvider scopes should be configurable

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-4890 OIDC Token Refresh should be supported

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #7168

          Activity

            People

              exceptionfactory David Handermann
              dbmxer Jody DesRoches
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m