Description
OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0.
ADFS logs exceptions indicating that NiFi is requesting forbidden resources.
NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.
Expected NiFi to request only the scopes "openid email" plus the values in "nifi.security.user.oidc.additional.scopes".
Source code affecting scope selection: https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80
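An added example (not NiFi code) that contrasts the two scope-selection behaviours this report describes and checks a captured authorization request against the expected set; the discovery document and the URLs are constructed, and the ADFS host name is a placeholder.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed OpenID Provider discovery document; not captured from a real ADFS instance.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test/adfs",
    "scopes_supported": ["openid", "email", "profile", "allatclaims", "user_impersonation"],
})

# Scopes the report expects NiFi to request before any configured extras.
DEFAULT_SCOPES = ("openid", "email")


def expected_scopes(additional_scopes_property: str) -> list[str]:
    """Expected behaviour: openid and email plus the comma-separated values of
    nifi.security.user.oidc.additional.scopes, deduplicated, in order."""
    extras = [s.strip() for s in additional_scopes_property.split(",") if s.strip()]
    result: list[str] = []
    for scope in (*DEFAULT_SCOPES, *extras):
        if scope not in result:
            result.append(scope)
    return result


def scopes_from_discovery(discovery_json: str) -> list[str]:
    """Behaviour reported for 1.21.0: every scope the provider advertises."""
    return list(json.loads(discovery_json).get("scopes_supported", []))


def unexpected_scopes(authorization_url: str, additional_scopes_property: str) -> set[str]:
    """Given an authorization request URL taken from a log, return the scopes requested
    beyond the expected set. An empty set means the request matches the expectation."""
    query = parse_qs(urlparse(authorization_url).query)
    requested = set(query.get("scope", [""])[0].split())
    return requested - set(expected_scopes(additional_scopes_property))


if __name__ == "__main__":
    # A request that asks for the whole scopes_supported list shows three extra scopes.
    url = ("https://idp.example.test/adfs/oauth2/authorize?response_type=code"
           "&scope=" + "+".join(scopes_from_discovery(DISCOVERY_JSON)))
    print("unexpected:", sorted(unexpected_scopes(url, "")))
```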
Issue Links
- fixes: NIFI-11469 OpenID Connect StandardClientRegistrationProvider scopes should be configurable (Resolved)
- is caused by: NIFI-4890 OIDC Token Refresh should be supported (Resolved)