Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- 1.12.1
- None
Description
Currently, the 'nifi.security.user.oidc.claim.identifying.user' NiFi configuration property sets only one claim to bind the ID token to a username. There are corner cases where a fallback claim should be searched for when the configured claim is not present in the ID token.
For example, not all user directory objects have an email address in Azure Active Directory (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#email). We need fallback claim support so that, when no email address claim is available for a user, the OIDC identity provider picks up the fallback claim(s) for the username. For other users with emails, it should continue to use the configured claim to set the username.
I will introduce 'nifi.security.user.oidc.fallback.claims.identifying.user' in NiFi properties and implement the fallback logic.
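The following is an added example, not NiFi's own code, of the resolution order the issue describes: the configured primary claim is tried first and the fallback claims only when the primary is missing or blank in the ID token. The two property names are taken from the issue; the comma-separated format for the fallback property, the function names and the sample claim sets are assumptions constructed for this illustration.

```python
"""Resolve an OIDC username from ID token claims with a primary claim and
ordered fallback claims. Added example; property value format is assumed."""
from typing import Optional

PRIMARY_PROPERTY = "nifi.security.user.oidc.claim.identifying.user"
FALLBACK_PROPERTY = "nifi.security.user.oidc.fallback.claims.identifying.user"

# Constructed configuration: primary claim 'email', fallbacks 'upn' then
# 'preferred_username'. The comma-separated list syntax is an assumption.
PROPERTIES = {
    PRIMARY_PROPERTY: "email",
    FALLBACK_PROPERTY: "upn, preferred_username",
}


def fallback_claims(properties: dict) -> list:
    """Parse the (assumed) comma-separated fallback claim list, in order."""
    raw = properties.get(FALLBACK_PROPERTY, "")
    return [claim.strip() for claim in raw.split(",") if claim.strip()]


def claim_search_order(properties: dict) -> list:
    """Primary claim first, then the fallbacks in configured order."""
    return [properties[PRIMARY_PROPERTY]] + fallback_claims(properties)


def resolve_identity(claims: dict, properties: dict) -> Optional[str]:
    """Return the first non-blank string value among the configured claims.

    Missing claims and blank values are both treated as 'not found' so the
    search continues to the next claim; None means no identity could be bound
    and the login must be rejected rather than mapped to an empty username.
    """
    for claim in claim_search_order(properties):
        value = claims.get(claim)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed ID token claim sets, not real directory data.
    samples = {
        "has email": {"sub": "1", "email": "alice@example.com", "upn": "alice@corp.example"},
        "no email": {"sub": "2", "upn": "bob@corp.example"},
        "blank email": {"sub": "3", "email": "   ", "preferred_username": "carol"},
        "no usable claim": {"sub": "4"},
    }
    for label, claims in samples.items():
        print(f"{label}: {resolve_identity(claims, PROPERTIES)!r}")
```

Because identities taken from different claims share one username namespace, the values of the primary and fallback claims must be unique across the whole directory; otherwise two accounts could resolve to the same NiFi user.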