NIFI-7924: add fallback claims for identifying user

[sjyang18]

Thank you for submitting a contribution to Apache NiFi.

Please provide a short description of the PR here:

Description of PR

NIFI-7924: add fallback claims for identifying user

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

• Is there a JIRA ticket associated with this PR? Is it referenced
  in the commit message?

• Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

• Has your PR been rebased against the latest commit within the target branch (typically main)?

• Is your initial contribution a single, squashed commit? Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not squash or use --force when pushing to allow for clean monitoring of changes.

For code changes:

• Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
• Have you written or updated unit tests to verify your changes?
• Have you verified that the full build is successful on JDK 8?
• Have you verified that the full build is successful on JDK 11?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
• If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
• If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

• Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.

[mtien-apache]

@sjyang18 Thank you for submitting this. I've reviewed it and the functionality LGTM. I verified I can log in with OIDC enabled and verified the tests will use the listed fallback claim when email is not available.

One suggestion is to update the NiFi docs with a description of the new fallback claim property. Here's a link to the docs section I'm referring to:

http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect

I can give a +1 once this is updated. Thanks!

[sjyang18]

@mtien-apache
I have added the fallback property explanation to admin doc. Will this work?

[jfrazee]

@mtien-apache @sjyang18 I've been looking at this and was wondering which identity providers this has been tested against?

[MuazmaZ]

@jfrazee I have tested this with Azure. I have also verified the functionality and it works as expected.

[mtien-apache]

@jfrazee I tested it with Azure, Google, and Okta.

[mtien-apache]

+1 Reviewed and verified all changes work as expected. Admin doc addition look good. Thank you.

[sushilkm]

Not sure why do we want to add another property.
I think it would be simpler for users to update nifi.security.user.oidc.claim.identifying.user with the comma separated value(s) that we are intending to put for nifi.security.user.oidc.fallback.claims.identifying.user

[mtien-apache]

@sushilkm I believe nifi.security.user.oidc.claim.identifying.user does not allow comma separated values.

[sushilkm]

@mtien-apache what i mean to say was instead of adding another property we could make the existing property to behave like that comma-separated value. it should not be breaking change.

[jfrazee]

@sushilkm I think that's a valid question. I haven't been able to convince myself which configuration experience is the right one.

@mcgilman You did a bunch of work on the OIDC code, can you weigh in on this? (I.e., whether it's better for the user to have a distinct fallback claim configuration or to overload/enhance the existing one to be an ordered list.)

[sjyang18]

There are existing test cases that we need to update if we modify the semantics of existing property, and I choose not to modify existing semantics and logics.

[bbende]

If we had done this from the beginning, I definitely think we should have used a single property with an ordered list of claims, and used "claims" in the name instead of "claim", but since we have the existing property I'm not sure either approach has a major advantage...

On one hand, using the existing property is easier for anyone already referencing the property in some way, and it can be done without breaking anything.

On the other hand, the work is already done to add the second property, and it does create very specific semantics where the original "claim" property is a single claim, and the second one with "claims" is a list.

[jfrazee]

Thanks @bbende That's sort of where my head was at. Neither seems like it results in a bad outcome and the current path makes it clear what the additional values are.

Provided we make the small change to filter empty values, I'm happy to see this go in.

[jfrazee]

Suggested change

	void testconvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims() {
	@Test
	void testConvertOIDCTokenToLoginAuthenticationTokenShouldHandleNoEmailClaimHasFallbackClaims() {

[jfrazee]

Suggested change

[jfrazee]

Suggested change