From 48dbb17440d52e5492cfacf4cd6f4e8069f81b90 Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Wed, 12 Apr 2023 17:34:23 -0500
Subject: [PATCH] NIFI-11438 Set standard OpenID Connect Scopes

- Restored previous behavior of sending openid and email scopes for OpenID Connect token requests
- Added offline_access scope as the default value in nifi.properties to support Refresh Tokens
---
 .../src/main/asciidoc/administration-guide.adoc    |  2 +-
 .../nifi-framework/nifi-resources/pom.xml          |  3 ++-
 .../StandardClientRegistrationProvider.java        |  9 ++++++---
 .../StandardClientRegistrationProviderTest.java    | 14 ++++++++++++++
 4 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 84f87b02f2eb..d094e51cdf84 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -542,7 +542,7 @@ OpenID Connect integration supports the following settings in _nifi.properties_.
 by the OpenID Connect Provider according to the specification. If this value is `HS256`, `HS384`, or `HS512`, NiFi will attempt to validate HMAC protected tokens using the specified client secret.
 If this value is `none`, NiFi will attempt to validate unsecured/plain tokens. Other values for this algorithm will attempt to parse as an RSA or EC algorithm to be used in conjunction with the
 JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the discovery URL
-|`nifi.security.user.oidc.additional.scopes`                | Comma separated scopes that are sent to OpenID Connect Provider in addition to `openid` and `email`
+|`nifi.security.user.oidc.additional.scopes`                | Comma separated scopes that are sent to OpenID Connect Provider in addition to `openid` and `email`. Authorization Servers require the `offline_access` scope to return a Refresh Token.
 |`nifi.security.user.oidc.claim.identifying.user`           | Claim that identifies the authenticated user. The default value is `email`. Claim names may need to be requested using the `nifi.security.user.oidc.additional.scopes` property
 |`nifi.security.user.oidc.fallback.claims.identifying.user` | Comma-separated list of possible fallback claims used to identify the user when the `nifi.security.user.oidc.claim.identifying.user` claim is not found.
 |`nifi.security.user.oidc.claim.groups`                     | Name of the ID token claim that contains an array of group names of which the
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
index c7d736fcd6ec..f5731d934252 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
@@ -168,7 +168,8 @@
         <nifi.security.user.oidc.client.id />
         <nifi.security.user.oidc.client.secret />
         <nifi.security.user.oidc.preferred.jwsalgorithm />
-        <nifi.security.user.oidc.additional.scopes />
+        <!-- Set additional scopes to support Refresh Token retrieval -->
+        <nifi.security.user.oidc.additional.scopes>offline_access</nifi.security.user.oidc.additional.scopes>
         <nifi.security.user.oidc.claim.identifying.user />
         <nifi.security.user.oidc.fallback.claims.identifying.user />
         <nifi.security.user.oidc.claim.groups>groups</nifi.security.user.oidc.claim.groups>
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
index bc14c4ba811b..f2368c3eebf6 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java
@@ -21,7 +21,6 @@
 import static com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.NONE;
 
 import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import org.apache.nifi.util.NiFiProperties;
 import org.apache.nifi.web.security.oidc.OidcConfigurationException;
@@ -30,8 +29,11 @@
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.web.client.RestOperations;
 
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -46,6 +48,8 @@ public class StandardClientRegistrationProvider implements ClientRegistrationPro
 
     private static final String REGISTRATION_REDIRECT_URI = String.format("{baseUrl}%s", OidcUrlPath.CALLBACK.getPath());
 
+    private static final Set<String> STANDARD_SCOPES = Collections.unmodifiableSet(new LinkedHashSet<>(Arrays.asList(OidcScopes.OPENID, OidcScopes.EMAIL)));
+
     private final NiFiProperties properties;
 
     private final RestOperations restOperations;
@@ -77,8 +81,7 @@ public ClientRegistration getClientRegistration() {
         final String jwkSetUri = providerMetadata.getJWKSetURI().toASCIIString();
         final String userInfoUri = providerMetadata.getUserInfoEndpointURI().toASCIIString();
 
-        final Scope metadataScope = providerMetadata.getScopes();
-        final Set<String> scope = new LinkedHashSet<>(metadataScope.toStringList());
+        final Set<String> scope = new LinkedHashSet<>(STANDARD_SCOPES);
         final List<String> additionalScopes = properties.getOidcAdditionalScopes();
         scope.addAll(additionalScopes);
 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
index 97847926a199..164cd7c58c28 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProviderTest.java
@@ -28,12 +28,16 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AuthenticationMethod;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.web.client.RestOperations;
 
 import java.net.URI;
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Properties;
+import java.util.Set;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
@@ -61,6 +65,8 @@ class StandardClientRegistrationProviderTest {
 
     private static final String USER_NAME_ATTRIBUTE_NAME = "email";
 
+    private static final Set<String> EXPECTED_SCOPES = new LinkedHashSet<>(Arrays.asList(OidcScopes.OPENID, OidcScopes.EMAIL, OidcScopes.PROFILE));
+
     private static final String INVALID_CONFIGURATION = "{}";
 
     @Mock
@@ -92,6 +98,9 @@ void testGetClientRegistration() {
         assertEquals(USER_INFO_URI.toString(), userInfoEndpoint.getUri());
         assertEquals(USER_NAME_ATTRIBUTE_NAME, userInfoEndpoint.getUserNameAttributeName());
         assertEquals(AuthenticationMethod.HEADER, userInfoEndpoint.getAuthenticationMethod());
+
+        final Set<String> scopes = clientRegistration.getScopes();
+        assertEquals(EXPECTED_SCOPES, scopes);
     }
 
     @Test
@@ -120,6 +129,7 @@ private NiFiProperties getProperties() {
         properties.put(NiFiProperties.SECURITY_USER_OIDC_CLIENT_ID, CLIENT_ID);
         properties.put(NiFiProperties.SECURITY_USER_OIDC_CLIENT_SECRET, CLIENT_SECRET);
         properties.put(NiFiProperties.SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER, USER_NAME_ATTRIBUTE_NAME);
+        properties.put(NiFiProperties.SECURITY_USER_OIDC_ADDITIONAL_SCOPES, OidcScopes.PROFILE);
         return NiFiProperties.createBasicNiFiProperties(null, properties);
     }
 
@@ -131,6 +141,10 @@ private OIDCProviderMetadata getProviderMetadata() {
         providerMetadata.setUserInfoEndpointURI(USER_INFO_URI);
         providerMetadata.setAuthorizationEndpointURI(AUTHORIZATION_ENDPOINT_URI);
         final Scope scopes = new Scope();
+        scopes.add(OidcScopes.OPENID);
+        scopes.add(OidcScopes.EMAIL);
+        scopes.add(OidcScopes.PROFILE);
+        scopes.add(OidcScopes.ADDRESS);
         providerMetadata.setScopes(scopes);
         return providerMetadata;
     }