Denis, Thanks for reporting this issue and providing the details.
This is a good list to use, but please subscribe [1] to the list in order to send and receive further updates.

After reviewing the implementation code, there appears to be a problem with the background Bearer Token Refresh Filter processing, dropping the group membership as you described. I created NIFI-12418 [2] to track the issue. Resolving the problem looks like it will require some internal adjustments to the refresh handling process that generates the updated application bearer token.

Regards,
David Handermann

[1] https://nifi.apache.org/mailing_lists.html
[2] https://issues.apache.org/jira/browse/NIFI-12418

On Mon, Nov 27, 2023 at 8:56 AM Denis Podkovirkin (Nokia) <[email protected]> wrote:
>
> Good day!
>
> I am trying to configure Apache nifi authentication\authorization via Keycloak.
> I configured integration through OIDC, set endpoints, scopes, and the ID token
> group claim as "groups". The "nifi.security.user.authorizer" is set as
> "managed-authorizer" where the admin account is set as Initial.
> After that I signed in as admin and created the same groups in nifi and
> keycloak.
>
> The authentication works fine, and the user can log in to Keycloak and Keycloak
> sends groups to the token:
> "/nifi-api/access/oidc/callback" response header contains a token with payload:
> {
>   "sub": "nokia",
>   "aud": "http%3A%2F%2F10.184.215.35%3A8080%2Frealms%2Fmaster",
>   "nbf": 1701094933,
>   "iss": "http%3A%2F%2F10.184.215.35%3A8080%2Frealms%2Fmaster",
>   "groups": [
>     "viewer"
>   ],
>   "preferred_username": "nokia",
>   "exp": 1701094993,
>   "iat": 1701094933,
>   "jti": "131ecf66-fa73-4e7d-a8e7-a91e1bf53c8d"
> }
>
> And it's saved until the "/nifi-api/flow/current-user" request that changes my
> cookie token to:
>
> {
>   "sub": "nokia",
>   "aud": "https%3A%2F%2F10.184.215.34%3A8443%2F",
>   "nbf": 1701095346,
>   "iss": "https%3A%2F%2F10.184.215.34%3A8443%2F",
>   "groups": [],
>   "preferred_username": "nokia",
>   "exp": 1701095406,
>   "iat": 1701095346,
>   "jti": "b9b16cda-95ef-457b-b667-b986e28f6d53"
> }
> After page loading is done, I can see the "Insufficient Permissions" page.
>
> Apache nifi version is 1.23.2
>
> Please, let me know what I am doing wrong.
>
> Excuse me if I sent the email to the wrong address.
>
> --
> Best Regards,
> Denis Podkovyrkin
> CNS C&CS SP DOA, Automation Specialist
> +351 931 499 265
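The symptom in the report is visible by comparing the claims of the token issued at the OIDC callback with the token NiFi re-issues on refresh. The following is an added example (not part of this thread or of the NiFi code base) that decodes both payloads and reports which group memberships disappeared; the two tokens are constructed from the payloads quoted above, with placeholder header and signature, and no signature verification is performed.

```python
import base64
import json

# Claims expected to differ between any two tokens; ignored when diffing.
VOLATILE_CLAIMS = {"iat", "exp", "nbf", "jti"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (test data only)."""
    header = _b64url(json.dumps({"alg": "placeholder", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims, restoring stripped base64url padding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body))


def dropped_memberships(initial: str, refreshed: str, claim: str = "groups") -> list:
    """Group names present in the initial token but missing after refresh."""
    before = set(decode_payload(initial).get(claim, []))
    after = set(decode_payload(refreshed).get(claim, []))
    return sorted(before - after)


def changed_claims(initial: str, refreshed: str) -> list:
    """Non-volatile claims whose values differ, e.g. the issuer switching to NiFi."""
    a, b = decode_payload(initial), decode_payload(refreshed)
    return sorted(k for k in a.keys() & b.keys()
                  if k not in VOLATILE_CLAIMS and a[k] != b[k])


# Constructed from the two payloads quoted in the report (timestamps omitted).
INITIAL = make_unsigned_jwt({"sub": "nokia", "iss": "http://keycloak.example/realms/master",
                             "groups": ["viewer"], "preferred_username": "nokia"})
REFRESHED = make_unsigned_jwt({"sub": "nokia", "iss": "https://nifi.example:8443/",
                               "groups": [], "preferred_username": "nokia"})

if __name__ == "__main__":
    print(dropped_memberships(INITIAL, REFRESHED))  # ['viewer']
    print(changed_claims(INITIAL, REFRESHED))  # ['groups', 'iss']
```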
