thenatog commented on a change in pull request #4593:
URL: https://github.com/apache/nifi/pull/4593#discussion_r509539937



##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
##########
@@ -851,6 +1086,47 @@ private void forwardToMessagePage(final 
HttpServletRequest httpServletRequest, f
         
uiContext.getRequestDispatcher("/WEB-INF/pages/message-page.jsp").forward(httpServletRequest,
 httpServletResponse);
     }
 
+    private String determineLogoutMethod(String oidcDiscoveryUrl) {
+        Matcher accessTokenMatcher = 
REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
+        Matcher idTokenMatcher = 
ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
+
+        if (accessTokenMatcher.find()) {
+            return REVOKE_ACCESS_TOKEN_LOGOUT;
+        } else if (idTokenMatcher.find()) {
+            return ID_TOKEN_LOGOUT;
+        } else {
+            return STANDARD_LOGOUT;
+        }
+    }
+
+    private URI oidcRequestAuthorizationCode(@Context HttpServletResponse 
httpServletResponse, String callback) {
+
+        final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+        // generate a cookie to associate this login sequence
+        final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
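
Review bot: In determineLogoutMethod, both matchers call find(), so a logout method is selected if its pattern occurs anywhere in oidcDiscoveryUrl, including the path or query string, and a null oidcDiscoveryUrl throws from matcher(). If REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT and ID_TOKEN_LOGOUT_FORMAT are meant to recognise a provider by its host, parse the URL and match against the host (or anchor the patterns and use matches()), and return STANDARD_LOGOUT for a null or unparsable value. In oidcRequestAuthorizationCode, the @Context annotation on a parameter of a private helper is not acted on by JAX-RS and can be dropped. The quoted hunk stops at the Cookie constructor, so it is worth confirming in the following lines that the OIDC_REQUEST_IDENTIFIER cookie is marked Secure and HttpOnly with a short max age, since per the comment it associates the callback with this login sequence.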

Review comment:
       Yes, from what I can tell the cookie is being used to maintain state for 
the IDP login callback. Not exactly sure why this is a cookie. It's possible 
the IDP strips headers for the callback redirect. Not sure if @mtien-apache saw 
the JWT being stripped by the provider for callbacks? We could check with 
mcgilman why it was set up to use a cookie.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

