[ https://issues.apache.org/jira/browse/NIFI-7584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221786#comment-17221786 ]
ASF subversion and git services commented on NIFI-7584:
-------------------------------------------------------
Commit bf962f62275071dfe5f00aedd028b8231680450c in nifi's branch
refs/heads/main from mtien
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=bf962f6 ]
NIFI-7584 Added OIDC logout mechanism.
Added method to validate the OIDC Access Token for the revoke endpoint.
Created a new callback URI of oidc/logoutCallback to handle certain OIDC logout
cases.
Changed method to exchange the Authorization Code for a Login Authentication
Token.
Added a new method to exchange the AuthN Code for an Access Token.
Changed method to convert OIDC Token to a Login AuthN Token instead of a NiFi
JWT.
Created new OidcServiceGroovyTest class.
NIFI-7584-rebase Added test.
NIFI-7584 Fixed a checkstyle issue.
NIFI-7584 Removed a dependency not in use.
NIFI-7584 Made revisions based on PR review.
Refactored revoke endpoint POST request to a private method.
Removed unnecessary dependencies.
Fixed Regex Pattern to search for literal dot character.
Fixed logging the Exception message.
Fixed caught Exception.
Changed timeout value to a static variable.
Changed repeating error messages to a static string.
Reduced sleep duration in unit test.
Refactored cookie generation to private method.
NIFI-7584 Fixed the snapshot version.
Signed-off-by: Nathan Gough <[email protected]>
This closes #4593.
> LOG OUT button does not work when OpenID Connect is used for authentication
> ---------------------------------------------------------------------------
>
> Key: NIFI-7584
> URL: https://issues.apache.org/jira/browse/NIFI-7584
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 1.11.4, 1.12.1
> Environment: CentOS Linux 7
> Reporter: W Chang
> Assignee: M Tien
> Priority: Critical
> Labels: UI, bug, logout, oidc
> Time Spent: 5h 20m
> Remaining Estimate: 0h
>
> When nifi-1.11.4 is integrated with Okta OpenID Connect for authentication,
> the 'LOG OUT' button on the front page does not work. It does not log a user
> out properly without redirecting to the Logout Redirect URL.
> When the button is clicked, the following message is displayed in the browser:
> {code:java}
> {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oae_YfJRUHCQe-BqYnPw6opFg","errorCauses":[]}
> {code}
> The button makes a GET request to the following address.
> [https://{hostname}.okta.com/oauth2/v1/logout?post_logout_redirect_uri=https%3A%2F%2F{nifi server dns name}%3A{port number}%2Fnifi-api%2F..%2Fnifi|https://dev-309877.okta.com/oauth2/v1/logout?post_logout_redirect_uri=https%3A%2F%2Fplanet-dl-dev-1.mitre.org%3A9443%2Fnifi-api%2F..%2Fnifi]
> According to the Okta document
> https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-options, the
> logout endpoint format should be as shown below:
> {{https://dev-123456.okta.com/oauth2/default/v1/logout?id_token_hint=<id-token>&post_logout_redirect_uri=http://localhost:8080/}}
>
> And it seems that post_logout_redirect_uri should be
> "https://{nifi server dns name}:{port number}/nifi-api/access/oidc/logout"
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)