[ https://issues.apache.org/jira/browse/NIFI-7584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221783#comment-17221783 ]
ASF subversion and git services commented on NIFI-7584:
-------------------------------------------------------

Commit bf962f62275071dfe5f00aedd028b8231680450c in nifi's branch refs/heads/main from mtien
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=bf962f6 ]

NIFI-7584 Added OIDC logout mechanism.
Added method to validate the OIDC Access Token for the revoke endpoint.
Created a new callback URI of oidc/logoutCallback to handle certain OIDC logout cases.
Changed method to exchange the Authorization Code for a Login Authentication Token.
Added a new method to exchange the AuthN Code for an Access Token.
Changed method to convert OIDC Token to a Login AuthN Token instead of a NiFi JWT.
Created new OidcServiceGroovyTest class.

NIFI-7584-rebase Added test.

NIFI-7584 Fixed a checkstyle issue.

NIFI-7584 Removed a dependency not in use.

NIFI-7584 Made revisions based on PR review.
Refactored revoke endpoint POST request to a private method.
Removed unnecessary dependencies.
Fixed Regex Pattern to search for literal dot character.
Fixed logging the Exception message.
Fixed caught Exception.
Changed timeout value to a static variable.
Changed repeating error messages to a static string.
Reduced sleep duration in unit test.
Refactored cookie generation to private method.

NIFI-7584 Fixed the snapshot version.

Signed-off-by: Nathan Gough <thena...@gmail.com>

This closes #4593.

> LOG OUT button does not work when OpenID Connect is used for authentication
> ---------------------------------------------------------------------------
>
>                 Key: NIFI-7584
>                 URL: https://issues.apache.org/jira/browse/NIFI-7584
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.11.4, 1.12.1
>         Environment: CentOS Linux 7
>            Reporter: W Chang
>            Assignee: M Tien
>            Priority: Critical
>              Labels: UI, bug, logout, oidc
>          Time Spent: 5h 20m
>  Remaining Estimate: 0h
>
> When nifi-1.11.4 is integrated with Okta OpenID Connect for authentication,
> 'LOG OUT' button on the front page does not work. It does not log a user out
> properly without redirecting to the Logout Redirect URL.
> When the button is clicked, the following message is displayed on the browser
> {code:java}
> {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oae_YfJRUHCQe-BqYnPw6opFg","errorCauses":[]}{code}
> The button makes a GET request to the following address.
> [https://\{hostname}.okta.com/oauth2/v1/logout?post_logout_redirect_uri=https%3A%2F%2F\{nifi server dns name}%3A\{port number}%2Fnifi-api%2F..%2Fnifi|https://dev-309877.okta.com/oauth2/v1/logout?post_logout_redirect_uri=https%3A%2F%2Fplanet-dl-dev-1.mitre.org%3A9443%2Fnifi-api%2F..%2Fnifi]
> According to Okta document
> [https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-options,] the
> logout endpoint format should be as shown below:
> {{[https://dev-123456.okta.com/oauth2/default/v1/logout?id_token_hint=]<id-token>&post_logout_redirect_uri=[http://localhost:8080/]}}
>
> {{And it seems that post_logout_redirect_uri should be "https://\{nifi server dns name}:\{port number}/nifi-api/access/oidc/logout"}}
>

--
This message was sent by Atlassian Jira (v8.3.4#803005)
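
The logout request quoted in the issue carries no id_token_hint and a redirect path containing "..". The sketch below is an added example, not code from NiFi or from the commit: it builds a logout URL in the id_token_hint plus post_logout_redirect_uri format the report cites and checks a request URL for those two gaps. Host names and the token are constructed placeholders, and treating dot segments in the redirect URI as a problem is this example's assumption.

```python
import posixpath
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def normalize_redirect(uri):
    """Collapse '.' and '..' path segments (e.g. /nifi-api/../nifi -> /nifi)."""
    parts = urlsplit(uri)
    path = posixpath.normpath(parts.path) if parts.path else ""
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops a trailing slash; keep it
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def build_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri):
    """Build a logout URL carrying id_token_hint and a normalized redirect URI."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": normalize_redirect(post_logout_redirect_uri),
    })
    return f"{end_session_endpoint}?{query}"


def check_logout_request(url):
    """Return the problems found in a logout request URL (empty list if none)."""
    problems = []
    params = parse_qs(urlsplit(url).query)  # values come back percent-decoded
    if not params.get("id_token_hint"):
        problems.append("missing id_token_hint")
    redirect = params.get("post_logout_redirect_uri", [""])[0]
    if not redirect:
        problems.append("missing post_logout_redirect_uri")
    elif redirect != normalize_redirect(redirect):
        # Assumption of this example: an un-normalized path is worth flagging.
        problems.append("post_logout_redirect_uri contains dot segments")
    return problems


# Constructed sample with the same shape as the request quoted in the issue.
REPORTED = ("https://idp.example.com/oauth2/v1/logout?post_logout_redirect_uri="
            "https%3A%2F%2Fnifi.example.com%3A9443%2Fnifi-api%2F..%2Fnifi")
# Constructed request in the documented format; the token is a placeholder.
FIXED = build_logout_url(
    "https://idp.example.com/oauth2/default/v1/logout",
    "PLACEHOLDER.ID.TOKEN",
    "https://nifi.example.com:9443/nifi-api/access/oidc/logout",
)

if __name__ == "__main__":
    print(check_logout_request(REPORTED))
    print(FIXED, check_logout_request(FIXED))
```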