David Handermann created NIFI-8766:
--------------------------------------
Summary: Improve JWT Authentication Handling
Key: NIFI-8766
URL: https://issues.apache.org/jira/browse/NIFI-8766
Project: Apache NiFi
Issue Type: Improvement
Components: Core UI, Security
Affects Versions: 1.13.2
Reporter: David Handermann
Assignee: David Handermann

NiFi access for username and password authentication currently leverages
several custom classes to handle JWT generation, signing, and verification.
The JWT service uses symmetric keys generated for each user with the HMAC
SHA256 signing algorithm, and stores signing keys in the local node database.
NiFi deletes the symmetric signing key for each user on logout.

The Spring Security OAuth2 library provides more standardized components to
handle JWT verification, which will reduce the need for custom Spring Security
authentication provider classes. The JWT generation process should be
evaluated and refactored to support more frequent key rotation. Transitioning
to asymmetric keys for JWT signing and avoiding persistence of private signing
keys should also be considered.
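The direction proposed in the issue (asymmetric signing, a private key that is never persisted, and key rotation), sketched as an added example using only JDK classes. It is not NiFi's code or the eventual implementation: the class `RotatingJwtSigner` and its methods are hypothetical, the in-memory map stands in for persisted public keys, and claim checks such as expiration are assumed to happen elsewhere.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;

// Added illustration; class and method names are hypothetical, not NiFi's.
public class RotatingJwtSigner {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final Pattern KID = Pattern.compile("\"kid\":\"([0-9a-f-]{36})\"");
    // Stand-in for persistent storage: only public keys are ever kept here.
    private final Map<String, PublicKey> publicKeys = new HashMap<>();
    private PrivateKey privateKey; // memory only, replaced on every rotation
    private String keyId;
    public RotatingJwtSigner() throws GeneralSecurityException { rotate(); }
    public synchronized String rotate() throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();
        String previous = keyId;
        keyId = UUID.randomUUID().toString();
        publicKeys.put(keyId, pair.getPublic());
        privateKey = pair.getPrivate(); // the old private key is dropped here
        return previous; // previous key id, or null on the first call
    }
    public synchronized void retire(String oldKeyId) { publicKeys.remove(oldKeyId); } // after its tokens expire
    public synchronized String sign(String claimsJson) throws GeneralSecurityException {
        String header = "{\"alg\":\"RS256\",\"kid\":\"" + keyId + "\"}";
        String input = b64(header) + "." + b64(claimsJson);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + ENC.encodeToString(signer.sign());
    }
    // Signature check only: RS256 is fixed (the token's "alg" is ignored); no exp check.
    public synchronized boolean verify(String token) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        try {
            Matcher m = KID.matcher(new String(DEC.decode(parts[0]), StandardCharsets.UTF_8));
            PublicKey key = m.find() ? publicKeys.get(m.group(1)) : null;
            if (key == null) return false; // unknown or retired key id
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(key);
            verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            return verifier.verify(DEC.decode(parts[2]));
        } catch (IllegalArgumentException | SignatureException e) { return false; }
    }
    private static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }
}
```

Run `rotate()` on a schedule shorter than the token lifetime and pass the id it returns to `retire()` once that lifetime has elapsed; tokens signed before a rotation keep verifying until then.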