[
https://issues.apache.org/jira/browse/NIFI-8766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401744#comment-17401744
]
ASF subversion and git services commented on NIFI-8766:
-------------------------------------------------------
Commit a652280fbb45c94b6ba9be5e7f4f9cd8c708f5ca in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=a652280 ]
NIFI-8766 Implemented RS512 Algorithm for JWT Signing
- Replaced per-user symmetric-key HS256 with shared and rotated RSA
asymmetric-key RS512 implementation
- Added nifi.security.user.jws.key.rotation.period property for RSA Key Pair
rotation
- Added JSON Web Tokens section to Administration Guide
- Implemented persistent storage of RSA Public Keys for verification using
Local State Manager
- Implemented JWT revocation on logout with persistence using Local State
Manager
- Refactored JWT implementation using Spring Security OAuth2 and Nimbus JWT
- Refactored Spring Security Provider configuration using Java instead of XML
- Removed H2 storage of per-user keys
- Upgraded nimbus-jose-jwt from 7.9 to 9.11.2
NIFI-8766 Corrected AuthenticationException handling in
AccessResource.getAccessStatus
- Added nifi.user.security.jws.key.rotation.period to default nifi.properties
- Updated logging statements and clarified configuration and method
documentation
NIFI-8766 Changed Algorithm to PS512 and updated documentation
Signed-off-by: Nathan Gough <[email protected]>
This closes #5262.
> Improve JWT Authentication Handling
> -----------------------------------
>
> Key: NIFI-8766
> URL: https://issues.apache.org/jira/browse/NIFI-8766
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core UI, Security
> Affects Versions: 1.14.0, 1.13.2
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Labels: JWT, security
> Time Spent: 7.5h
> Remaining Estimate: 0h
>
> NiFi access for username and password authentication currently leverages
> several custom classes to handle JWT generation, signing, and verification.
> The JWT service uses symmetric keys generated for each user with the HMAC
> SHA256 signing algorithm, and stores signing keys in the local node database.
> NiFi deletes the symmetric signing key for each user on logout.
> The Spring Security OAuth2 library provides more standardized components to
> handle JWT verification, which will reduce the need for custom Spring
> Security authentication provider classes. The JWT generation process should
> be evaluated and refactored to support more frequent key rotation.
> Transitioning to asymmetric keys for JWT signing and avoiding persistence of
> private signing keys should also be considered.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
