[ https://issues.apache.org/jira/browse/NIFI-10322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576336#comment-17576336 ]

macdoor615 commented on NIFI-10322:
-----------------------------------

[~exceptionfactory]  Thank you.

Long story short: after the NiFi 1.17.0 session times out, there is a Set-Cookie 
header containing the {{__Secure-Authorization-Bearer}} parameter, but its 
content is empty.

 

*NiFi 1.17.0 screenshot in session.*

!image-2022-08-07-15-37-29-739.png|width=1565,height=1164!

Response Headers:
 # 
Cache-Control:
private, no-cache, no-store, no-transform
 # 
Connection:
keep-alive
 # 
Content-Encoding:
gzip
 # 
Content-Length:
216
 # 
Content-Security-Policy:
frame-ancestors 'self'
 # 
Content-Type:
application/json
 # 
Date:
Sun, 07 Aug 2022 07:35:04 GMT
 # 
Server:
nginx
 # 
Strict-Transport-Security:
max-age=31536000 ; includeSubDomains
 # 
Vary:
Accept-Encoding
 # 
X-Content-Type-Options:
nosniff
 # 
X-Frame-Options:
SAMEORIGIN
 # 
X-ProxiedEntitiesAccepted:
true
 # 
X-XSS-Protection:
1; mode=block

 
Request Headers:
 # 
Accept:
application/json, text/javascript, */*; q=0.01
 # 
Accept-Encoding:
gzip, deflate, br
 # 
Accept-Language:
zh-CN,zh;q=0.9
 # 
Connection:
keep-alive
 # 
Cookie:
__Secure-Request-Token=ff6b6664-2e61-4abb-86f4-4bfd8592b461; 
__Secure-Authorization-Bearer=eyJraWQiOiJmNTVlZmM4OS0yMTI3LTRmNjgtYjVjNi03NTdjN2YxMjk1N2IiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5ODU3NjY3LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5ODU3OTY2LCJpYXQiOjE2NTk4NTc2NjcsImp0aSI6IjJmMzgyYzQ0LTJkMzEtNDFjMC1iY2E3LWRiZjVhNzBhZTk5MCJ9.kVtyE-EIijCdD-SyduFL6BeYOCzSbb7aDGw0KrSSMXJfpPpL3m_LO0LuLpfuKEZ-ZgxKUd5A0oOCDMGwmiGDRMqEOPMvsa8jj2JgHczwhGZAolo9nsxdQoDiFMmTOOeNpy371WHd5ygUN-mBb6ALODfwSMIM0EUlNB-cOL_oDT-RnvJSKuaywZ5ywrAMLvfATf1aaZaGp9WI8Bjvo1-iEXLcB4J4AmRyGsMR7qMzrVUHHRS5EYNqZ_7wGJSp5OCGcl6PD1iLjU37WOsvHaZ1gDQfAihoQx-HIlKFwFu0KfUbEeQAsuPRIFcbDC7SamCXdDs-uOkK5xMr4TqP34yqdADt4smFCbPvDSK_bP61ObgF0NkUYwKPRJE8NgPTcbrKX1TE_4zTGJ25O0LugCXO4iFhCg67vfbNBWLs1yMfnUC06fqjNM2Iis9yzSsC3LR9d96eZIBwrjT7o6AvXdGQJNQpeopoSuRaZcb4mpPz504csxs7_jNj6TFzu5Rq7CKMFwmhicpUvmzXHcgnigJcbOTY-FDerDbZNtGY2Lvo48wPvSgEzfGXLDlJIAtcJzKqGZps0zeAl6ykZgNj12kNVDmJEb0ZcmEiYd84pXoGbsFsRFw5GNeh2YjK-HUL2b2ck9c26tCefz_8FGZO-NkhoNZnidD4Z-DGDPrfwIgIKkQ
 # 
DNT:
1
 # 
Host:
36.138.166.203:18089
 # 
Referer:
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi/
 # 
Request-Token:
ff6b6664-2e61-4abb-86f4-4bfd8592b461
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
Sec-Fetch-Dest:
empty
 # 
Sec-Fetch-Mode:
cors
 # 
Sec-Fetch-Site:
same-origin
 # 
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36
 # 
X-Requested-With:
XMLHttpRequest

*NiFi 1.17.0 screenshot after session times out*

!image-2022-08-07-16-11-38-180.png|width=1462,height=1102!

Response Headers:
 # 
Connection:
keep-alive
 # 
Content-Length:
182
 # 
Content-Security-Policy:
frame-ancestors 'self'
 # 
Content-Type:
text/plain;charset=iso-8859-1
 # 
Date:
Sun, 07 Aug 2022 08:09:29 GMT
 # 
Server:
nginx
 # 
Set-Cookie:
*__Secure-Authorization-Bearer=; Path=/zqjkcj_nanjing-nifi; 
Domain=36.138.166.203; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; 
Secure; HttpOnly*
 # 
Strict-Transport-Security:
max-age=31536000 ; includeSubDomains
 # 
WWW-Authenticate:
Bearer error="invalid_token", error_description="An error occurred while 
attempting to decode the Jwt: Expired JWT", 
error_uri="https://tools.ietf.org/html/rfc6750#section-3.1";
 # 
X-Content-Type-Options:
nosniff
 # 
X-Frame-Options:
SAMEORIGIN
 # 
X-ProxiedEntitiesAccepted:
true
 # 
X-XSS-Protection:
1; mode=block

Request Headers:
 # 
Accept:
application/json, text/javascript, */*; q=0.01
 # 
Accept-Encoding:
gzip, deflate, br
 # 
Accept-Language:
zh-CN,zh;q=0.9
 # 
Connection:
keep-alive
 # 
Cookie:
__Secure-Request-Token=857027eb-048b-4557-98fe-416de79c1499; 
__Secure-Authorization-Bearer=eyJraWQiOiIzMjIzMWQzMy1lYzQ2LTQyZTktYWUwZC0zNmI0ODcyNzNhMTkiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5ODU5NDAzLCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5ODU5NzAzLCJpYXQiOjE2NTk4NTk0MDMsImp0aSI6IjM4Mzk3Mjc5LTM1NzMtNGRkOS04NjBhLTViMDliMjU3ZDE0MCJ9.sP5sdW8HgojczM4t5ZVmUeX9lIs7YY1M7Pho4yQd0k10qFLupEvbPuZSdvW0avgkF9wzk-M6FlwfLL1Umg0VdQHP7yaFkQqFKN5MaHLPLrwB-oxvof6XyCWtoM7q11m62XP9D3YGCnallbdD5odCk6bt6pmepNxpSkKgl4_CPcsE8ajjPn3hOsbkO50KWDDnK_bJBZenXywo938ENjuUwCs1k6KGVrE-sEehTqPhuc7v5lK_QEGKWTp5agDg3sUGGocIbrOnHFSEhY38m_nwfhSxn7_zlfXxvehnVEMrno4hXY-dzMtu4JJMA4bHuOs6LM7O7PO-29HIhvS_ufDwDPwHKPOcHtSOBWByFQ5fKPAwygcjYCy3J3ZObkPTPLjKcga_IvDt-3USSuvgFbv6DTW9OnQzjh7Tz25xTMZ5aPba9vyv-UjcB-XG4Q-QAq80xQpORjIzAFtTJqDlsnSFTgfS_HJwmcwxsPKwFOUSjXR2QZQdi99abekcT9jyLLVQqbbVpw0adoTmLwL2ZfL1iukkbTxhsb2msU9pAxl-E_ouXNrRQQNZNytQv9lwsxPtWJ0U67qEzCxPNo4zvK67IraEX3sfpYZKdftz3I1RbEZPpoY2Z_7Joq32MCu4gH9ZqW39rRUzW9eVnHXcyusrN0VeLONhqzG4qhxBahJaebE
 # 
DNT:
1
 # 
Host:
36.138.166.203:18089
 # 
Referer:
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi/
 # 
Request-Token:
857027eb-048b-4557-98fe-416de79c1499
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
Sec-Fetch-Dest:
empty
 # 
Sec-Fetch-Mode:
cors
 # 
Sec-Fetch-Site:
same-origin
 # 
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36
 # 
X-Requested-With:
XMLHttpRequest

 

*NiFi 1.17.0 screenshot after the session times out and I try to log in again.*

!image-2022-08-07-15-47-57-158.png|width=1573,height=1157!

Response Headers:
 # 
cache-control:
no-store, must-revalidate, max-age=0
 # 
content-length:
0
 # 
location:
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi-api/access/oidc/callback?state=n0fsrka3bcq8kgf0mgtcepp5mr&session_state=92191b75-936b-43b0-ab8d-a5dee49f8a64&code=30ae2c5a-7680-4493-b644-d552681da2e8.92191b75-936b-43b0-ab8d-a5dee49f8a64.61127d6f-8931-4b59-9ee1-022299ce258b
 # 
p3p:
CP="This is not a P3P policy!"
 # 
referrer-policy:
no-referrer
 # 
set-cookie:
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxZjMyODA1Ny04NjkwLTRkMzgtYmUwZS1kM2YwNDlkZjAwMDAifQ.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.Hlv-Mg6j-YOC4dYkj7NwIXGStqeBs_O1LwSFJB2_U4M;
 Version=1; Path=/realms/zznode/; HttpOnly
 # 
set-cookie:
KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 
00:00:10 GMT; Max-Age=0; Path=/realms/zznode/; HttpOnly
 # 
set-cookie:
KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; 
Path=/realms/zznode/; HttpOnly
 # 
set-cookie:
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxZjMyODA1Ny04NjkwLTRkMzgtYmUwZS1kM2YwNDlkZjAwMDAifQ.eyJleHAiOjE2NTk4OTQzNTAsImlhdCI6MTY1OTg1ODM1MCwianRpIjoiMmM3ZTkyZmEtZGFlNC00N2U1LThhM2YtMGExOTdiMDY3ZTI4IiwiaXNzIjoiaHR0cHM6Ly8zNi4xMzMuNTUuMTAwOjg5NDMvcmVhbG1zL3p6bm9kZSIsInN1YiI6ImUzNWYyYjE2LWQxNzYtNDQ1MC1iOWU1LTgzYjEzZDAwZGExMyIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic2lkIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic3RhdGVfY2hlY2tlciI6Ikxxd3lHUV9majdQSWM2ekx3Vzd0aU5EY3JtcEZtdWxCcjF1a1QzNmJzdWcifQ.IPLfGY_QgNHyt1xSRyBLs7WxsjhS3FCAHnmjx_xzzrA;
 Version=1; Path=/realms/zznode/; SameSite=None; Secure; HttpOnly
 # 
set-cookie:
KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxZjMyODA1Ny04NjkwLTRkMzgtYmUwZS1kM2YwNDlkZjAwMDAifQ.eyJleHAiOjE2NTk4OTQzNTAsImlhdCI6MTY1OTg1ODM1MCwianRpIjoiMmM3ZTkyZmEtZGFlNC00N2U1LThhM2YtMGExOTdiMDY3ZTI4IiwiaXNzIjoiaHR0cHM6Ly8zNi4xMzMuNTUuMTAwOjg5NDMvcmVhbG1zL3p6bm9kZSIsInN1YiI6ImUzNWYyYjE2LWQxNzYtNDQ1MC1iOWU1LTgzYjEzZDAwZGExMyIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic2lkIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic3RhdGVfY2hlY2tlciI6Ikxxd3lHUV9majdQSWM2ekx3Vzd0aU5EY3JtcEZtdWxCcjF1a1QzNmJzdWcifQ.IPLfGY_QgNHyt1xSRyBLs7WxsjhS3FCAHnmjx_xzzrA;
 Version=1; Path=/realms/zznode/; HttpOnly
 # 
set-cookie:
KEYCLOAK_SESSION=zznode/e35f2b16-d176-4450-b9e5-83b13d00da13/92191b75-936b-43b0-ab8d-a5dee49f8a64;
 Version=1; Expires=Sun, 07-Aug-2022 17:45:50 GMT; Max-Age=36000; 
Path=/realms/zznode/; SameSite=None; Secure
 # 
set-cookie:
KEYCLOAK_SESSION_LEGACY=zznode/e35f2b16-d176-4450-b9e5-83b13d00da13/92191b75-936b-43b0-ab8d-a5dee49f8a64;
 Version=1; Expires=Sun, 07-Aug-2022 17:45:50 GMT; Max-Age=36000; 
Path=/realms/zznode/
 # 
set-cookie:
KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/zznode/; HttpOnly
 # 
strict-transport-security:
max-age=31536000; includeSubDomains
 # 
x-content-type-options:
nosniff
 # 
x-xss-protection:
1; mode=block

Request Headers:
 # 
:authority:
36.133.55.100:8943
 # 
:method:
GET
 # 
:path:
/realms/zznode/protocol/openid-connect/auth?client_id=nifi.server&response_type=code&scope=openid+email&state=n0fsrka3bcq8kgf0mgtcepp5mr&redirect_uri=https%3A%2F%2F36.138.166.203%3A18089%2Fzqjkcj_nanjing-nifi%2Fnifi-api%2Faccess%2Foidc%2Fcallback
 # 
:scheme:
https
 # 
accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 # 
accept-encoding:
gzip, deflate, br
 # 
accept-language:
zh-CN,zh;q=0.9
 # 
cookie:
AUTH_SESSION_ID=92191b75-936b-43b0-ab8d-a5dee49f8a64.hb3-ifz-gitlab-000-40622; 
AUTH_SESSION_ID_LEGACY=92191b75-936b-43b0-ab8d-a5dee49f8a64.hb3-ifz-gitlab-000-40622;
 
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxZjMyODA1Ny04NjkwLTRkMzgtYmUwZS1kM2YwNDlkZjAwMDAifQ.eyJleHAiOjE2NTk4OTM2NjYsImlhdCI6MTY1OTg1NzY2NiwianRpIjoiNDIxOWU5MTMtMTBjNC00NmM0LTljMjQtMmM4ZWYxMGZlM2U5IiwiaXNzIjoiaHR0cHM6Ly8zNi4xMzMuNTUuMTAwOjg5NDMvcmVhbG1zL3p6bm9kZSIsInN1YiI6ImUzNWYyYjE2LWQxNzYtNDQ1MC1iOWU1LTgzYjEzZDAwZGExMyIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic2lkIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic3RhdGVfY2hlY2tlciI6Ikxxd3lHUV9majdQSWM2ekx3Vzd0aU5EY3JtcEZtdWxCcjF1a1QzNmJzdWcifQ.KYgQKv_lNCtkouaPFYHoRh3bQ5GSvJjq_XRfwXwxsNM;
 
KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxZjMyODA1Ny04NjkwLTRkMzgtYmUwZS1kM2YwNDlkZjAwMDAifQ.eyJleHAiOjE2NTk4OTM2NjYsImlhdCI6MTY1OTg1NzY2NiwianRpIjoiNDIxOWU5MTMtMTBjNC00NmM0LTljMjQtMmM4ZWYxMGZlM2U5IiwiaXNzIjoiaHR0cHM6Ly8zNi4xMzMuNTUuMTAwOjg5NDMvcmVhbG1zL3p6bm9kZSIsInN1YiI6ImUzNWYyYjE2LWQxNzYtNDQ1MC1iOWU1LTgzYjEzZDAwZGExMyIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic2lkIjoiOTIxOTFiNzUtOTM2Yi00M2IwLWFiOGQtYTVkZWU0OWY4YTY0Iiwic3RhdGVfY2hlY2tlciI6Ikxxd3lHUV9majdQSWM2ekx3Vzd0aU5EY3JtcEZtdWxCcjF1a1QzNmJzdWcifQ.KYgQKv_lNCtkouaPFYHoRh3bQ5GSvJjq_XRfwXwxsNM;
 
KEYCLOAK_SESSION=zznode/e35f2b16-d176-4450-b9e5-83b13d00da13/92191b75-936b-43b0-ab8d-a5dee49f8a64;
 
KEYCLOAK_SESSION_LEGACY=zznode/e35f2b16-d176-4450-b9e5-83b13d00da13/92191b75-936b-43b0-ab8d-a5dee49f8a64
 # 
dnt:
1
 # 
referer:
https://36.138.166.203:18089/
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
sec-fetch-dest:
document
 # 
sec-fetch-mode:
navigate
 # 
sec-fetch-site:
cross-site
 # 
upgrade-insecure-requests:
1
 # 
user-agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36

======================================================

I reverted NiFi to 1.16.3 on this server.

*NiFi 1.16.3 screenshot in session.*

!image-2022-08-07-15-53-47-220.png|width=1532,height=1155!

Request Headers:
 # 
Cache-Control:
private, no-cache, no-store, no-transform
 # 
Connection:
keep-alive
 # 
Content-Encoding:
gzip
 # 
Content-Length:
216
 # 
Content-Security-Policy:
frame-ancestors 'self'
 # 
Content-Type:
application/json
 # 
Date:
Sun, 07 Aug 2022 07:53:12 GMT
 # 
Expires:
Thu, 01 Jan 1970 00:00:00 GMT
 # 
Server:
nginx
 # 
Set-Cookie:
__Secure-Request-Token=; Path=/zqjkcj_nanjing-nifi/; Expires=Thu, 01-Jan-1970 
00:00:00 GMT; Max-Age=0; Secure
 # 
Set-Cookie:
__Secure-Request-Token=dcd98abf-886d-4cbf-96a0-4ba3b48b0545; 
Path=/zqjkcj_nanjing-nifi/; Secure
 # 
Strict-Transport-Security:
max-age=31540000
 # 
Vary:
Accept-Encoding
 # 
X-Content-Type-Options:
nosniff
 # 
X-Frame-Options:
SAMEORIGIN
 # 
X-ProxiedEntitiesAccepted:
true
 # 
X-XSS-Protection:
1; mode=block

Response Headers:
 # 
Accept:
application/json, text/javascript, */*; q=0.01
 # 
Accept-Encoding:
gzip, deflate, br
 # 
Accept-Language:
zh-CN,zh;q=0.9
 # 
Connection:
keep-alive
 # 
Cookie:
__Secure-Authorization-Bearer=eyJraWQiOiIyZmQ3YWIxNy1iMTU1LTQ1OGMtOGE5Zi05MzIzNGIxNWU5MjEiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5ODU4NzczLCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5ODU5MDcyLCJpYXQiOjE2NTk4NTg3NzMsImp0aSI6ImJjNjRhZjYwLWI4ZjQtNDVjOC1hNjdjLTM4OGNlYzRkMzBmOCJ9.ZhgCb39GRPA_kLB6l1Q3kX6rcYj9-paTjo6QfXq__aHFRzXBQrO_NEzpUSm_xu_TL2lHSSeMnpPe9zBux9Viqz64Zyty4DuMbC2i3MPZu4VjQR4_59hJV5n1vm4zlh6HK3gW6zvbZWw534b-ufU2nCNWs6z-4s3ZlobUIrUI8W8zqIOPj1y29FCe_5sXNeejIAS77MWiuqYzGKs8Y2N_NPCFceS7OSK3zYN_OhMXUEYUH955aOXTjEO2zX6chfKuuBUvZO1_Ib5vdBEFYLrMjPTLjwKkRdWj5xd-2MRy2PoOw5CyONrSgXsecbhx4ZQHp6e9fisQ33dl0pi2lAPi8LaEeMWpATV3dlDpxR-ST_g-DYZ66EgRwObDK--p_V07FC4svpcR14n4y9WHHXW0i8i2BqY5GFx65qT5piAWBRL5fYcQeSOzq7Re2-pxdTusKVSx4xhFd9BxHhPiAWNaa2gZXuJKIf-jIMKeeBLaLw-eCqrA44OA7T3D0Xc2sIddZ229-iFjr8OKYjvd7JImvczaF84bCeo_P8OjPBJTAvZ09Y6xTNOYDoOKqe0EfIPEysm3viTZsgjsZvl9QRe9JI2Xcy-2kUfwgwW1YsyjGKQb0fLjqY4CvSeMboajXXjrhq2jLHSBtHyXk1zXBvRs3fnwhzF-z94nmoeqpu4VIs0;
 __Secure-Request-Token=dcd98abf-886d-4cbf-96a0-4ba3b48b0545
 # 
DNT:
1
 # 
Host:
36.138.166.203:18089
 # 
Referer:
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi/
 # 
Request-Token:
dcd98abf-886d-4cbf-96a0-4ba3b48b0545
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
Sec-Fetch-Dest:
empty
 # 
Sec-Fetch-Mode:
cors
 # 
Sec-Fetch-Site:
same-origin
 # 
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36
 # 
X-Requested-With:
XMLHttpRequest

 

*NiFi 1.16.3 screenshot after session times out.*

!image-2022-08-07-16-00-11-443.png|width=1502,height=1133!

Response Headers:
 # 
Connection:
keep-alive
 # 
Content-Security-Policy:
frame-ancestors 'self'
 # 
Date:
Sun, 07 Aug 2022 07:59:02 GMT
 # 
Server:
nginx
 # 
Strict-Transport-Security:
max-age=31540000
 # 
Transfer-Encoding:
chunked
 # 
WWW-Authenticate:
Bearer error="invalid_token", error_description="An error occurred while 
attempting to decode the Jwt: Expired JWT", 
error_uri="https://tools.ietf.org/html/rfc6750#section-3.1";
 # 
X-Content-Type-Options:
nosniff
 # 
X-Frame-Options:
SAMEORIGIN
 # 
X-ProxiedEntitiesAccepted:
true
 # 
X-XSS-Protection:
1; mode=block

Request Headers:
 # 
Accept:
application/json, text/javascript, */*; q=0.01
 # 
Accept-Encoding:
gzip, deflate, br
 # 
Accept-Language:
zh-CN,zh;q=0.9
 # 
Connection:
keep-alive
 # 
Cookie:
__Secure-Authorization-Bearer=eyJraWQiOiIyZmQ3YWIxNy1iMTU1LTQ1OGMtOGE5Zi05MzIzNGIxNWU5MjEiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5ODU4NzczLCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5ODU5MDcyLCJpYXQiOjE2NTk4NTg3NzMsImp0aSI6ImJjNjRhZjYwLWI4ZjQtNDVjOC1hNjdjLTM4OGNlYzRkMzBmOCJ9.ZhgCb39GRPA_kLB6l1Q3kX6rcYj9-paTjo6QfXq__aHFRzXBQrO_NEzpUSm_xu_TL2lHSSeMnpPe9zBux9Viqz64Zyty4DuMbC2i3MPZu4VjQR4_59hJV5n1vm4zlh6HK3gW6zvbZWw534b-ufU2nCNWs6z-4s3ZlobUIrUI8W8zqIOPj1y29FCe_5sXNeejIAS77MWiuqYzGKs8Y2N_NPCFceS7OSK3zYN_OhMXUEYUH955aOXTjEO2zX6chfKuuBUvZO1_Ib5vdBEFYLrMjPTLjwKkRdWj5xd-2MRy2PoOw5CyONrSgXsecbhx4ZQHp6e9fisQ33dl0pi2lAPi8LaEeMWpATV3dlDpxR-ST_g-DYZ66EgRwObDK--p_V07FC4svpcR14n4y9WHHXW0i8i2BqY5GFx65qT5piAWBRL5fYcQeSOzq7Re2-pxdTusKVSx4xhFd9BxHhPiAWNaa2gZXuJKIf-jIMKeeBLaLw-eCqrA44OA7T3D0Xc2sIddZ229-iFjr8OKYjvd7JImvczaF84bCeo_P8OjPBJTAvZ09Y6xTNOYDoOKqe0EfIPEysm3viTZsgjsZvl9QRe9JI2Xcy-2kUfwgwW1YsyjGKQb0fLjqY4CvSeMboajXXjrhq2jLHSBtHyXk1zXBvRs3fnwhzF-z94nmoeqpu4VIs0;
 __Secure-Request-Token=dcd98abf-886d-4cbf-96a0-4ba3b48b0545
 # 
DNT:
1
 # 
Host:
36.138.166.203:18089
 # 
Referer:
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi/
 # 
Request-Token:
dcd98abf-886d-4cbf-96a0-4ba3b48b0545
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
Sec-Fetch-Dest:
empty
 # 
Sec-Fetch-Mode:
cors
 # 
Sec-Fetch-Site:
same-origin
 # 
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36
 # 
X-Requested-With:
XMLHttpRequest

> invalid_token error after OpenID connect session timeout
> --------------------------------------------------------
>
>                 Key: NIFI-10322
>                 URL: https://issues.apache.org/jira/browse/NIFI-10322
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.17.0
>            Reporter: macdoor615
>            Priority: Major
>             Fix For: 1.18.0
>
>         Attachments: image-2022-08-05-22-48-17-835.png, 
> image-2022-08-05-22-48-52-057.png, image-2022-08-07-14-28-09-058.png, 
> image-2022-08-07-15-22-36-213.png, image-2022-08-07-15-27-18-902.png, 
> image-2022-08-07-15-37-29-739.png, image-2022-08-07-15-43-14-922.png, 
> image-2022-08-07-15-47-57-158.png, image-2022-08-07-15-53-47-220.png, 
> image-2022-08-07-16-00-11-443.png, image-2022-08-07-16-11-38-180.png
>
>
> I followed 
> [https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect] to 
> configure NiFi 1.16.3 and it works properly. If the session times out, I log in 
> again and it works again.
> I configured 1.17.0 in the same way. I can log in and operate the NiFi UI, but 
> when the session times out, I get the following error.
>  
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred 
> while attempting to decode the Jwt: Expired JWT", 
> error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>  
> !image-2022-08-05-22-48-17-835.png|width=758,height=108!
> I try to log in again and get a new error, and I cannot enter the NiFi 
> interface.
>  
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred 
> while attempting to decode the Jwt: Signed JWT rejected: Another algorithm 
> expected, or no matching key(s) found", 
> error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>  
> !image-2022-08-05-22-48-52-057.png|width=594,height=143!
> I did some research and found that, after the session times out, 
> NiFi 1.16.3 leaves 3 cookies in the browser:
>  * nifi-logout-request-identifier
>  * nifi-oidc-request-identifier
>  * __Secure-Request-Token
> NiFi 1.17.0 leaves 2 cookies:
>  * *__Secure-Authorization-Bearer*
>  * __Secure-Request-Token
> The __Secure-Authorization-Bearer cookie contains an expired JWT:
> {code:java}
> eyJraWQiOiJhMDlhZDhlMy0xZDkzLTQyZTEtYjg0Ni0xMWU0ODRkODYwYWYiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5NjExOTc0LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5NjEyMjc0LCJpYXQiOjE2NTk2MTE5NzQsImp0aSI6IjFiZTg5MjU4LTliZmYtNDhmOS04OGNmLWU0NDIzMDZjYzg4ZCJ9.Y9yE0hNH_q-W94_cFWOWGc7TPMP2xB9coaSRPT9twYqSyjTtudOiiXGxHEDUWsOvUFf7lT7wNH4RZ_LhOM-5WfTZ3o-DCVFnl0JjeZ-L9d-z3rO4dEspRxXpr46AewEGy_lpstSUFyihr4i8b2VI7IT0aFOCGAIXRWl7gfH75e5La_0tbsu9lgSRdyYBBv8rSjojJC5bBSqxj-BkrfjdMhyMuF9OdMCJNmyh18BrXbavwftNerytkd_Qf9eNLmzsZ3SOdKWpftKt4kClD_KeL0nOglhM-ENyb4QLwxr7l5lhUgQ-2am3x5okbRyYip_WV4YQ6DfmUnLL1FYFATWXa5CUimSRbSZzkqU2JEYerpvKsTf-prdsSNryPbrQdf5HqpwhlGbFrgm4jwtncZHTLEL4ZMciVe0H-zIcQ9vyDqamMpf6fyNWmQN8DdDP9A0Zpo7SL7yhOUjNGsjk1gV4OAHWgp4XQzj4KwoGf7ICjeOrzinECHFZw9Ccyi8KMooRx4u3oAuKPEx3mrZFNFDaiAzWX0kZ31c24-15cno2bLBMGOIx7ipjb6Pv7V6O9S2aA2vC3eVLnfAgHAox3I8_IzWLUKddHCqd6cfA1XW8ckSgg2QddKvgYHiCZpwVV4AMDpK4bI1J0ZbxbgOOke9IMMudNhZUFQdWJIXh-gx1bII{code}
> I manually deleted the __Secure-Authorization-Bearer cookie, and I can log in to NiFi 
> 1.17.0 again.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
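
A triage helper for exchanges like the ones captured in this comment, added here as an example (not code from the reporter or from NiFi): it decodes the bearer cookie's exp claim without verifying the signature, compares it with the response Date, and reports whether the response carries a clearing Set-Cookie and for which Domain and Path. The sample headers, nifi.example, /proxy-path and all function names are constructed for illustration.

```python
import base64
import json
from email.utils import parsedate_to_datetime

BEARER = "__Secure-Authorization-Bearer"


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data (not the tokens from the report): a JWT-shaped value
# with a dummy signature, plus headers modelled on the post-timeout exchange.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "PS512"}),
                         _b64url({"sub": "user@example.com", "exp": 1659859703}),
                         "c2lnbmF0dXJl"])
SAMPLE_COOKIE = f"__Secure-Request-Token=0000-constructed; {BEARER}={SAMPLE_TOKEN}"
SAMPLE_DATE = "Sun, 07 Aug 2022 08:09:29 GMT"
SAMPLE_SET_COOKIE = (f"{BEARER}=; Path=/proxy-path; Domain=nifi.example; Max-Age=0; "
                     "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly")


def jwt_claims(token):
    """Decode the claims segment WITHOUT verifying the signature (triage only)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def parse_cookie_header(value):
    """Request Cookie header -> {name: value}."""
    parts = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {name: val for name, _, val in parts}


def parse_set_cookie(value):
    """Response Set-Cookie header -> (name, value, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, attr_val = part.partition("=")
        attrs[key.lower()] = attr_val
    return name, val, attrs


def triage(cookie_header, date_header, set_cookie=None):
    """Summarise one 401 exchange: was the bearer expired, and did the server clear it?"""
    now = int(parsedate_to_datetime(date_header).timestamp())
    token = parse_cookie_header(cookie_header).get(BEARER)
    report = {"token_sent": token is not None, "expired": None,
              "seconds_past_exp": None, "server_clears_cookie": False,
              "clear_scope": None}
    if token:
        delta = now - int(jwt_claims(token)["exp"])
        report.update(expired=delta >= 0, seconds_past_exp=delta)
    if set_cookie:
        name, val, attrs = parse_set_cookie(set_cookie)
        if name == BEARER and val == "" and attrs.get("max-age") == "0":
            report["server_clears_cookie"] = True
            # Scope the browser must match against the stored cookie to drop it.
            report["clear_scope"] = (attrs.get("domain"), attrs.get("path"))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_COOKIE, SAMPLE_DATE, SAMPLE_SET_COOKIE))
```

A browser only overwrites or expires a stored cookie when name, domain and path all match, so clear_scope is the value to compare with the cookie shown in the browser's storage panel.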
