[ 
https://issues.apache.org/jira/browse/NIFI-10322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576891#comment-17576891
 ] 

macdoor615 commented on NIFI-10322:
-----------------------------------

[~exceptionfactory] Thank you for your explanation. I took more screenshots.

*NiFi 1.17.0 screenshot after the session times out and I try to log in again.*

!image-2022-08-08-23-35-02-773.png|width=1292,height=975!

Request URL

 
{code:java}
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi-api/access/oidc/callback?state=qh1rso8umf2h934jnevkvl1ba4&session_state=f7bf8a87-8530-4f65-a21a-0f9ff3c34505&code=107fb3ab-af9b-46eb-9468-bcd3093754a8.f7bf8a87-8530-4f65-a21a-0f9ff3c34505.61127d6f-8931-4b59-9ee1-022299ce258b{code}
 

Response Headers
 # 
Connection:
keep-alive
 # 
Content-Length:
182
 # 
Content-Security-Policy:
frame-ancestors 'self'
 # 
Content-Type:
text/plain;charset=iso-8859-1
 # 
Date:
Mon, 08 Aug 2022 15:34:39 GMT
 # 
Server:
nginx
 # 
Set-Cookie:
__Secure-Authorization-Bearer=; Path=/zqjkcj_nanjing-nifi; 
Domain=36.138.166.203; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; 
Secure; HttpOnly
 # 
Strict-Transport-Security:
max-age=31536000 ; includeSubDomains
 # 
WWW-Authenticate:
Bearer error="invalid_token", error_description="An error occurred while 
attempting to decode the Jwt: Expired JWT", 
error_uri="https://tools.ietf.org/html/rfc6750#section-3.1";
 # 
X-Content-Type-Options:
nosniff
 # 
X-Frame-Options:
SAMEORIGIN
 # 
X-ProxiedEntitiesAccepted:
true
 # 
X-XSS-Protection:
1; mode=block

Request Headers
 # 
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 # 
Accept-Encoding:
gzip, deflate, br
 # 
Accept-Language:
zh-CN,zh;q=0.9
 # 
Connection:
keep-alive
 # 
Cookie:
__Secure-Request-Token=a7af6478-0789-4296-83d5-1da943fad995; 
__Secure-Authorization-Bearer=eyJraWQiOiI4ZGFjNTViNy1iNjhlLTQ5MmEtOWQxZC0zOTdhZmU1Y2M1ZDkiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5OTcyMTg5LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5OTcyNDg4LCJpYXQiOjE2NTk5NzIxODksImp0aSI6IjE0YmQ0NmQ0LTFmMzQtNGU1NS1iZmQzLWVkMmFkOGIwMzMzZCJ9.fLbNehCN-nmhz6YmYFnr_A6WSPV7kKj-h24o3OXieSS7dXjRn0fpwAn2gwItidH0OmwQKU6vVon1fHdhUtvsSMbw4uP-DvfDaCLTMgd3lFW_75gHxwlsXTB-ZDgUolermeNQ9o4Fl9_jZTupcfTdVcXLxV4i4gd2HMy_8IkYZbBYDWcSBYXJkxCKIZS-JjkBd9TRH0cdpRWVC8FxvHOvRuM3FdBzME7SKB0yltl_kl-U3gnmEQL5ZEng4v7H6uEdrV0eh7fTPOJOuY9tIJ1lN8xswKvTkmVj7hAvqtK5Y9mu6gjSK7n-Bez4Md3X7smEfqJ3pGsHUOaWrioHqn6BMH_n28o8r4RpBx0XJ6ED-27UoYCctvkd7tFl3LEgBCGxnzddLo8gfKsZZSqctVtYxA2tYwr3Nxr2vobZBuN9xXemAJTxMURa9sLRTMs6P6tti2B4NT_EqigztCIRRC3ogPy8hFJhjvg16Cbq-tUiHtqw6humT1UQ5Cvu-w3bpq5hDEgJxB4dG-eR2zdyv9i82xs-d-nAPmWx9rOZm9rFAANgiEJIHNZ6aKFe6GflJIhNu1s2e2EbiUAZ1aHUXM1JGC7nMUjXDrMNtX-Dts12K42zE6Qg8rrY3o6V7kMvtIvLgIZRRwmVp1Jhwdm8WIOhV0rzXfULNTKuJSXOBbIDWpg;
 nifi-oidc-request-identifier=eacf0292-ebb3-452b-884a-b374f4e17440
 # 
DNT:
1
 # 
Host:
36.138.166.203:18089
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
Sec-Fetch-Dest:
document
 # 
Sec-Fetch-Mode:
navigate
 # 
Sec-Fetch-Site:
cross-site
 # 
Upgrade-Insecure-Requests:
1
 # 
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36

*NiFi 1.16.3 screenshot after the session times out; I refresh the browser and 
log in again successfully.*

!image-2022-08-08-23-59-12-471.png|width=1310,height=955!
Request URL:
[https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi-api/access/oidc/callback?state=grtd4u98nbh9ljclha6p3mht97&session_state=31d13a5d-c107-4f05-a002-62322f2fa588&code=cc5f3833-00b0-4c6f-b9db-da0a1812d78c.31d13a5d-c107-4f05-a002-62322f2fa588.61127d6f-8931-4b59-9ee1-022299ce258b]
 
Response Headers
 # 
Connection:
keep-alive
 # 
Content-Security-Policy:
frame-ancestors 'self'
 # 
Date:
Mon, 08 Aug 2022 15:58:27 GMT
 # 
Location:
https://36.138.166.203:18089/zqjkcj_nanjing-nifi/nifi/
 # 
Server:
nginx
 # 
Strict-Transport-Security:
max-age=31540000
 # 
Transfer-Encoding:
chunked
 # 
X-Content-Type-Options:
nosniff
 # 
X-Frame-Options:
SAMEORIGIN
 # 
 
X-XSS-Protection:
1; mode=block
 
Request Headers
 # 
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 # 
Accept-Encoding:
gzip, deflate, br
 # 
Accept-Language:
zh-CN,zh;q=0.9
 # 
Connection:
keep-alive
 # 
Cookie:
__Secure-Authorization-Bearer=eyJraWQiOiJkYjUxNzlhMy0xOGMwLTQ2NjUtYTk2OS04NGQ5ZGM0NzQ2M2MiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5OTczODc5LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5OTc0MTc5LCJpYXQiOjE2NTk5NzM4NzksImp0aSI6ImExYjZmMThkLTYyNjQtNGY2Mi04OTY3LTU4YzExNmNhM2NkMSJ9.Ex5aaYEWZrIRHff2NZcdOf8sZwPWHldj9sHL9vr8Yh0Wbnp1fOSR2RdbSrT7rfNRO-mjywSUx-9omAeIt7Uh94ylvJe3-HtOD0zXr9XgBOaoqxQGH9n00hDIPifxyALQ3mE5tZ8yTisyKwOFSKxFmjBusTvfnrn4nxfOgST_qHBj7mSR0_nGPLc-Wb_wgSmS2K3rMGvFBTOc7L-mPFkY4JRSz92qwIvPj_p5qdoGJXyFNwGh8XVj-iBfWzE9Ir0FEGd55_O3VLepqSzM1WLZWDdRB7b9RUHefAKJbgCI8GaXYt9Ywoy_xKMXFCW_v47uqHqai1IFIbmUclmscLEBwRqtrsBcrFAZvQzIJJXpEvOC9GndVsYQsHtWvA7cRu9vA22JMogzOFJXYfF-Msdje-6e5PiuPU-CFUphDYrzxKBQ1FzZH7eaDaTXqxMhbvpZ9kyxkqkOyCcLx6P8i2l9lfC9GjW2pSkmPNokoQjX6QFwnUMinFPv6zam7vHxTLIWEfQiUhWswow6jXzqsfK2IEUB38UdHvn63EAWeKNm3Mm4dKqTTppwCBqBnmJ8ly_Lhh2zxXtK3AigeYx7Yp_fWh1lJxVKJfgu93mwudwsjje9MGsyJhV_4WvqCgQLWhAYpC1W68lqLaMYTGRGk2LApGxJ7vB4JRXtbkVjGdqufm4;
 __Secure-Request-Token=ecb9bca5-ca7a-4677-a2eb-de322899b485; 
nifi-oidc-request-identifier=5b0cd111-0e44-406f-907b-39d57d9f724c
 # 
DNT:
1
 # 
Host:
36.138.166.203:18089
 # 
sec-ch-ua:
".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
 # 
sec-ch-ua-mobile:
?0
 # 
sec-ch-ua-platform:
"macOS"
 # 
Sec-Fetch-Dest:
document
 # 
Sec-Fetch-Mode:
navigate
 # 
Sec-Fetch-Site:
cross-site
 # 
Upgrade-Insecure-Requests:
1
 # 
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/103.0.0.0 Safari/537.36
 
I uploaded the nifi-request.log and nifi-user.log files for NiFi 1.16.3 and 
1.17.0, and the nginx access.log.

> invalid_token error after OpenID connect session timeout
> --------------------------------------------------------
>
>                 Key: NIFI-10322
>                 URL: https://issues.apache.org/jira/browse/NIFI-10322
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.17.0
>            Reporter: macdoor615
>            Priority: Major
>             Fix For: 1.18.0
>
>         Attachments: image-2022-08-05-22-48-17-835.png, 
> image-2022-08-05-22-48-52-057.png, image-2022-08-07-14-28-09-058.png, 
> image-2022-08-07-15-22-36-213.png, image-2022-08-07-15-27-18-902.png, 
> image-2022-08-07-15-37-29-739.png, image-2022-08-07-15-43-14-922.png, 
> image-2022-08-07-15-47-57-158.png, image-2022-08-07-15-53-47-220.png, 
> image-2022-08-07-16-00-11-443.png, image-2022-08-07-16-11-38-180.png, 
> image-2022-08-08-23-33-30-220.png, image-2022-08-08-23-35-02-773.png, 
> image-2022-08-08-23-59-12-471.png, nginx-access.log.zip, 
> nifi-1.16.3-logs.zip, nifi-1.17.0-logs.zip
>
>
> I followed 
> [https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect] to 
> configure NiFi 1.16.3 and it works properly. If the session times out, I log 
> in again and it works again.
> I configured 1.17.0 in the same way. I can log in and operate the NiFi UI. But 
> when the session times out, I get the following error.
>  
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred 
> while attempting to decode the Jwt: Expired JWT", 
> error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>  
> !image-2022-08-05-22-48-17-835.png|width=758,height=108!
> I try to log in again and get a new error, and I cannot enter the NiFi 
> interface.
>  
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred 
> while attempting to decode the Jwt: Signed JWT rejected: Another algorithm 
> expected, or no matching key(s) found", 
> error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>  
> !image-2022-08-05-22-48-52-057.png|width=594,height=143!
> I did some research and found the following.
> After the session times out, 
> NiFi 1.16.3 leaves 3 cookies in the browser:
>  * nifi-logout-request-identifier
>  * nifi-oidc-request-identifier
>  * __Secure-Request-Token
> NIFI 1.17.0 leaves 2 cookies:
>  * *__Secure-Authorization-Bearer*
>  * __Secure-Request-Token
>  The __Secure-Authorization-Bearer cookie that is left behind contains an expired JWT:
> {code:java}
> eyJraWQiOiJhMDlhZDhlMy0xZDkzLTQyZTEtYjg0Ni0xMWU0ODRkODYwYWYiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5NjExOTc0LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5NjEyMjc0LCJpYXQiOjE2NTk2MTE5NzQsImp0aSI6IjFiZTg5MjU4LTliZmYtNDhmOS04OGNmLWU0NDIzMDZjYzg4ZCJ9.Y9yE0hNH_q-W94_cFWOWGc7TPMP2xB9coaSRPT9twYqSyjTtudOiiXGxHEDUWsOvUFf7lT7wNH4RZ_LhOM-5WfTZ3o-DCVFnl0JjeZ-L9d-z3rO4dEspRxXpr46AewEGy_lpstSUFyihr4i8b2VI7IT0aFOCGAIXRWl7gfH75e5La_0tbsu9lgSRdyYBBv8rSjojJC5bBSqxj-BkrfjdMhyMuF9OdMCJNmyh18BrXbavwftNerytkd_Qf9eNLmzsZ3SOdKWpftKt4kClD_KeL0nOglhM-ENyb4QLwxr7l5lhUgQ-2am3x5okbRyYip_WV4YQ6DfmUnLL1FYFATWXa5CUimSRbSZzkqU2JEYerpvKsTf-prdsSNryPbrQdf5HqpwhlGbFrgm4jwtncZHTLEL4ZMciVe0H-zIcQ9vyDqamMpf6fyNWmQN8DdDP9A0Zpo7SL7yhOUjNGsjk1gV4OAHWgp4XQzj4KwoGf7ICjeOrzinECHFZw9Ccyi8KMooRx4u3oAuKPEx3mrZFNFDaiAzWX0kZ31c24-15cno2bLBMGOIx7ipjb6Pv7V6O9S2aA2vC3eVLnfAgHAox3I8_IzWLUKddHCqd6cfA1XW8ckSgg2QddKvgYHiCZpwVV4AMDpK4bI1J0ZbxbgOOke9IMMudNhZUFQdWJIXh-gx1bII{code}
>  If I manually delete the __Secure-Authorization-Bearer cookie, I can log in 
> to NiFi 1.17.0 again.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
