[ https://issues.apache.org/jira/browse/NIFI-10332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627424#comment-17627424 ]
ASF subversion and git services commented on NIFI-10332:
--------------------------------------------------------

Commit c40639a51f7a2bac0054053696ff2300d9fa7eaf in nifi's branch refs/heads/main from Nathan Gough
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=c40639a51f ]

NIFI-10332 Selected OIDC Logout method using Discovery URLs

This closes #6594

Signed-off-by: David Handermann <exceptionfact...@apache.org>

> Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak
> ----------------------------------------------------------------------------
>
>                 Key: NIFI-10332
>                 URL: https://issues.apache.org/jira/browse/NIFI-10332
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI
>    Affects Versions: 1.17.0
>         Environment: NiFi 1.17.0, Keycloak 18.0.1
>            Reporter: macdoor615
>            Assignee: Nathan Gough
>            Priority: Major
>         Attachments: image-2022-08-09-16-56-25-791.png
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> I deployed NiFi 1.170 and authenticate with OpenID Connect. The authentication
> server is Keycloak 18.0.1.
> I can log in and I can use the UI properly.
> But when I log out, I get an error and cannot be redirected to the NiFi UI or
> the Keycloak login UI.
> !image-2022-08-09-16-56-25-791.png|width=782,height=347!
> [https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F36.138.166.203%3A18089%2Fhb3-dmz-repos-000-nifi%2Fnifi-api%2F..%2Fnifi%2Flogout-complete]
> I investigated the source code. I found NiFi only supports
> ID_TOKEN_LOGOUT for the Okta service. Keycloak and other authentication
> servers cannot be supported.
> Keycloak says it is compliant with the OpenID Connect spec.
> I modified a few lines of source code to let it support ID_TOKEN_LOGOUT for
> Keycloak. Now I can log out of NiFi, get redirected to the Keycloak login UI,
> and then log in to NiFi again.
> I suggest making NiFi support ID_TOKEN_LOGOUT in a later version for general
> OpenID Connect servers.
> I modified the file
> [https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OIDCAccessResource.java]
> starting from line 403:
> {code:java}
>     private String determineLogoutMethod(String oidcDiscoveryUrl) {
>         Matcher accessTokenMatcher = REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>         Matcher idTokenMatcher = ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>
>         if (accessTokenMatcher.find()) {
>             return REVOKE_ACCESS_TOKEN_LOGOUT;
>         } else {
>             // Every other discovery URL falls through to ID token logout
>             return ID_TOKEN_LOGOUT;
>         }
>     }
>
> {code}
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
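
The issue above turns on how the logout method is chosen for a given provider. As an added example (not NiFi's code, and not from the reporter or the commit), the Java below selects the method from the fields a provider advertises in its discovery metadata instead of from a pattern on the discovery URL, and builds the logout redirect with id_token_hint and post_logout_redirect_uri. The class and method names, the NONE value, the sample hosts and the token are assumptions; end_session_endpoint, revocation_endpoint, id_token_hint and post_logout_redirect_uri are the standard OIDC/OAuth names.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example: class and method names are hypothetical, not NiFi's API.
public class OidcLogoutSelector {
    enum LogoutMethod { ID_TOKEN_LOGOUT, REVOKE_ACCESS_TOKEN_LOGOUT, NONE }

    // Choose by what the provider advertises in its discovery metadata,
    // not by matching the provider's hostname.
    static LogoutMethod select(Map<String, String> metadata, String idToken) {
        if (metadata.containsKey("end_session_endpoint") && idToken != null && !idToken.isEmpty()) {
            return LogoutMethod.ID_TOKEN_LOGOUT;
        }
        if (metadata.containsKey("revocation_endpoint")) {
            return LogoutMethod.REVOKE_ACCESS_TOKEN_LOGOUT;
        }
        return LogoutMethod.NONE;
    }

    // Build the logout redirect carrying id_token_hint and post_logout_redirect_uri.
    static URI buildLogoutUri(String endSessionEndpoint, String idToken, String postLogoutRedirect) {
        URI endpoint = URI.create(endSessionEndpoint);
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            throw new IllegalArgumentException("end_session_endpoint must use https");
        }
        // Collapse "nifi-api/../nifi" so the value can be compared exactly
        // against the redirect URI registered at the provider.
        String redirect = URI.create(postLogoutRedirect).normalize().toString();
        String separator = endpoint.getRawQuery() == null ? "?" : "&";
        return URI.create(endSessionEndpoint + separator
                + "id_token_hint=" + URLEncoder.encode(idToken, StandardCharsets.UTF_8)
                + "&post_logout_redirect_uri=" + URLEncoder.encode(redirect, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample metadata and token; hosts are placeholders.
        Map<String, String> metadata = Map.of(
                "end_session_endpoint", "https://idp.example/realms/demo/protocol/openid-connect/logout",
                "revocation_endpoint", "https://idp.example/realms/demo/protocol/openid-connect/revoke");
        String idToken = "header.payload.signature";
        LogoutMethod method = select(metadata, idToken);
        System.out.println(method);
        if (method == LogoutMethod.ID_TOKEN_LOGOUT) {
            System.out.println(buildLogoutUri(metadata.get("end_session_endpoint"), idToken,
                    "https://nifi.example:8443/nifi-api/../nifi/logout-complete"));
        }
    }
}
```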