emiliosetiadarma commented on code in PR #6637:
URL: https://github.com/apache/nifi/pull/6637#discussion_r1027559752
##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java:
##########
@@ -704,20 +707,131 @@ public void oidcLogout(@Context HttpServletRequest
httpServletRequest, @Context
throw new IllegalStateException("OpenId Connect is not
configured.");
}
- final String tokenHeader =
httpServletRequest.getHeader(JwtService.AUTHORIZATION);
- jwtService.logOutUsingAuthHeader(tokenHeader);
+ // Checks if OIDC service supports logout using either by
+ // 1. revoke access token method, or
+ // 2. ID token logout method.
+ // If either of the above methods are supported,
+ // redirects request to OP to request authorization that can be
exchanged for a token used for logout
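Review bot: the removed `jwtService.logOutUsingAuthHeader(tokenHeader)` call at the top of this hunk handled logout from the Authorization header, while the added lines shown here only describe a redirect to the OP. Please confirm that the local token is still invalidated on every path, including the case where the OP supports neither access token revocation nor ID token logout. The new comment block is also hard to parse ("supports logout using either by"); consider rewording it as "Checks whether the OP supports logout by (1) access token revocation or (2) ID token logout", and say in the comment why a new authorization request is needed for logout rather than reusing the token from the request header.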
Review Comment:
The access_token part is correct. For the id_token and end_session_endpoint
case, the thing is we don't store the id_token anywhere, so what this method
does is request an authorization code that can be eventually exchanged for an
id_token. The reason I didn't use the existing NiFi token is that in
`StandardOidcIdentityProvider.java`, the `convertOIDCTokenToNiFiToken` function
converts the OIDC token to an internal NiFi token, which I don't think can be
used for the `id_token_hint` parameter that needs to be sent
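The `id_token_hint` constraint discussed in the comment above, as an added example that is not code from the PR or from NiFi: it builds the redirect to the OP's `end_session_endpoint` and refuses a token that the OP did not issue. The class and method names, URLs, issuer strings and sample tokens are constructed for illustration, and the issuer comparison assumes an application-issued token carries a different `iss` than the OP's ID token.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class OidcLogoutRequest {
    // Simplified claim lookup for this example; real code should use a JWT library.
    private static final Pattern ISS = Pattern.compile("\"iss\"\\s*:\\s*\"([^\"]+)\"");

    // Reads "iss" from the payload; signature validation is assumed done at token receipt.
    static String issuerOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = ISS.matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no iss claim");
        return m.group(1);
    }

    // Builds the redirect to the OP's end_session_endpoint with id_token_hint.
    static URI buildLogoutUri(URI endSession, String opIssuer, String idToken, URI returnTo, String state) {
        if (!"https".equalsIgnoreCase(endSession.getScheme()))
            throw new IllegalArgumentException("end_session_endpoint must be https");
        if (!opIssuer.equals(issuerOf(idToken)))
            throw new IllegalArgumentException("id_token_hint was not issued by the OP");
        String query = "id_token_hint=" + enc(idToken)
                + "&post_logout_redirect_uri=" + enc(returnTo.toString()) + "&state=" + enc(state);
        return URI.create(endSession + (endSession.getQuery() == null ? "?" : "&") + query);
    }
    static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); }

    // Constructed sample token with a placeholder signature segment.
    static String sampleJwt(String iss) {
        Base64.Encoder e = Base64.getUrlEncoder().withoutPadding();
        String body = "{\"iss\":\"" + iss + "\",\"sub\":\"alice\"}";
        return e.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + e.encodeToString(body.getBytes(StandardCharsets.UTF_8)) + ".c2ln";
    }

    public static void main(String[] args) {
        URI endSession = URI.create("https://op.example.com/logout");   // constructed values
        URI returnTo = URI.create("https://registry.example.com/nifi-registry/");
        String op = "https://op.example.com";
        System.out.println(buildLogoutUri(endSession, op, sampleJwt(op), returnTo, "s-4f2a"));
        try {
            buildLogoutUri(endSession, op, sampleJwt("internal-app-issuer"), returnTo, "s-4f2a");
        } catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

The `state` value is fixed here only so the sample is reproducible; a deployment would generate it per request and check it when the OP redirects back.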