[ https://issues.apache.org/jira/browse/NIFI-10177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642095#comment-17642095 ]

ASF subversion and git services commented on NIFI-10177:
--------------------------------------------------------

Commit fba7b4dd265f5ad4d2d4b63b8e4358f5dceef5e9 in nifi's branch 
refs/heads/support/nifi-1.19 from Emilio Setiadarma
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=fba7b4dd26 ]

NIFI-10177: Implemented ID token logout and revoke access token logout for NiFi 
Registry when using OIDC/OAuth 2.0 providers
NIFI-10177: Addressed latest PR reviews. Reworded comments in the logout 
endpoint, use nifi registry properties to configure HTTP client timeouts for 
OIDC logout request, used NiFiUserUtils.getNiFiUserIdentity to retrieve 
identity used to delete the key

Signed-off-by: Nathan Gough <[email protected]>

This closes #6637.


> Nifi Registry logout via OIDC
> -----------------------------
>
>                 Key: NIFI-10177
>                 URL: https://issues.apache.org/jira/browse/NIFI-10177
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.16.3
>            Reporter: kim myungwon
>            Assignee: Emilio Setiadarma
>            Priority: Major
>             Fix For: 1.20.0, 1.19.1
>
>         Attachments: image-2022-06-29-12-41-52-164.png, 
> image-2022-06-29-12-42-48-430.png, image-2022-06-29-12-43-25-441.png, 
> image-2022-06-29-12-43-48-726.png
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> I am trying to log in and log out via OIDC.
> Login via OIDC works well, but *logout via OIDC is not working.*
>  
> When I log out, NiFi Registry shows a "Please contact your System 
> Administrator." error message.
> !image-2022-06-29-12-41-52-164.png|width=1134,height=213!
>  
> nifi-registry-app.log (debug level)
> {code:java}
> 022-06-29 13:32:35,691 DEBUG [NiFi Registry Web Server-15] 
> o.a.nifi.registry.db.DatabaseKeyService Deleting key with identity='myungwon'.
> 2022-06-29 13:32:35,697 INFO [NiFi Registry Web Server-15] 
> o.a.n.r.w.s.a.jwt.JwtService Deleted token from database.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using 
> X509IdentityProvider
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in 
> request.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using 
> JwtIdentityProvider
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not 
> present. Not attempting to extract credentials for authentication.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous 
> SecurityContext
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check 
> is not required for this HTTP Method on this resource. Allowing request to 
> proceed. An additional authorization check might be performed downstream of 
> this filter.
> 2022-06-29 13:32:35,799 INFO [NiFi Registry Web Server-21] 
> o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: 
> Kerberos service ticket login not supported by this NiFi Registry. Returning 
> Conflict response.
> 2022-06-29 13:32:35,799 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.m.IllegalStateExceptionMapper
> java.lang.IllegalStateException: Kerberos service ticket login not supported 
> by this NiFi Registry
>         at 
> org.apache.nifi.registry.web.api.AccessResource.createAccessTokenUsingKerberosTicket(AccessResource.java:348)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
>         at 
> org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at 
> org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using 
> X509IdentityProvider
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in 
> request.
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using 
> JwtIdentityProvider
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not 
> present. Not attempting to extract credentials for authentication.
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous 
> SecurityContext
> 2022-06-29 13:32:35,866 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check 
> is not required for this HTTP Method on this resource. Allowing request to 
> proceed. An additional authorization check might be performed downstream of 
> this filter.
> 2022-06-29 13:32:35,869 INFO [NiFi Registry Web Server-21] 
> o.a.n.r.w.m.IllegalArgumentExceptionMapper 
> java.lang.IllegalArgumentException: The login request identifier was not 
> found in the request. Unable to continue.. Returning Bad Request response.
> 2022-06-29 13:32:35,870 DEBUG [NiFi Registry Web Server-21] 
> o.a.n.r.w.m.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: The login request identifier was not 
> found in the request. Unable to continue.
>         at 
> org.apache.nifi.registry.web.api.AccessResource.oidcExchange(AccessResource.java:674)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
>         at 
> org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at 
> org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
>         at 
> org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
>         at 
> org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
>         at org.glassfish.jersey{code}
>  
> When I checked Keycloak, the login event is good.
> !image-2022-06-29-12-42-48-430.png|width=448,height=302!
> The Keycloak client is configured.
> !image-2022-06-29-12-43-25-441.png!
> !image-2022-06-29-12-43-48-726.png!
>  
> NiFi Registry is configured with OIDC authentication.
> *nifi-registry.properties*
> #OIDC #
> nifi.registry.security.user.oidc.discovery.url=http://wonpc01:31234/auth/realms/won/.well-known/openid-configuration
> nifi.registry.security.user.oidc.connect.timeout=5 secs
> nifi.registry.security.user.oidc.read.timeout=5 secs
> nifi.registry.security.user.oidc.client.id=registry
> nifi.registry.security.user.oidc.client.secret=VDumhSZFbtIKAJ0wYoF81GrIqCtdlhk0
> nifi.registry.security.user.oidc.preferred.jwsalgorithm=
> nifi.registry.security.user.oidc.claim.identifying.user=preferred_username
>  
> Logout from NiFi and other services does not have this bug when I use this 
> Keycloak.
> Thank you.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
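
The commit message above names two provider-side logout mechanisms, ID token logout and access token revocation. The sketch below is an added example, not NiFi Registry's code: it builds the request for each from OIDC discovery metadata, following OIDC RP-Initiated Logout and RFC 7009. The `plan_logout` name, the preference order, the HTTPS check and the sample endpoints are assumptions of this example.

```python
import base64
from urllib.parse import quote_plus, urlencode, urlsplit

# Constructed discovery metadata (sample values, not the reporter's Keycloak).
DISCOVERY = {
    "end_session_endpoint": "https://idp.example/realms/demo/logout",
    "revocation_endpoint": "https://idp.example/realms/demo/revoke",
}

def _require_https(url):
    # Assumption of this example: tokens are only sent to HTTPS endpoints.
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")
    return url

def plan_logout(discovery, *, id_token=None, access_token=None, client_id,
                client_secret, post_logout_redirect_uri, state):
    """Describe the request that ends the session at the identity provider."""
    end_session = discovery.get("end_session_endpoint")
    revocation = discovery.get("revocation_endpoint")
    if end_session and id_token:
        # Front channel: the browser is redirected and carries the IdP cookie.
        query = urlencode({
            "id_token_hint": id_token,
            "post_logout_redirect_uri": post_logout_redirect_uri,
            "state": state,
        })
        return {"kind": "id_token_logout", "method": "GET",
                "url": f"{_require_https(end_session)}?{query}"}
    if revocation and access_token:
        # Back channel: a POST authenticated as the client (client_secret_basic).
        creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        basic = base64.b64encode(creds.encode()).decode()
        return {"kind": "revoke_access_token", "method": "POST",
                "url": _require_https(revocation),
                "headers": {"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode({"token": access_token,
                                   "token_type_hint": "access_token"})}
    # Neither endpoint/token pair is available: only the local key can go.
    return {"kind": "local_only"}
```

When the result is `local_only`, removing the local key (the `Deleted token from database` line in the log above) is the only effect, and the session at the identity provider stays active.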
