[
https://issues.apache.org/jira/browse/NIFI-4890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17678804#comment-17678804
]
Curtis W Ruck commented on NIFI-4890:
-------------------------------------
I tried digging into this a few months ago to make a PR. I'm fairly familiar
with OIDC implementations where you have a UI and an API. Where I ran into
problems is that the entire login initiation process is handled via the backend
nifi APIs through an OIDC confidential client. In all of my usages of OIDC,
the backend has always been a bearer-only client, and the UI has always been a
public client. This not only simplified configuration for refresh token usage,
but it separated lanes of responsibility. UI is responsible for initiating the
login and maintaining the tokens. The backend is only responsible for
validating the JWT on each request by checking the JWT's signature.
NIFI can't support the above process due to its custom authentication APIs,
none of which map to a modern authn/authz model via spring-security or servlet
filters.
I had talked with [~kdoran] 5 years ago about what AuthN/AuthZ apis should look
like in a Nifi 2.0 architecture, but I haven't seen any movement on redesigning
them in the current version of NiFi.
Multiple courses of action to fix this IMHO.
1) the cheating solution (would work but defeats some of the OIDC/OpenID
purpose): just treat the JWT as valid for a `nifi.properties` configured time.
2) the better solution: Use the refresh cycle as nifi session lifespan, and
request new access tokens
Essentially the "easy" solution is to modify the Oidc components in Nifi to
remember the refresh token and update the access token... though honestly given
that Nifi creates a separate user session from the initial JWT, it's already
decoupling the authorization components... this improves on #1 but doesn't
really let the session expire properly without well thought through logic.
3) harder but closer to OIDC spec solution: modify the API authorization checks
to support "tokens" such as an Authorization header checking for Bearer/JWT
content and validating against the OIDC's signature. modify the UI to act as
an OIDC public client to provide the JWT on each request.
4) best solution: refactor NiFi's authentication and authorization process to
support authentication and authorization plugins at a higher level than the
current APIs, with injections into the UI to handle initial logins and
injecting headers per fetch.
Given how nifi's entire authorization logic is designed around being able to
query users from something like LDAP... everything that isn't LDAP based is
hampered by the nifi-specific higher level APIs.
> OIDC Token Refresh is not done correctly
> ----------------------------------------
>
> Key: NIFI-4890
> URL: https://issues.apache.org/jira/browse/NIFI-4890
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 1.5.0
> Environment: Environment:
> Browser: Chrome / Firefox
> Configuration of NiFi:
> - SSL certificate for the server (no client auth)
> - OIDC configuration including end_session_endpoint (see the link
> https://auth.s.orchestracities.com/auth/realms/default/.well-known/openid-configuration)
>
> Reporter: Federico Michele Facca
> Assignee: David Handermann
> Priority: Major
> Attachments: image-2022-10-20-12-23-38-675.png
>
>
> It looks like the NIFI UI is not refreshing the OIDC token in background, and
> because of that, when the token expires, tells you that your session is
> expired, and you need to refresh the page to get a new token.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)