[ 
https://issues.apache.org/jira/browse/NIFI-4890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17678828#comment-17678828
 ] 

David Handermann commented on NIFI-4890:
----------------------------------------

Thanks for the detailed comment and analysis [~ruckc], that is a very good 
summary of the issues involved.

I agree that the current authentication and authorization architecture does not 
fit well with externalized providers, such as OIDC and SAML. I have reworked 
the internal JWT processing, and more recently refactored the SAML integration. 
Having refactored the JWT processing, I could see potential extension points to 
make the NiFi UI work as public OAuth2 client, as opposed to the current 
approach where the web application is a confidential OAuth2 client. As you 
noted, this would require both UI and server-side changes.

The current focus for NiFi 2.0 is technical debt reduction, so redesigning the 
authentication and authorization process is not part of the current plan for 
2.0. With the wide variety of authentication and authorization strategies 
available in NiFi, the ideal solution would provide a migration path that 
continues to support all of the current integration options.

With that background, something along the lines of option 2 seems like the best 
approach for now. This should eliminate some aspects of the existing 
custom code, while retaining the general approach of exchanging an OIDC Access 
Token for a NiFi JWT, and using the OIDC Refresh Token to obtain a new OIDC 
Access Token as needed. With this change in place, moving in the direction of 
option 3 seems like a good subsequent step.

> OIDC Token Refresh is not done correctly
> ----------------------------------------
>
>                 Key: NIFI-4890
>                 URL: https://issues.apache.org/jira/browse/NIFI-4890
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.5.0
>         Environment:
> Browser: Chrome / Firefox 
> Configuration of NiFi: 
> - SSL certificate for the server (no client auth) 
> - OIDC configuration including end_session_endpoint (see the link 
> https://auth.s.orchestracities.com/auth/realms/default/.well-known/openid-configuration)
>  
>            Reporter: Federico Michele Facca
>            Assignee: David Handermann
>            Priority: Major
>         Attachments: image-2022-10-20-12-23-38-675.png
>
>
> It looks like the NiFi UI is not refreshing the OIDC token in the background, and 
> because of that, when the token expires, it tells you that your session has 
> expired, and you need to refresh the page to get a new token.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)