[jira] [Commented] (NIFI-11252) OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry

Wed, 15 Mar 2023 13:42:12 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-11252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700858#comment-17700858
 ] 

ASF subversion and git services commented on NIFI-11252:
--------------------------------------------------------

Commit a60ac95bbcf2a705b79c6c13e89fc9c23a3bf63e in nifi's branch 
refs/heads/support/nifi-1.x from Ryan Van Den Bos
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=a60ac95bbc ]

NIFI-11252 Added OIDC Client Secret to sensitive Registry properties

This closes #7044

Signed-off-by: David Handermann <[email protected]>


> OIDC secret properties that are encrypted by default are not being decrypted 
> in Nifi Registry
> ---------------------------------------------------------------------------------------------
>
>                 Key: NIFI-11252
>                 URL: https://issues.apache.org/jira/browse/NIFI-11252
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.20.0
>            Reporter: Ryan
>            Priority: Major
>             Fix For: 1.21.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Since upgrading to 1.20.0 from 1.16.2 I have been getting the following 
> error: {{Unable to exchange authorization for ID token: An error occurred 
> while invoking the Token endpoint: Invalid client secret}} 
> In version 1.20.0 {{nifi.registry.security.user.oidc.client.secret}} has been 
> added to the default [list of 
> properties|https://github.com/apache/nifi/blob/main/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/util/NiFiRegistryPropertiesEncryptor.groovy#L44]
>  that are encrypted by the Nifi Toolkit's property encryption tool, however, 
> it has not been added to the 
> [ProtectedNiFiRegistryProperties|https://github.com/apache/nifi/blob/main/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/ProtectedNiFiRegistryProperties.java#L54]
>  file which is used to read and decrypt these properties.
> This results in the encrypted string being passed to the OIDC provider 
> resulting in the error above.
> I have gotten around this issue for the time being by setting the following 
> property.
> {code:java}
> nifi.registry.sensitive.props.additional.keys=nifi.registry.security.user.oidc.client.secret
>  {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to