[
https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709938#comment-17709938
]
macdoor615 commented on NIFI-11409:
-----------------------------------
[~exceptionfactory] With exactly the same nifi.properties , keycloak
configuration and network configuration, Both NiFi 1.20.0/1.21.0 standalone
server and NiFI cluster 1.20.0 work fine
Here is OpenId configs in nifi.properties.
{code:java}
# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url=https://hb3-prod-lb-000:8943/realms/zznode/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=nifi.server
nifi.security.user.oidc.client.secret=xxxxxx
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.additional.scopes=openid,email
nifi.security.user.oidc.claim.identifying.user=
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.truststore.strategy=NIFI
{code}
Here is the JSON content of the OpenID Connect Discovery configuration.
{code:java}
{
"issuer": "https://36.133.55.100:8943/realms/zznode";,
"authorization_endpoint":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/auth";,
"token_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/token";,
"introspection_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/token/introspect";,
"userinfo_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/userinfo";,
"end_session_endpoint":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/logout";,
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/certs";,
"check_session_iframe":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/login-status-iframe.html";,
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:openid:params:grant-type:ciba"
],
"acr_values_supported": [
"0",
"1"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"userinfo_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"userinfo_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"request_object_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt"
],
"registration_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/clients-registrations/openid-connect";,
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"introspection_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"authorization_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": true,
"scopes_supported": [
"openid",
"profile",
"email",
"microprofile-jwt",
"phone",
"offline_access",
"roles",
"address",
"web-origins",
"acr"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/revoke";,
"revocation_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/auth/device";,
"backchannel_token_delivery_modes_supported": [
"poll",
"ping"
],
"backchannel_authentication_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/ext/ciba/auth";,
"backchannel_authentication_request_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512"
],
"require_pushed_authorization_requests": false,
"pushed_authorization_request_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/ext/par/request";,
"mtls_endpoint_aliases": {
"token_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/token";,
"revocation_endpoint":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/revoke";,
"introspection_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/token/introspect";,
"device_authorization_endpoint":
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/auth/device";,
"registration_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/clients-registrations/openid-connect";,
"userinfo_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/userinfo";,
"pushed_authorization_request_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/ext/par/request";,
"backchannel_authentication_endpoint":
"https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/ext/ciba/auth";
}
}
{code}
I can access revocation_endpoint
"https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/revoke"; from
browser.
!截屏2023-04-09 13.17.25.png|width=767,height=364!
> nifi cluster cannot logout with oidc authentication
> ---------------------------------------------------
>
> Key: NIFI-11409
> URL: https://issues.apache.org/jira/browse/NIFI-11409
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.21.0
> Environment: NiFi 1.21.0 cluster with 4 nodes
> openjdk version "11.0.18" 2023-01-17 LTS
> OpenJDK Runtime Environment (Red_Hat-11.0.18.0.10-1.el7_9) (build
> 11.0.18+10-LTS)
> OpenJDK 64-Bit Server VM (Red_Hat-11.0.18.0.10-1.el7_9) (build
> 11.0.18+10-LTS, mixed mode, sharing)
> Linux hb3-ifz-bridge-004 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10
> 16:21:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> Keycloak 20.0.2
> Reporter: macdoor615
> Priority: Major
> Attachments: 截屏2023-04-08 12.40.30.png, 截屏2023-04-09 13.17.25.png
>
>
> My NiFi 1.21.0 cluster has 4 nodes and using oidc authentication.
> I can log in properly, but when I click logout on webui, I got HTTP ERROR 503.
> !截屏2023-04-08 12.40.30.png|width=479,height=179!
> I also find 503 in nifi-request.log
>
> {code:java}
> 10.12.69.33 - - [08/Apr/2023:04:24:13 +0000] "GET
> /nifi-api/access/oidc/logout HTTP/1.1" 503 425
> "https://36.138.166.203:18088/nifi/"; "Mozilla/5.0 (Macintosh; Intel Mac OS X
> 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5
> Safari/605.1.15"{code}
>
> and WARNs in nifi-user.log, 36.133.55.100 is load balance's external IP. It
> can not be accessed in intra net.
>
> {code:java}
> 2023-04-08 12:24:43,511 WARN [NiFi Web Server-59]
> o.a.n.w.s.o.r.StandardTokenRevocationResponseClient Token Revocation Request
> processing failed
> org.springframework.web.client.ResourceAccessException: I/O error on POST
> request for
> "https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/revoke":
> connect timed out; nested exception is java.net.SocketTimeoutException:
> connect timed out
> at
> org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:791)
> at
> org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:666)
> at
> org.apache.nifi.web.security.oidc.revocation.StandardTokenRevocationResponseClient.getResponseEntity(StandardTokenRevocationResponseClient.java:81)
> at
> org.apache.nifi.web.security.oidc.revocation.StandardTokenRevocationResponseClient.getRevocationResponse(StandardTokenRevocationResponseClient.java:70)
> at
> org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler.processRefreshTokenRevocation(OidcLogoutSuccessHandler.java:181)
> at
> org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler.processLogoutRequest(OidcLogoutSuccessHandler.java:159)
> at
> org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler.onLogoutSuccess(OidcLogoutSuccessHandler.java:127)
> at
> org.apache.nifi.web.security.logout.StandardLogoutFilter.doFilterInternal(StandardLogoutFilter.java:62)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
> at
> org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
> at
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
> at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
> at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
> at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
> at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
> at
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
> at
> org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
> at
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
> at
> org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487)
> at
> org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
> at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336)
> at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301)
> at
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
> at
> org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
> at
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
> at
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
> at
> org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
> at
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
> at
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> at
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
> at
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
> at
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
> at
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at
> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
> at
> org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772)
> at
> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
> at
> org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at org.eclipse.jetty.server.Server.handle(Server.java:516)
> at
> org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
> at
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
> at
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
> at
> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
> at
> org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
> at
> org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
> at
> org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
> at
> org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
> at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: java.net.SocketTimeoutException: connect timed out
> at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
> at
> java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412)
> at
> java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:255)
> at
> java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:237)
> at
> java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.base/java.net.Socket.connect(Socket.java:609)
> at okhttp3.internal.platform.Platform.connectSocket(Platform.kt:128)
> at
> okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.kt:295)
> at
> okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:207)
> at
> okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
> at
> okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
> at
> okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
> at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
> at
> okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
> at
> okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
> at
> okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
> at
> okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
> at
> okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
> at
> okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
> at
> okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
> at
> okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
> at
> okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
> at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
> at
> org.springframework.http.client.OkHttp3ClientHttpRequest.executeInternal(OkHttp3ClientHttpRequest.java:73)
> at
> org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
> at
> org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:66)
> at
> org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:782)
> ... 78 common frames omitted 2023-04-08 12:24:43,512 INFO [NiFi Web
> Server-59] o.a.n.w.s.o.l.OidcLogoutSuccessHandler Identity
> [[email protected]] OIDC Refresh Token Revocation completed [HTTP 500]
> {code}
> I can logout properly on my standalone NiFi with the same oidc service and
> the same network config
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
