[
https://issues.apache.org/jira/browse/NIFI-11250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17728180#comment-17728180
]
David Handermann commented on NIFI-11250:
-----------------------------------------
Thanks for the reply [~benj_928381923], and the pointer back to the Keycloak
REST API reference, that is helpful.
Keycloak is certainly widely used, and with InvokeHTTP supporting such a wide
range of use cases, it seems like making an adjustment here would be warranted.
> InvokeHTTP drops the Body when using the DELETE method
> ------------------------------------------------------
>
> Key: NIFI-11250
> URL: https://issues.apache.org/jira/browse/NIFI-11250
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Benji Benning
> Assignee: David Handermann
> Priority: Major
>
> Today, InvokeHTTP drops the Body when the method used isn't PUT, POST, or
> PATCH (as stated in the documentation). RFC states that DELETE with body
> isn't generally used, but doesn't disallow it.
> In my case, I'm using InvokeHTTP to interact with Keycloak's Admin REST API.
> They use DELETE with body in quite a few cases. For example, in my specific
> use case:
> [https://www.keycloak.org/docs-api/21.0.1/rest-api/#_role_mapper_resource]
> (referring to: Delete realm-level role mappings)
> Additional information:
> {noformat}
> Although request message framing is independent of the method used, content
> received in a DELETE request has no generally defined semantics, cannot alter
> the meaning or target of the request, and might lead some implementations to
> reject the request and close the connection because of its potential as a
> request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT
> generate content in a DELETE request unless it is made directly to an origin
> server that has previously indicated, in or out of band, that such a request
> has a purpose and will be adequately supported. An origin server SHOULD NOT
> rely on private agreements to receive content, since participants in HTTP
> communication are often unaware of intermediaries along the request
> chain.{noformat}
> [https://www.rfc-editor.org/rfc/rfc9110.html#name-delete]
>
> During discussion with Otto Fowler, he stated that this is disabled in the
> [HTTPMethod
> enum|https://github.com/apache/nifi/blob/7a47c8cfbd458ab037275762c385d50372c130a3/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/http/HttpMethod.java].