Benoit Orihuela created NIFI-11880:
--------------------------------------
Summary: OIDC - Consents given by users are removed when logging out
Key: NIFI-11880
URL: https://issues.apache.org/jira/browse/NIFI-11880
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.22.0
Reporter: Benoit Orihuela
Hello,
I'm using NiFi 1.22.0 with OIDC enabled (backed by Keycloak as the IAM
solution).
I noticed that when a user logs out, there are explicit calls to revoke the
access token and the refresh token (if any) associated with the user. However,
when revoking an access token, Keycloak also removes the underlying
authorization grant and thus the user has to accept them again each time he
logs in.
I had a look at the OAuth 2.0 Token Revocation specification (and more
specifically https://datatracker.ietf.org/doc/html/rfc7009#section-2.1), and
it seems it is a compliant (but optional) behavior with respect to Keycloak:
"Depending on the authorization server's revocation policy, the revocation of a
particular token may cause the revocation of related tokens and the underlying
authorization grant"
So, I was wondering how it could be improved in NiFi. Could these calls to the
revocation endpoints be optional? Is there a better solution? (I may contribute
to this if needed)
Regards,
Benoit.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)