[ 
https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790251#comment-17790251
 ] 

David Handermann commented on NIFI-12418:
-----------------------------------------

Reference dev mailing list thread: 
https://lists.apache.org/thread/54tpom04nv526ql8zv91n7ll1wc24sdh

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
>                 Key: NIFI-12418
>                 URL: https://issues.apache.org/jira/browse/NIFI-12418
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 2.0.0-M1, 1.24.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application 
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity 
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information 
> supplied from an Identity Provider, passing the groups in the application 
> Bearer Token instead of persisting the groups in the local database 
> repository.
> As a result of these handling changes, the Identity Provider group membership 
> information is not retained when the OIDC Bearer Token Refresh Filter 
> generates a new token. In deployments where the configured User Group 
> Provider does not provide the group information, this behavior can result in 
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group 
> membership information from the new Identity Provider token.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to