[ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann updated NIFI-12418:
------------------------------------
    Status: Patch Available  (was: Open)

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
>                 Key: NIFI-12418
>                 URL: https://issues.apache.org/jira/browse/NIFI-12418
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 1.24.0, 2.0.0-M1
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: backport-needed
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application Bearer Tokens when NiFi is integrated with an OpenID Connect Identity Provider that supports the Refresh Token Grant Type.
>
> NiFi 1.23.0 introduced changes for handling group membership information supplied from an Identity Provider, passing the groups in the application Bearer Token instead of persisting the groups in the local database repository.
>
> As a result of these handling changes, the Identity Provider group membership information is not retained when the OIDC Bearer Token Refresh Filter generates a new token. In deployments where the configured User Group Provider does not provide the group information, this behavior can result in authorization failures after refreshing the token.
>
> The Bearer Token Refresh Filter should be corrected to retrieve group membership information from the new Identity Provider token.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
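The failure mode described in the issue, as an added Python model that is not NiFi code and not part of the original message: a refresh that reissues the application bearer token without groups, next to one that reads them from the new Identity Provider token. All function names, the `groups` claim name and the sample token are assumptions constructed for illustration.

```python
import base64
import json

GROUPS_CLAIM = "groups"  # assumed claim name; the real one is deployment-specific


def b64url(data: dict) -> str:
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Decode a JWT payload. Signature validation is out of scope here and
    must already have happened before the claims are trusted."""
    payload = id_token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_bearer(identity: str, groups: list) -> dict:
    """Model of the application bearer token: groups travel inside it."""
    return {"sub": identity, "groups": sorted(groups)}


def refresh_dropping_groups(old_bearer: dict, token_response: dict) -> dict:
    # Behaviour described in the issue: the refreshed token carries no groups.
    return issue_bearer(old_bearer["sub"], [])


def refresh_keeping_groups(old_bearer: dict, token_response: dict) -> dict:
    # Correction described in the issue: read groups from the new IdP token,
    # not from the old bearer token, so removals at the IdP take effect.
    claims = id_token_claims(token_response["id_token"])
    groups = claims.get(GROUPS_CLAIM, [])
    if isinstance(groups, str):  # tolerate a single string value
        groups = [groups]
    return issue_bearer(old_bearer["sub"], groups)


def authorized(bearer: dict, policy_groups: set) -> bool:
    # Models a deployment whose User Group Provider supplies no groups:
    # only the groups in the bearer token are consulted.
    return bool(policy_groups & set(bearer["groups"]))


# Constructed sample data (unsigned token, for illustration only).
HEADER = b64url({"alg": "none"})
PAYLOAD = b64url({"sub": "alice", GROUPS_CLAIM: ["flow-admins"]})
RESPONSE = {"id_token": f"{HEADER}.{PAYLOAD}."}
LOGIN = issue_bearer("alice", ["flow-admins"])
POLICY = {"flow-admins"}
```
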