[
https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-12418:
------------------------------------
Status: Patch Available (was: Open)
> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
> Key: NIFI-12418
> URL: https://issues.apache.org/jira/browse/NIFI-12418
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 1.24.0, 2.0.0-M1
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Labels: backport-needed
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information
> supplied from an Identity Provider, passing the groups in the application
> Bearer Token instead of persisting the groups in the local database
> repository.
> As a result of these handling changes, the Identity Provider group membership
> information is not retained when the OIDC Bearer Token Refresh Filter
> generates a new token. In deployments where the configured User Group
> Provider does not provide the group information, this behavior can result in
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group
> membership information from the new Identity Provider token.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
