[ https://issues.apache.org/jira/browse/NIFI-12550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17803843#comment-17803843 ]

David Handermann commented on NIFI-12550:
-----------------------------------------

Thanks for highlighting this issue and providing some reasons why it would be 
helpful to implement alternative flows [~imilavec].

I have been evaluating options in light of NIFI-5302, since the Client 
Credentials flow seems to be somewhat more commonly supported among OpenID 
Connect providers.

Based on the use cases you described, it seems like the Client Credentials 
flow, using a Client ID and Client Secret, would support programmatic access. 
With that background, is there a particular reason you are suggesting the 
Device Authorization Flow? It could also be supported in theory, if NiFi were 
to support token verification directly using information from an external 
identity provider, but I am just looking for some additional details on the 
proposed use case.

> Support OIDC Device Authorization Grant for API
> -----------------------------------------------
>
>                 Key: NIFI-12550
>                 URL: https://issues.apache.org/jira/browse/NIFI-12550
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 1.23.2
>         Environment: NiFi with OIDC provider configured
>            Reporter: Igor Milavec
>            Priority: Major
>
> Please add support for OIDC Device Authorization Grant. This is useful for 
> running scripts that access the NiFi API from the CLI. At this time the 
> options are:
>  # Copy the __Secure-Authorization-Bearer cookie from the browser session: not 
> really good practice, laborious and error-prone
>  # Enable mTLS: painful for the users, as the browser starts to frequently 
> challenge for the client cert, and even when it works fine, the client 
> certificate management process typically lags behind OIDC identity management
>  # Use passwords: insecure and prohibited by policy
> Having an API endpoint in the Access group that would allow the caller to 
> exchange OIDC id or refresh token for a NiFi session token would be perfect 
> for this use case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)