[
https://issues.apache.org/jira/browse/NIFI-12550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17803950#comment-17803950
]
Igor Milavec commented on NIFI-12550:
-------------------------------------
Thank you for your feedback. Considering what you wrote I believe we need to
consider two distinct scenarios:
1. Where someone wants to fully automate some process using the NiFi API; here some
   script would be scheduled and would run without user involvement in the
   background.
2. Where someone wants to have some utility scripts to perform some function
   through the NiFi API; this script would be run manually by the user. While we could
   use Client Credentials Grant for this scenario, this would involve management
   of additional long-lived credentials for every user (distribution, protection
   and rotation come into play); this is why I feel Device Authorization Grant
   would be more appropriate for this scenario as the user would log on using
   his/her regular credentials.
From the NiFi implementation side I believe these two scenarios are actually
equivalent: at the end of both Client Credentials Grant and Device
Authorization Grant flows the client/script is holding the OAuth2 id token.
NiFi would just need to provide the capability to exchange this id token for a
NiFi session token.
One possibility would be to allow the POST /access/token to alternatively
accept an OAuth2 id token, perform the same validation as
/access/oidc/callback/consumer does and create the session. Of course this
functionality would need to be opt-in from the configuration.
> Support OIDC Device Authorization Grant for API
> -----------------------------------------------
>
> Key: NIFI-12550
> URL: https://issues.apache.org/jira/browse/NIFI-12550
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.23.2
> Environment: NiFi with OIDC provider configured
> Reporter: Igor Milavec
> Priority: Major
>
> Please add support for OIDC Device Authorization Grant. This is useful for
> running scripts that access the NiFi API from the CLI. At this time the
> options are:
> 1. Copy the __Secure-Authorization-Bearer cookie from the browser session: not
>    really a good practice, work- and error-prone
> 2. Enable MTLS: painful for the users as the browser starts to frequently
>    challenge for the client cert, and even if it worked fine, the client
>    certificate management process is typically lagging behind OIDC identity
>    management
> 3. Use passwords: insecure and prohibited by policy
> Having an API endpoint in the Access group that would allow the caller to
> exchange OIDC id or refresh token for a NiFi session token would be perfect
> for this use case.
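As an added, offline illustration of the flow discussed in this thread (not code from NiFi or from the reporter): the RFC 8628 polling step a CLI script would run, followed by the proposed exchange of the resulting id token for a NiFi session token. The NiFi side of that exchange does not exist at the time of this issue, so its request and response shape are assumptions here, as are the idp.example and nifi.example hosts and the nifi-cli client id.

```python
import time
from typing import Any, Callable, Dict, List

Post = Callable[[str, Dict[str, str]], Dict[str, Any]]  # transport: (url, form) -> JSON dict
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def poll_for_tokens(post: Post, token_endpoint: str, client_id: str, device: Dict[str, Any],
                    sleep=time.sleep, clock=time.monotonic) -> Dict[str, Any]:
    # Poll the token endpoint until the user approves in the browser (RFC 8628 section 3.5):
    # authorization_pending -> keep polling; slow_down -> interval += 5 s; anything else -> abort.
    interval = int(device.get("interval", 5))
    deadline = clock() + int(device["expires_in"])
    while clock() < deadline:
        resp = post(token_endpoint, {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                     "device_code": device["device_code"]})
        err = resp.get("error")
        if err is None:
            return resp  # carries id_token (and access/refresh tokens)
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":
            raise PermissionError(f"device flow failed: {err}")
        sleep(interval)
    raise TimeoutError("device code expired before the user approved")

def exchange_for_nifi_session(post: Post, nifi_token_url: str, id_token: str) -> str:
    # Hypothetical request/response shape for the proposal: NiFi validates the id token
    # the way its OIDC callback does and returns a NiFi session token.
    resp = post(nifi_token_url, {"id_token": id_token})
    if "nifi_token" not in resp:
        raise ValueError("NiFi did not return a session token")
    return resp["nifi_token"]

def demo() -> Dict[str, Any]:
    # Offline run against a constructed fake IdP and fake NiFi; `device` is a constructed
    # device authorization response (device_code, user_code, verification_uri, ...).
    device = {"device_code": "dc-1", "user_code": "WDJB-MJHT", "interval": 5,
              "verification_uri": "https://idp.example/device", "expires_in": 600}
    replies = iter([{"error": "authorization_pending"}, {"error": "slow_down"},
                    {"error": "authorization_pending"}, {"id_token": "ID.TOKEN"}])
    sleeps: List[int] = []

    def post(url: str, form: Dict[str, str]) -> Dict[str, Any]:
        if "idp.example" in url:
            return next(replies)
        return {"nifi_token": "nifi-session-for-" + form["id_token"]}

    tokens = poll_for_tokens(post, "https://idp.example/token", "nifi-cli", device,
                             sleep=sleeps.append, clock=lambda: 0.0)
    nifi = exchange_for_nifi_session(post, "https://nifi.example/nifi-api/access/token", tokens["id_token"])
    return {"user_code": device["user_code"], "sleeps": sleeps, "nifi_token": nifi}
```

The fake provider answers pending, slow_down, pending, then success, so the recorded sleeps show the interval growing from 5 s to 10 s as the RFC requires.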