[ 
https://issues.apache.org/jira/browse/NIFI-12550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17813964#comment-17813964
 ] 

David Handermann commented on NIFI-12550:
-----------------------------------------

Thanks for the reply [~imilavec], it was helpful to outline the two scenarios 
as you described.

I agree that from an implementation standpoint, it should be possible to 
support both use cases with a single set of changes.

I have started evaluating changes for NIFI-5302, allowing NiFi to accept Access 
Tokens signed by a configured and trusted Identity Provider. ID Tokens are not 
intended for authentication purposes, but allowing NiFi to accept and verify 
Access Tokens directly  would support both Client Credentials and Device Grant 
Types, subject to Identity Provider configuration. This approach would allow 
NiFi to function similarly to standard OIDC integration scenarios, while 
continuing to support Application Bearer Tokens that NiFi itself uses for other 
types of authentication strategies.

I will follow up in the future when I have a potential solution ready.

> Support OIDC Device Authorization Grant for API
> -----------------------------------------------
>
>                 Key: NIFI-12550
>                 URL: https://issues.apache.org/jira/browse/NIFI-12550
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 1.23.2
>         Environment: NiFi with OIDC provider configured
>            Reporter: Igor Milavec
>            Priority: Major
>
> Please add support for OIDC Device Authorization Grant. This is useful for 
> running scripts that access the NiFi API from the CLI. At this time the 
> options are:
>  1. Copy the __Secure-Authorization-Bearer cookie from the browser session: 
> not really good practice, laborious and error-prone
>  2. Enable mTLS: painful for users, as the browser starts frequently 
> challenging for the client certificate, and even if it worked fine, the client 
> certificate management process typically lags behind OIDC identity management
>  3. Use passwords: insecure and prohibited by policy
> Having an API endpoint in the Access group that would allow the caller to 
> exchange an OIDC ID or refresh token for a NiFi session token would be perfect 
> for this use case.
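An added worked example, not part of the Jira thread and not NiFi project code, covering both halves discussed above: the RFC 8628 device-grant polling a CLI script would do to obtain an Access Token (the flow the issue requests), and the checks a resource server such as NiFi would need before trusting an Access Token signed by a configured Identity Provider (the approach the comment outlines). All names are hypothetical. The token endpoint is a function parameter rather than an HTTP call so the code runs offline, the IdP signing key is generated in-process as a stand-in for the public key NiFi would fetch from the IdP's JWKS endpoint, and EdDSA is used to keep the example short; most IdPs default to RS256, for which only the sign and verify calls differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TokenResponse is the part of the IdP token endpoint reply the device-grant client acts on.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
}

// PollForToken is the client half of RFC 8628 (section 3.5). poll stands in for one POST to
// the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code (a
// hypothetical seam; a real CLI script sends it with net/http after showing the user_code).
// Retry on authorization_pending, add 5 s on slow_down, stop on any other error.
func PollForToken(poll func(deviceCode string) TokenResponse, deviceCode string, interval, maxPolls int, sleep func(time.Duration)) (string, error) {
	for i := 0; i < maxPolls; i++ {
		resp := poll(deviceCode)
		switch resp.Error {
		case "":
			if resp.AccessToken == "" {
				return "", fmt.Errorf("token endpoint returned no access_token")
			}
			return resp.AccessToken, nil
		case "authorization_pending": // the user has not approved the user_code yet
		case "slow_down":
			interval += 5
		default: // access_denied, expired_token, invalid_grant ...
			return "", fmt.Errorf("device grant failed: %s", resp.Error)
		}
		sleep(time.Duration(interval) * time.Second) // injected so the example runs instantly
	}
	return "", fmt.Errorf("gave up polling for device grant")
}

// Claims are the registered claims NiFi would check. aud is a string here; RFC 7519 also allows an array.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewIdPKey is a constructed stand-in for the IdP signing key (NiFi would read the public half from the IdP's JWKS).
func NewIdPKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// MintToken plays the IdP: a compact JWS with alg EdDSA (RFC 8037); typ at+jwt marks an access token, not an ID token.
func MintToken(priv ed25519.PrivateKey, claims Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "at+jwt"})
	body, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(body)
	return input + "." + b64url(ed25519.Sign(priv, []byte(input)))
}

// VerifyAccessToken is the resource-server half: pin the algorithm, verify the signature
// with the IdP public key, and only then trust issuer, audience and expiry.
func VerifyAccessToken(pub ed25519.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("rejecting alg %q: only EdDSA is accepted", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("signature does not verify against the IdP key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token not issued for this audience")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}
```

The audience check is what separates an Access Token from an ID Token here: an ID Token carries the requesting client's client_id in aud, so a verifier that insists on the NiFi API's own audience refuses it, and typ at+jwt (RFC 9068) makes the distinction explicit in the header. A real CLI client should additionally stop polling once the device_code's expires_in has elapsed, and a real verifier must look the signing key up by the header's kid in the IdP's JWKS rather than hold a single key.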



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
