exceptionfactory commented on PR #8532: URL: https://github.com/apache/nifi/pull/8532#issuecomment-2007489198
> Thanks @exceptionfactory that makes sense! Can you share some details on how this can be leveraged as-is? Trying to understand how this can be tested and how this improvement would be used with NiFi deployments.

Sure, good question. The exact details vary between Identity Providers, but the basic process for exercising this new capability is as follows:

1. Configure an Application Client on the Identity Provider, enabled for the Client Credentials Grant Type
2. Get the Client ID and Client Secret values associated with the Application Client from the Identity Provider
3. Make an HTTP request to the Identity Provider requesting an Access Token using the Client ID and Client Secret values
4. Make an HTTP request to the NiFi REST API using the `access_token` value returned and passing it to NiFi using the `Authorization` header with the `Bearer` scheme

The first two steps are specific to the Identity Provider configured. Step 3 is from the OAuth 2 specification for Client Credentials as described in [RFC 6749 Section 4.4.2](https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2). Step 4 uses existing NiFi REST API handling with the HTTP `Authorization` header.

Here are some concrete examples for several Identity Providers on how to configure a Client Credentials Grant Flow:

- [Okta Client Credentials Flow](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/#client-credentials-flow)
- [AWS Cognito Token Endpoint for Client Credentials](https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html#post-token-positive-exchanging-client-credentials-for-an-access-token)

Step 3 could be part of future enhancements to the NiFi CLI. For example, with an OpenID Connect Discovery URL, a Client ID, and a Client Secret, the NiFi CLI could make a request for an Access Token and then make a request to the NiFi REST API with the customized Authorization header.
As a way to test this using NiFi itself, the [StandardOauth2AccessTokenProvider](https://nifi.apache.org/documentation/nifi-2.0.0-M2/components/org.apache.nifi/nifi-oauth2-provider-nar/2.0.0-M2/org.apache.nifi.oauth2.StandardOauth2AccessTokenProvider/index.html) could be configured with the `Client Credentials` Grant Type, and InvokeHTTP could be used to invoke NiFi REST API methods. This would be worth a blog post at some point, but hopefully this provides sufficient background.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
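Steps 3 and 4 of the procedure described in the comment above, written out as an added example that is not part of the PR or the NiFi project: the token request follows RFC 6749 Section 4.4.2 with the client authenticating via HTTP Basic (RFC 6749 Section 2.3.1), the token response is checked before its `access_token` is trusted, and the NiFi call carries `Authorization: Bearer <token>`. The Identity Provider URL, NiFi URL, client credentials and the sample token response are constructed placeholders; the `/nifi-api/flow/about` path is assumed as a representative read-only NiFi REST endpoint.

```python
"""Client Credentials Grant exchange followed by a NiFi REST API call.

Added example, not NiFi project code. Every URL and credential below is a
constructed placeholder; nothing is sent unless send() is called explicitly.
"""
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(token_url: str, client_id: str, client_secret: str) -> dict:
    """Step 3: RFC 6749 Section 4.4.2 token request.

    The client id and secret go in an HTTP Basic Authorization header
    (RFC 6749 Section 2.3.1, form-urlencoded before base64), so the secret
    never appears in the request body or in server query logs.
    """
    credentials = "{}:{}".format(
        urllib.parse.quote(client_id, safe=""),
        urllib.parse.quote(client_secret, safe=""),
    )
    basic = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return {
        "url": token_url,
        "method": "POST",
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urllib.parse.urlencode({"grant_type": "client_credentials"}),
    }


def extract_access_token(token_response: str) -> str:
    """Validate the RFC 6749 Section 5.1 token response and return access_token.

    Error responses and non-Bearer token types are rejected rather than
    forwarded to NiFi, so a misconfigured provider fails loudly here.
    """
    payload = json.loads(token_response)
    if "error" in payload:
        raise ValueError(f"token endpoint returned error: {payload['error']}")
    token = payload.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type: {payload.get('token_type')!r}")
    return token


def build_nifi_request(nifi_base_url: str, path: str, access_token: str) -> dict:
    """Step 4: NiFi REST API request using the Bearer scheme (RFC 6750 Section 2.1)."""
    return {
        "url": nifi_base_url.rstrip("/") + "/nifi-api/" + path.lstrip("/"),
        "method": "GET",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        },
    }


def send(request: dict) -> str:
    """Send one of the request dicts above over HTTPS and return the body as text."""
    body = request.get("body", "").encode("utf-8") or None
    req = urllib.request.Request(
        request["url"], data=body, headers=request["headers"], method=request["method"]
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of what a provider returns for a successful exchange.
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"access_token": "constructed.sample.token", "token_type": "Bearer", "expires_in": 3600}
)


def demo() -> dict:
    """Run the flow offline: build the token request, parse the constructed
    token response, and build the NiFi request that would follow."""
    token_request = build_token_request(
        "https://idp.example/oauth2/v1/token", "nifi-client-id", "nifi-client-secret"
    )
    # With a real provider: token_response = send(token_request)
    access_token = extract_access_token(SAMPLE_TOKEN_RESPONSE)
    return build_nifi_request("https://nifi.example:8443/", "flow/about", access_token)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real deployment, replace the placeholders and call `send(build_token_request(...))` in place of the constructed response, then `send(build_nifi_request(...))`; the same two requests are what the NiFi CLI enhancement sketched above would perform.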
