Christof Dilcher created NIFI-14806:
---------------------------------------
Summary: General Cookie Timeout causes OIDC Authentication to fail
when user login takes longer than 60 seconds (e.g when asked for 2FA)
Key: NIFI-14806
URL: https://issues.apache.org/jira/browse/NIFI-14806
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 2.5.0
Reporter: Christof Dilcher
When authenticating with NiFi using OIDC, a timeout of the login session occurs
at 60 seconds, causing the user to see an error in the browser: "Unauthorized
error="authorization_request_not_found"".
This can occur when, e.g., the user is asked to present a 2nd factor which takes
some time to create.
The root cause seems to be a cookie set at
[https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/client/web/StandardAuthorizationRequestRepository.java#L96]
expiring after 60 seconds before the login flow is finished.
{code:java}
applicationCookieService.addCookie(resourceUri, response,
        ApplicationCookieName.OIDC_REQUEST_IDENTIFIER, identifier);
{code}
This cookie timeout seems to be hardcoded at
[https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/StandardApplicationCookieService.java#L42]
{code:java}
private static final Duration MAX_AGE_STANDARD = Duration.ofSeconds(60);
{code}
Our suggested fix would be to either
# Make the general max age for NiFi cookies configurable, or
# Make the cookie max age overridable by overloading the addCookie method and
adding a timeout parameter, then providing that parameter using a configurable
timeout in the OIDC login flow, or
# both.
If needed, we can provide one of our engineers to supply a pull request for
this issue.
Thank you!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
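As an added, stand-alone illustration of the second suggestion in the issue (an addCookie overload that takes a max age, with the OIDC flow supplying a configurable value), not code from the NiFi project or from the reporter: the existing three-argument call keeps the 60 second default, while the new overload lets the authorization-request repository outlive a slow second-factor prompt. Class, method, cookie and property names, the stand-in response type and the Set-Cookie attributes are assumptions made for this example.

```java
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CookieMaxAgeExample {

    /** Stand-in for the servlet response (assumption): collects Set-Cookie header values. */
    static final class HeaderSink {
        final List<String> setCookie = new ArrayList<>();
        void addHeader(String name, String value) {
            if ("Set-Cookie".equalsIgnoreCase(name)) setCookie.add(value);
        }
    }

    /** Sketch of a cookie service with a default max age plus a caller-supplied override. */
    static final class StandardApplicationCookieService {
        /** General default, the 60 s the issue points at; other cookies keep using it. */
        static final Duration MAX_AGE_STANDARD = Duration.ofSeconds(60);

        /** Existing shape of the call: unchanged behaviour for all current callers. */
        void addCookie(HeaderSink response, String name, String value) {
            addCookie(response, name, value, MAX_AGE_STANDARD);
        }

        /** Proposed overload: the caller decides how long the cookie may live. */
        void addCookie(HeaderSink response, String name, String value, Duration maxAge) {
            Objects.requireNonNull(maxAge, "maxAge");
            if (maxAge.isNegative() || maxAge.isZero()) {
                throw new IllegalArgumentException("maxAge must be positive: " + maxAge);
            }
            // Attributes chosen for the example: the identifier cookie has to be sent on the
            // top-level redirect back from the identity provider, which SameSite=Lax permits
            // and SameSite=Strict would block.
            String header = name + "=" + value
                    + "; Path=/; Max-Age=" + maxAge.getSeconds()
                    + "; Secure; HttpOnly; SameSite=Lax";
            response.addHeader("Set-Cookie", header);
        }
    }

    /** Stand-in for the OIDC authorization request repository (assumption). */
    static final class AuthorizationRequestRepository {
        static final String OIDC_REQUEST_IDENTIFIER = "oidc-request-identifier"; // assumed name
        private final StandardApplicationCookieService cookies;
        private final Duration requestTimeout;

        AuthorizationRequestRepository(StandardApplicationCookieService cookies, Duration requestTimeout) {
            this.cookies = cookies;
            this.requestTimeout = requestTimeout;
        }

        /** Saves the request identifier with the configured timeout instead of the 60 s default. */
        void saveAuthorizationRequest(HeaderSink response, String identifier) {
            cookies.addCookie(response, OIDC_REQUEST_IDENTIFIER, identifier, requestTimeout);
        }
    }

    /** Reads the OIDC timeout in seconds from a property (property name is an assumption). */
    static Duration configuredOidcRequestTimeout(Properties props) {
        String raw = props.getProperty("nifi.security.user.oidc.request.timeout.seconds",
                String.valueOf(StandardApplicationCookieService.MAX_AGE_STANDARD.getSeconds()));
        return Duration.ofSeconds(Long.parseLong(raw.trim()));
    }

    /** Extracts Max-Age from a Set-Cookie header so the effect can be checked. */
    static long maxAgeOf(String setCookieHeader) {
        Matcher m = Pattern.compile("(?i)Max-Age=(\\d+)").matcher(setCookieHeader);
        if (!m.find()) throw new IllegalStateException("no Max-Age in: " + setCookieHeader);
        return Long.parseLong(m.group(1));
    }

    public static void main(String[] args) {
        StandardApplicationCookieService service = new StandardApplicationCookieService();

        // An ordinary cookie still gets the standard 60 s.
        HeaderSink plain = new HeaderSink();
        service.addCookie(plain, "some-other-cookie", "abc");
        System.out.println("standard cookie Max-Age: " + maxAgeOf(plain.setCookie.get(0))); // 60

        // The OIDC flow reads a constructed configuration allowing five minutes for 2FA.
        Properties props = new Properties();
        props.setProperty("nifi.security.user.oidc.request.timeout.seconds", "300");
        AuthorizationRequestRepository repo =
                new AuthorizationRequestRepository(service, configuredOidcRequestTimeout(props));
        HeaderSink oidc = new HeaderSink();
        repo.saveAuthorizationRequest(oidc, "request-id-1234");
        System.out.println("OIDC cookie Max-Age: " + maxAgeOf(oidc.setCookie.get(0))); // 300
    }
}
```

The overload keeps the existing three-argument signature intact, so only the OIDC repository changes behaviour; the positive-duration check prevents a misconfigured zero or negative value from silently producing an immediately expiring cookie, which would reproduce the same authorization_request_not_found failure.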