[
https://issues.apache.org/jira/browse/NIFI-14806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christof Dilcher updated NIFI-14806:
------------------------------------
Description:
When authenticating with NiFi using OIDC, a timeout of the login session occurs
at 60 seconds, causing the user to see an error in the browser: "Unauthorized
error="authorization_request_not_found"".
This can occur when, e.g., the user is asked to present a 2nd factor which takes
some time to create.
The root cause seems to be a cookie set at
[https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/client/web/StandardAuthorizationRequestRepository.java#L96]
expiring after 60 seconds before the login flow is finished.
{code:java}
applicationCookieService.addCookie(resourceUri, response,
ApplicationCookieName.OIDC_REQUEST_IDENTIFIER, identifier); {code}
This cookie timeout seems to be hardcoded at
[https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi[…]/nifi/web/security/cookie/StandardApplicationCookieService.java|https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/StandardApplicationCookieService.java#L42]
{code:java}
private static final Duration MAX_AGE_STANDARD = Duration.ofSeconds(60); {code}
Our suggested fix would be to either
# Make the general max age for NiFi cookies configurable or
# Make the cookie max age overridable by overloading the addCookie method and
adding a timeout parameter, then providing that parameter using a configurable
timeout in the OIDC login flow or
# both
If needed, we can provide one of our engineers to supply a pull request for
this issue.
Thank you!
was:
When authenticating with NiFi using OIDC, a timeout of the login session occurs
at 60 seconds, causing the user to see an error in the browser: "Unauthorized
error="authorization_request_not_found"".
This can occur when, e.g., the user is asked to present a 2nd factor which takes
some time to create.
The root cause seems to be a cookie set at
[https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/client/web/StandardAuthorizationRequestRepository.java#L96]
expiring after 60 seconds before the login flow is finished.
{code:java}
applicationCookieService.addCookie(resourceUri, response,
ApplicationCookieName.OIDC_REQUEST_IDENTIFIER, identifier); {code}
This cookie timeout seems to be hardcoded at
[https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi[…]/nifi/web/security/cookie/StandardApplicationCookieService.java|https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/StandardApplicationCookieService.java#L42]
{code:java}
private static final Duration MAX_AGE_STANDARD = Duration.ofSeconds(60); {code}
Our suggested fix would be to either # Make the general max age for NiFi
cookies configurable or
# Make the cookie max age overridable by overloading the addCookie method and
adding a timeout parameter, then providing that parameter using a configurable
timeout in the OIDC login flow or
# both
If needed, we can provide one of our engineers to supply a pull request for
this issue.
Thank you!
> General Cookie Timeout causes OIDC Authentication to fail when user login
> takes longer than 60 seconds (e.g when asked for 2FA)
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-14806
> URL: https://issues.apache.org/jira/browse/NIFI-14806
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 2.5.0
> Reporter: Christof Dilcher
> Priority: Major
>
> When authenticating with NiFi using OIDC, a timeout of the login session
> occurs at 60 seconds, causing the user to see an error in the browser:
> "Unauthorized error="authorization_request_not_found"".
> This can occur when, e.g., the user is asked to present a 2nd factor which
> takes some time to create.
> The root cause seems to be a cookie set at
> [https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/client/web/StandardAuthorizationRequestRepository.java#L96]
> expiring after 60 seconds before the login flow is finished.
> {code:java}
> applicationCookieService.addCookie(resourceUri, response,
> ApplicationCookieName.OIDC_REQUEST_IDENTIFIER, identifier); {code}
> This cookie timeout seems to be hardcoded at
> [https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi[…]/nifi/web/security/cookie/StandardApplicationCookieService.java|https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/StandardApplicationCookieService.java#L42]
> {code:java}
> private static final Duration MAX_AGE_STANDARD = Duration.ofSeconds(60);
> {code}
> Our suggested fix would be to either
> # Make the general max age for NiFi cookies configurable or
> # Make the cookie max age overridable by overloading the addCookie method
> and adding a timeout parameter, then providing that parameter using a
> configurable timeout in the OIDC login flow or
> # both
>
> If needed, we can provide one of our engineers to supply a pull request for
> this issue.
> Thank you!
>
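The failure mode described in the report, as an added illustration that is not NiFi code and not the reporter's: the browser drops the authorization-request cookie once its Max-Age elapses, so when the identity provider redirects back after a slow second-factor prompt the server can no longer look up the saved request and answers with the same "authorization_request_not_found" condition. The cookie name, the `CookieJar` and `AuthorizationRequestRepository` classes and the injected clock are assumptions made for the example; the 60-second value is the one the report cites. The second scenario shows what the suggested fix amounts to: the cookie lifetime passed in as a configurable value rather than a fixed constant.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added illustration for NIFI-14806; not NiFi code. Models the browser cookie
 * that keys the saved OIDC authorization request, using an injectable clock so
 * the hard-coded 60-second lifetime and a configurable one can be compared.
 */
public class OidcRequestCookieDemo {

    /** Hypothetical cookie name; NiFi's real name lives in ApplicationCookieName. */
    static final String REQUEST_ID_COOKIE = "oidc-request-identifier";

    /** Browser-side cookie jar: a cookie is dropped once its Max-Age has elapsed. */
    static final class CookieJar {
        private final Map<String, String> values = new HashMap<>();
        private final Map<String, Instant> expiries = new HashMap<>();

        void add(String name, String value, Duration maxAge, Instant now) {
            values.put(name, value);
            expiries.put(name, now.plus(maxAge));
        }

        Optional<String> get(String name, Instant now) {
            Instant expiry = expiries.get(name);
            if (expiry == null || !now.isBefore(expiry)) {
                return Optional.empty();   // expired: the browser never sends it
            }
            return Optional.of(values.get(name));
        }
    }

    /** Server side: pending authorization requests keyed by the cookie's identifier. */
    static final class AuthorizationRequestRepository {
        private final Map<String, String> pending = new HashMap<>();
        private final Duration cookieMaxAge;   // the knob the report asks to make configurable

        AuthorizationRequestRepository(Duration cookieMaxAge) {
            this.cookieMaxAge = cookieMaxAge;
        }

        /** Called when redirecting the user to the identity provider. */
        void save(CookieJar jar, String identifier, String state, Instant now) {
            pending.put(identifier, state);
            jar.add(REQUEST_ID_COOKIE, identifier, cookieMaxAge, now);
        }

        /** Called on the callback; the request is consumed on first use. */
        String load(CookieJar jar, Instant now) {
            return jar.get(REQUEST_ID_COOKIE, now)
                    .map(pending::remove)
                    .orElseThrow(() -> new IllegalStateException("authorization_request_not_found"));
        }
    }

    /** Simulates one login where the identity provider round trip takes idpRoundTrip. */
    static boolean loginSucceeds(Duration cookieMaxAge, Duration idpRoundTrip) {
        Instant start = Instant.parse("2025-01-01T00:00:00Z");   // constructed clock origin
        CookieJar browser = new CookieJar();
        AuthorizationRequestRepository repo = new AuthorizationRequestRepository(cookieMaxAge);
        repo.save(browser, "req-1", "state-abc", start);
        try {
            return "state-abc".equals(repo.load(browser, start.plus(idpRoundTrip)));
        } catch (IllegalStateException e) {
            System.out.println("  -> " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Duration standard = Duration.ofSeconds(60);   // value cited in the report
        Duration slowMfa = Duration.ofSeconds(90);    // user fetching a second factor
        System.out.println("60s cookie, 90s login: " + loginSucceeds(standard, slowMfa));
        System.out.println("5m cookie, 90s login:  " + loginSucceeds(Duration.ofMinutes(5), slowMfa));
    }
}
```

Two design choices in the example are worth carrying into a real fix: the cookie carries only an opaque identifier, and the saved request is removed from the repository when it is loaded, so a longer cookie lifetime only widens the window in which an unfinished login can still complete, not the window in which a consumed request could be replayed. A configurable value should still be bounded to a few minutes rather than left open-ended, since every pending request has to be held server-side until it expires.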
--
This message was sent by Atlassian Jira
(v8.20.10#820010)