[ 
https://issues.apache.org/jira/browse/NIFI-14806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Villard updated NIFI-14806:
----------------------------------
    Fix Version/s: 2.6.0
       Resolution: Fixed
           Status: Resolved  (was: Patch Available)

> General Cookie Timeout causes OIDC Authentication to fail when user login 
> takes longer than 60 seconds (e.g. when asked for 2FA)
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-14806
>                 URL: https://issues.apache.org/jira/browse/NIFI-14806
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 2.5.0
>            Reporter: Christof Dilcher
>            Assignee: David Handermann
>            Priority: Minor
>             Fix For: 2.6.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When authenticating with NiFi using OIDC a timeout of the login session 
> occurs at 60 seconds causing the user to see an error in the browser 
> "Unauthorized error="authorization_request_not_found"".
> This can occur when e.g. the user is asked to present a 2nd factor which 
> takes some time to create.
> The root cause seems to be a cookie set at 
> [https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/client/web/StandardAuthorizationRequestRepository.java#L96]
>   expiring after 60 seconds before the login flow is finished.
> {code:java}
> applicationCookieService.addCookie(resourceUri, response, ApplicationCookieName.OIDC_REQUEST_IDENTIFIER, identifier);
> {code}
> This cookie timeout seems to be hardcoded at 
> [https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi[…]/nifi/web/security/cookie/StandardApplicationCookieService.java|https://github.com/apache/nifi/blob/main/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/cookie/StandardApplicationCookieService.java#L42]
> {code:java}
> private static final Duration MAX_AGE_STANDARD = Duration.ofSeconds(60); 
> {code}
> Our suggested fix would be to either
>  # Make the general max age for NiFi cookies configurable, or
>  # Make the cookie max age overridable by overloading the addCookie method 
> and adding a timeout parameter, then providing that parameter using a 
> configurable timeout in the OIDC login flow, or
>  # both
>  
> If desired, we can provide one of our engineers to supply a pull request for 
> this issue.
> Thank you!
>  

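The failure mode in the report, modelled as an added illustration (this is not NiFi or Spring Security code; the class and method names and the fake cookie jar are assumptions, only the 60-second default and the error string come from the issue): the pending authorization request is only reachable through the identifier carried in the browser cookie, so once the cookie's Max-Age passes, the callback cannot find it. The same model shows the report's second suggestion, a per-repository configurable max age.

```python
"""Cookie-bound OIDC authorization request lookup, as in NIFI-14806."""
from dataclasses import dataclass, field
import secrets

DEFAULT_MAX_AGE_SECONDS = 60  # MAX_AGE_STANDARD in the report


@dataclass
class BrowserCookieJar:
    """Minimal browser cookie jar that honours Max-Age against an injected clock."""
    now: float = 0.0
    cookies: dict = field(default_factory=dict)  # name -> (value, expires_at)

    def set(self, name, value, max_age):
        self.cookies[name] = (value, self.now + max_age)

    def get(self, name):
        entry = self.cookies.get(name)
        if entry is None or self.now >= entry[1]:
            self.cookies.pop(name, None)  # the browser silently drops an expired cookie
            return None
        return entry[0]


class AuthorizationRequestRepository:
    """Server side (hypothetical): pending requests keyed by the identifier that the
    browser carries in the OIDC_REQUEST_IDENTIFIER cookie; the max age is configurable
    here, which is what the report asks for."""
    COOKIE = "OIDC_REQUEST_IDENTIFIER"

    def __init__(self, max_age_seconds=DEFAULT_MAX_AGE_SECONDS):
        self.max_age_seconds = max_age_seconds
        self._pending = {}  # a real store must also expire these entries

    def save(self, jar, state):
        identifier = secrets.token_urlsafe(16)
        self._pending[identifier] = state
        jar.set(self.COOKIE, identifier, self.max_age_seconds)

    def remove(self, jar):
        identifier = jar.get(self.COOKIE)
        return None if identifier is None else self._pending.pop(identifier, None)


def complete_login(login_duration_seconds, cookie_max_age=DEFAULT_MAX_AGE_SECONDS):
    """Redirect to the IdP, spend login_duration_seconds there (e.g. on 2FA),
    then handle the callback. Returns the outcome the user would see."""
    jar = BrowserCookieJar()
    repo = AuthorizationRequestRepository(cookie_max_age)
    repo.save(jar, state="constructed-state-value")  # constructed sample state
    jar.now += login_duration_seconds
    if repo.remove(jar) is None:
        return 'Unauthorized error="authorization_request_not_found"'
    return "authenticated"
```

A longer max age keeps the state cookie usable for longer, so a deployment should choose the smallest value that covers the identity provider's second-factor step rather than removing the limit.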


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
