segad44 created NIFI-15141:
------------------------------

             Summary: OpenID Connect groups are not forwarded when proxying 
request to NiFi Registry
                 Key: NIFI-15141
                 URL: https://issues.apache.org/jira/browse/NIFI-15141
             Project: Apache NiFi
          Issue Type: Bug
          Components: NiFi API, NiFi Registry
    Affects Versions: 2.5.0, 2.4.0
         Environment: docker compose, Kubernetes
            Reporter: segad44


NiFi does not forward all of the user's identity information when proxying 
requests to NiFi Registry.
Because of this, NiFi Registry cannot correctly verify the user's permissions.

As a result, if only the OIDC user's group is declared on NiFi Registry, 
the user cannot start versioning a flow.

This issue was observed with the OIDC login provider (other providers were not tested).
h3. To reproduce

Tried with versions 2.4.0 and 2.5.0; with 2.6.0 another issue is blocking me at 
step `2.`

Basic OIDC setup:
1. Configure NiFi and NiFi Registry with OIDC
2. Declare the group `datascientist` on both NiFi and NiFi Registry and give it 
all user permissions
    a. NiFi: view, modify, operate the main process group + view the controller
    b. NiFi Registry: can manage bucket
3. On the IdP, create the user `user-a` in the group `datascientist`

At this point, everything works as expected: the user can access NiFi 
and NiFi Registry with the correct permissions.

Now, associate NiFi with NiFi Registry:
4. Create a keystore with an mTLS client certificate for NiFi to authenticate 
with NiFi Registry
5. On NiFi, create a NifiRegistryFlowRegistryClient with the previous keystore
6. On NiFi Registry, create a bucket `test`
7. On NiFi Registry, create the user `CN=nifi` with the permission "can proxy 
user requests"

The issue is that `user-a` cannot start versioning a flow from NiFi, 
although the permissions inherited from the `datascientist` group should allow it.
h3. Additional information

When NiFi tries to get buckets on NiFi Registry, the HTTP request to nifi-api 
is:

```
GET https://localhost:8443/nifi-api/flow/registries/00ea78fd-019a-1000-2e8c-3915df4085d6/buckets
```

The result is an empty list:

```json
"buckets": []
```

The JWT is valid and contains the datascientist group for `user-a`.

Decoded payload from JWT Cookie:
```json
{
  "sub": "[email protected]",
  "aud": "https://e5a83c398392:8443",
  "nbf": 1760963601,
  "iss": "https://e5a83c398392:8443",
  "groups": [
    "datascientist"
  ],
  "preferred_username": "[email protected]",
  "exp": 1760963661,
  "iat": 1760963601,
  "jti": "f88c463d-dce9-4048-b155-fcba3d2bf765"
}
```

h3. Workaround
Declare the users on NiFi Registry as well and associate them with the correct 
group.
The user is then known to NiFi Registry and associated with the groups that 
hold the required permissions on the buckets.
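To make the failure mode described above and the workaround concrete, here is an added model of the registry-side authorization decision. It is not NiFi or NiFi Registry code: `X-ProxiedEntitiesChain` is NiFi's real proxy-chain header, but the forwarded-groups header, the chain layout (user first, proxy last), the `RegistryModel` class and the sample identity `user-a@example.com` are assumptions constructed for the illustration.

```python
import re

PROXY_CHAIN = "X-ProxiedEntitiesChain"            # NiFi's real proxy-chain header (user first, proxy last)
PROXY_GROUPS = "X-Forwarded-Groups-Hypothetical"  # hypothetical: where forwarded groups would travel

# Claims modelled on the decoded JWT cookie from the report (constructed sample, no signature)
JWT_PAYLOAD = {"sub": "user-a@example.com", "groups": ["datascientist"]}

def build_proxy_headers(payload: dict, proxy_dn: str, forward_groups: bool) -> dict:
    """Headers NiFi attaches when it calls NiFi Registry on behalf of the logged-in user."""
    headers = {PROXY_CHAIN: f"<{payload['sub']}><{proxy_dn}>"}
    if forward_groups:  # the behaviour the report says is missing today
        headers[PROXY_GROUPS] = ",".join(payload.get("groups", []))
    return headers

class RegistryModel:
    """Minimal stand-in for NiFi Registry's authorizer (not the real implementation)."""
    def __init__(self, can_proxy: set, bucket_policy: dict, local_groups: dict):
        self.can_proxy = can_proxy          # identities allowed to "proxy user requests"
        self.bucket_policy = bucket_policy  # bucket -> identities/groups allowed to use it
        self.local_groups = local_groups    # user -> groups declared on the registry itself

    def list_buckets(self, headers: dict) -> list:
        chain = re.findall(r"<([^>]+)>", headers[PROXY_CHAIN])
        user, proxy = chain[0], chain[-1]
        if proxy not in self.can_proxy:
            raise PermissionError(f"{proxy} may not proxy user requests")
        # Effective groups: what the registry knows locally plus whatever NiFi forwarded.
        forwarded = {g for g in headers.get(PROXY_GROUPS, "").split(",") if g}
        effective = set(self.local_groups.get(user, ())) | forwarded
        return sorted(b for b, allowed in self.bucket_policy.items()
                      if user in allowed or effective & allowed)

def scenario(forward_groups: bool, declare_user_locally: bool) -> list:
    """Bucket list user-a sees under the given NiFi / NiFi Registry configuration."""
    registry = RegistryModel(
        can_proxy={"CN=nifi"},
        bucket_policy={"test": {"datascientist"}},
        local_groups={JWT_PAYLOAD["sub"]: ["datascientist"]} if declare_user_locally else {},
    )
    return registry.list_buckets(build_proxy_headers(JWT_PAYLOAD, "CN=nifi", forward_groups))

if __name__ == "__main__":
    print("bug (only the group declared):", scenario(False, False))  # []
    print("workaround (user declared too):", scenario(False, True))   # ['test']
    print("groups forwarded by NiFi:", scenario(True, False))          # ['test']
```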

--
This message was sent by Atlassian Jira
(v8.20.10#820010)