[https://issues.apache.org/jira/browse/NIFI-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18040789#comment-18040789]
Peter Turcsanyi commented on NIFI-15262:
----------------------------------------
[~P-Pigott] "Client secret" was defined as mandatory because NiFi was expected
to operate as a confidential client. In the NiFi components, we aim to support
and also ensure a higher level of security, in this case: confidential clients
over public clients.
If I understand correctly, you have the following config on Keycloak side:
* Authentication flow = Direct access grants (Resource Owner Password
Credentials Grant in OAuth2 terms)
* Client authentication = Off (Public Client)
As it can be worked around using a dummy client secret on NiFi side, I'm
inclined to remove the mandatory requirement for the "Client secret", with the
note that the recommended approach is still to use confidential clients.
> StandardOauth2AccessTokenProvider requires any value to be entered for the
> client secret when the user password grant type option is selected
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-15262
> URL: https://issues.apache.org/jira/browse/NIFI-15262
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Configuration
> Affects Versions: 2.6.0
> Environment: Using the Docker image from DockerHub and authenticating
> against Keycloak v22.0.5
> Reporter: Jeremy
> Priority: Minor
>
> 1. When configuring the authorization details for the
> StandardOauth2AccessTokenProvider you are required to enter any value (a zero
> for example) in the "Client secret" setting when the "Grant Type" chosen is
> "User Password", but that is not required.
> This setting for the client secret is actually ignored during the
> authentication because only the client id, user, and password are necessary
> when the grant type is "User Password". The setup can be rather confusing
> when you are required to put something in this field due to the UI enforcing it.
> For example, I initially thought that I had to use a real secret from
> Keycloak to make this work by changing the Keycloak client config so that I
> would have a secret handy for this configuration but it is in fact not
> required at all and any value entered would have worked to complete the
> service configuration.
> Other settings for the "Grant Type" work, but this probably can be double
> checked for the mapping of valid settings being enforced based on the selected
> setting.
> 2. Also, please fix the 's' in secret to be uppercase 'Client secret' to
> 'Client Secret' to match the other settings.