[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109924#comment-16109924
 ] 

ASF GitHub Bot commented on NIFI-4210:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2047#discussion_r130747016
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
    @@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
             return generateOkResponse(entity).build();
         }
     
    +    @GET
    +    @Consumes(MediaType.WILDCARD)
    +    @Produces(MediaType.WILDCARD)
    +    @Path("oidc/request")
    +    @ApiOperation(
    +            value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
    +    )
    +    public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
    +        // only consider user specific access over https
    +        if (!httpServletRequest.isSecure()) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
    +            return;
    +        }
    +
    +        // ensure oidc is enabled
    +        if (!oidcService.isOidcEnabled()) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
    +            return;
    +        }
    +
    +        final String oidcRequestIdentifier = UUID.randomUUID().toString();
    +
    +        // generate a cookie to associate this login sequence
    +        final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
    +        cookie.setPath("/");
    +        cookie.setHttpOnly(true);
    +        cookie.setMaxAge(60);
    +        cookie.setSecure(true);
    +        httpServletResponse.addCookie(cookie);
    +
    +        // get the state for this request
    +        final State state = oidcService.createState(oidcRequestIdentifier);
    +
    +        // build the authorization uri
    +        final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
    --- End diff --
    
    My initial understanding is that all of these parameters are required for 
the call to work -- can we validate that the values are present and valid 
before attempting the request?


> Add OpenId Connect support for authenticating users
> ---------------------------------------------------
>
>                 Key: NIFI-4210
>                 URL: https://issues.apache.org/jira/browse/NIFI-4210
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Core UI
>            Reporter: Matt Gilman
>            Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)