Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2177
Yeah, I don't have deep enough Knox familiarity to judge the best use case
for communicating back that the logout command has occurred. If we treated
receiving the `hadoop-jwt` token from Knox the same way we did the credential
check for LDAP or Kerberos, and issued our own JWT, deleting the local JWT
would trigger re-validating the `hadoop-jwt` cookie. If we update the local key
store to indicate that that specific JWT is no longer valid, I believe we could
trigger a redirect to the Knox service. However, my understanding is that we
cannot simply delete the `hadoop-jwt` cookie because other services rely on it
for SSO, and I do not know what the Knox API is like to trigger a logout
remotely. At this time, I do not have a good suggestion for this scenario.
---
