[ https://issues.apache.org/jira/browse/NIFI-5508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16580242#comment-16580242 ]

Curtis W Ruck commented on NIFI-5508:
-------------------------------------

Andy,

Joseph Witt, in the PR comments, said that disabling "wantClientAuth" would 
break S2S authentication, which to me would infer S2S is not supported behind a 
reverse proxy where the Reverse Proxy -> NiFi communication happens via HTTPS 
(not HTTP) and the Reverse Proxy has its own client certificate to 
authenticate to application servers behind it.

Given that when using NiFi on HTTPS, wantClientAuth is always enabled, and the 
reverse proxy provides its client certificate, NiFi's external authentication 
provider support completely fails because it recognizes the X509 authentication 
from the reverse proxy.

I'm trying to find a way to disable wantClientAuth behind the reverse proxy, 
without breaking anything else, so that I can get OIDC authentication working 
properly.

> Support disabling wantClientAuth when running behind a reverse proxy.
> ---------------------------------------------------------------------
>
>                 Key: NIFI-5508
>                 URL: https://issues.apache.org/jira/browse/NIFI-5508
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.7.0, 1.7.1
>         Environment: Reverse Proxy & trying to use other credential provider 
> when the reverse proxy provides a client certificate itself.
>            Reporter: Curtis W Ruck
>            Priority: Major
>              Labels: rever
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> As discussed on mailing list.
> JettyServer always calls either setNeedClientAuth(true) or 
> setWantClientAuth(true).
> When used with a reverse proxy that has a client certificate, it is 
> impossible currently to use other credential providers as the X509 
> authentication takes precedence.
> Adding the ability to disable wantClientAuth via a NiFi property would enable 
> the ability to leverage existing SSO solutions behind a reverse proxy.


