[ https://issues.apache.org/jira/browse/NIFI-6152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16802860#comment-16802860 ]

Kevin Doran commented on NIFI-6152:
-----------------------------------

Hi [~nikgonzalez],

Thanks for documenting your proposal. Similar requests have come up in previous 
discussions.

The challenge is that OIDC authentication still sends an access token in 
messages to the server that should be protected in transport to prevent leaking 
it to unauthorized parties that can see/intercept the traffic and the access 
tokens. TLS encrypts the HTTP messages in transit, while also verifying the 
identity of the NiFi host to which the OIDC access token is being sent.

I'm aware other applications do not have this restriction, and allow for SSL 
termination at the edge, and unencrypted HTTP between services behind the 
public firewall. NiFi, however, is a system that is used to connect data in 
many parts of users' infrastructure. It has data and credentials that must be 
closely protected in almost all deployments. We try to make it hard for someone 
to configure insecurely, even accidentally.

While it does take additional initial setup, it is possible to set up NiFi with 
OIDC authentication, SSL, and behind a reverse proxy. That should work for most 
use cases. We are always working to improve NiFi usability. Do you have a use 
case that you can explain to us that makes this restriction insurmountable for 
setting up and deploying NiFi?

One use case I'm aware of where it might make sense to allow alternative 
configuration is folks using a tool like Istio to secure transport between 
services, in which each service only binds to _localhost_ using HTTP/TCP without 
ssl/tls and an Istio agent running locally handles securing remote I/O and 
forwarding communication to the local service using port forwarding. But that 
does not sound like your use case, as you are proposing still allowing NiFi to 
bind to network interfaces other than localhost, correct?

> Allow OIDC authentication for nifi running behind a proxy server with SSL 
> config
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-6152
>                 URL: https://issues.apache.org/jira/browse/NIFI-6152
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: nik gonzalez
>            Priority: Major
>
> org.apache.nifi.web.api.AccessResource.java first checks whether 
> request.isSecure() before it proceeds with oidc authentication. This is a 
> proposal to remove this restriction to allow oidc authentication when running 
> nifi behind a reverse proxy (e.g., haproxy, nginx) configured with SSL.
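Added illustration, not NiFi's code and not part of this thread: one way the `request.isSecure()` gate described in the issue could be made proxy-aware without simply dropping it. A forwarded-protocol header is honoured only when the immediate peer is an allow-listed TLS-terminating proxy, so an arbitrary client cannot claim "https" for itself. The class name, the allow-list and the header handling are hypothetical; it uses only the standard `HttpServletRequest` API.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not NiFi code): decide whether a request can be
 * treated as having arrived over TLS, either directly or via a trusted
 * reverse proxy that terminated TLS in front of this host.
 */
public final class ProxyAwareSecureCheck {

    // Addresses of the reverse proxies allowed to assert the original scheme
    // (e.g. the haproxy/nginx instance in front of NiFi). Constructed by the
    // deployer; nothing else may vouch for the client-facing leg.
    private final Set<String> trustedProxyAddresses;

    public ProxyAwareSecureCheck(Set<String> trustedProxyAddresses) {
        this.trustedProxyAddresses = Set.copyOf(trustedProxyAddresses);
    }

    public boolean isEffectivelySecure(HttpServletRequest request) {
        // Direct TLS connection to this host: the existing check already holds.
        if (request.isSecure()) {
            return true;
        }
        // Plain HTTP: only consult X-Forwarded-Proto when the peer is one of
        // the allow-listed proxies; otherwise any client could set the header.
        if (!trustedProxyAddresses.contains(request.getRemoteAddr())) {
            return false;
        }
        final String forwardedProto = request.getHeader("X-Forwarded-Proto");
        if (forwardedProto == null || forwardedProto.isBlank()) {
            return false;
        }
        // Chained proxies may append one value per hop; require every hop
        // to have been https rather than trusting only the first entry.
        for (String hop : forwardedProto.split(",")) {
            if (!"https".equalsIgnoreCase(hop.trim())) {
                return false;
            }
        }
        return true;
    }
}
```

Even with this check passing, the proxy-to-NiFi leg is still plaintext, so the access token remains exposed on that segment; the check only lets a deployer accept that risk knowingly for an allow-listed proxy instead of for any peer.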