[ 
https://issues.apache.org/jira/browse/NIFI-4890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034564#comment-17034564
 ] 

Matt Gilman commented on NIFI-4890:
-----------------------------------

[~deboys] Which token are you referring to that NiFi is not honoring the 
expiration of? As part of the authentication, NiFi validates the ID token and 
extracts the expiration from its claim set. If the user identity is not part of 
the claim set it will use the access token to query the UserInfo endpoint. 
However, following that it does not use the access token from the identity 
provider at all. NiFi does not need to invoke endpoints on the identity 
provider following this authentication.

Reading through the spec it states that the Refresh request may not include a 
new ID token [1]. Can you point to an example or something from the 
specification of how folks expect this to work? 

Thanks!

[1] https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens 

> OIDC Token Refresh is not done correctly
> ----------------------------------------
>
>                 Key: NIFI-4890
>                 URL: https://issues.apache.org/jira/browse/NIFI-4890
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.5.0
>         Environment: Environment:
> Browser: Chrome / Firefox 
> Configuration of NiFi: 
> - SSL certificate for the server (no client auth) 
> - OIDC configuration including end_session_endpoint (see the link 
> https://auth.s.orchestracities.com/auth/realms/default/.well-known/openid-configuration)
>  
>            Reporter: Federico Michele Facca
>            Priority: Major
>
> It looks like the NIFI UI is not refreshing the OIDC token in the background, and 
> because of that, when the token expires, it tells you that your session is 
> expired, and you need to refresh the page to get a new token.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
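
The login flow described in the comment above, as an added Python sketch that is not NiFi's code and not part of the original message: the session expiry is read from the validated ID token, the access token is used only for the UserInfo fallback, and a refresh response without an `id_token` carries no new expiration. All names, the issuer, the client id and the HS256 secret are constructed assumptions.

```python
import base64, hashlib, hmac, json

# All values are constructed. HS256 with a shared secret keeps this
# stdlib-only; real deployments usually verify RS256 against the IdP's JWKS.
SECRET, ISSUER, CLIENT_ID = b"constructed-secret", "https://idp.example", "nifi-demo"

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims):
    """Stand-in for the identity provider: issue a signed ID token."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_sign(head + '.' + body))}"

def validate_id_token(token, now):
    """Check algorithm, signature, issuer, audience and expiry; return the claims."""
    head, body, sig = token.split(".")
    if json.loads(_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(_sign(head + "." + body), _dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_dec(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims

def login(token_response, identity_claim, userinfo, now):
    """Expiry comes from the ID token; the access token only feeds the UserInfo fallback."""
    claims = validate_id_token(token_response["id_token"], now)
    identity = claims.get(identity_claim)
    if identity is None:  # identity not in the claim set: ask the UserInfo endpoint
        identity = userinfo(token_response["access_token"])[identity_claim]
    return {"identity": identity, "expires_at": claims["exp"]}

def expiry_after_refresh(session, refresh_response, now):
    """A refresh response may omit id_token; then there is no new exp claim to read."""
    if "id_token" not in refresh_response:
        return session["expires_at"]
    return validate_id_token(refresh_response["id_token"], now)["exp"]
```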
