Hi Folks, Trying to get NiFi working with OpenID Connect authentication using Okta as the OIDC provider. When NiFi has direct access to Okta, it works fine. However, I have to run with a reverse proxy, and that fails well into the OIDC token fetch and redirect cycles with 401 'Unable to continue login sequence'.

From the client browser, both cases appear the same up to the code&state callback phase: kerberos jwt is tried, both fail and fall back to the NiFiAnonymousUserFilter. The success (non-proxy) case retries using StandardOidcIdentityProvider, still gets a kerb error but continues with JwtAuthenticationFilter, which sees a valid JWT token, and NiFiAuthenticationFilter authenticates the user; the fail case never retries through the StandardOidcIdentityProvider. In the callback, both cases have Okta id, rt and at tokens; the only diff I'm seeing is that the success case has an additional cookie, 'oidc-exchange-request'. That's the code path I'm not able to follow: from the kerberos jwt authn filter failure retrying through the oidc filter, and its use of the exchange phase.

Been studying Matt's pull request #2047 from Nifi-4210 along with Andy's review comments, which is really helpful. Any suggestions on how to trace the authn attempts through the filters? Also any specific concerns using a reverse proxy like this? There are a lot of redirects; my suspicion is that I'm losing cookies at some point through the proxy, causing NiFi to either fail Okta token validation or exchange protocols.

patw
