IMO, try and get the authentication working with a commandline utility like curl.
When you get that working then try putting it into NIFI.

At large corp's we generally use SAML. We have talked about adding SAML/Single-Signon to NiFi but, well, LDAP works just fine. NIFI+LDAP works like a charm. The return of developing a NiFi fork with SAML/OpenID Connect support is way...way too costly.

> However I have to run with a reverse proxy, that fails well into the OIDC
> token fetch and redirect cycles with 401 'Unable to continue login sequence'.

You are using a reverse proxy. Terminate the authentication at the reverse proxy, let the reverse proxy do the work for you. I google search and see people already have NGINX+OpenID modules. Reverse proxies support many authentication mechanisms so you don't need to build security and authentication into every product. That's their purpose.

Here is something we did a few years ago that uses NGINX+shibboleth for the authentication and sets the trusted HTTP headers (user names and IDs) that you check in the reverse proxied services. Same process for NGINX+OpenID.

https://github.com/CartoDB/omnibus-nginx/

DISCLAIMER: I am not sure if NiFi supports using HTTP headers for authentication but that's an easier problem to solve than building SAML/OpenID Connect support into NiFi core.

Erik Anderson
Bloomberg

On Thu, Aug 22, 2019, at 12:15 PM, Pat White wrote:
> Hi Folks,
>
> Trying to get Nifi working with OpenID Connect authentication using Okta as
> the OIDC provider. When Nifi has direct access to Okta, works fine. However I
> have to run with a reverse proxy, that fails well into the OIDC token fetch
> and redirect cycles with 401 'Unable to continue login sequence'.
>
> From the client browser, both cases appear same up to the code&state callback
> phase, kerberos jwt is tried, both fail and fallback to the
> NiFiAnonymousUserFilter. The success (non-proxy) case retries using
> StandardOidcIdentityProvider, still gets a kerb error but continues with
> JwtAuthenticationFilter which sees a valid JWT token and
> NiFiAuthenticationFilter authenticates the user, fail case never retries
> through the StandardOidcIdentityProvider.
>
> In callback, both cases have Okta it, rt and at tokens, only diff I'm seeing
> is success case has an additional cookie, 'oidc-exchange-request'. That's the
> code path I'm not able to follow, from the kerberos jwt authn filter failure
> retrying through the oidc filter, and its use of the exchange phase. Been
> studying Matt's pull request #2047 from Nifi-4210 along with Andy's review
> comments, which is really helpful.
>
> Any suggestions on how to trace the authn attempts through the filters?
>
> Also any specific concerns using a reverse proxy like this? There are a lot
> of redirects, my suspicion is that I'm losing cookies at some point through
> the proxy, causing Nifi to either fail Okta token validation or exchange
> protocols.
>
> patw
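Pat's suspicion that cookies are lost somewhere in the redirect chain can be checked offline before digging through the filters. The following is an added example, not code from this thread or from NiFi: it replays a constructed sequence of browser-to-proxy hops through Python's standard cookie jar and reports, per hop, which cookies a browser would send and why a stored one would be withheld. The hostnames, paths and cookie values are constructed; only the cookie name oidc-exchange-request comes from the thread.

```python
# Added example, not from the thread: replay a constructed sequence of browser
# -> proxy hops through a browser-like cookie jar and report, per hop, which
# cookies would be sent and why stored ones would not be.
from http.client import HTTPMessage
from http.cookiejar import CookieJar, DefaultCookiePolicy
from types import SimpleNamespace
from urllib.request import Request


def _why_not_sent(policy, cookie, request):
    """The three checks CookieJar applies before attaching a stored cookie."""
    if not policy.domain_return_ok(cookie.domain, request):
        return "domain %s does not match host %s" % (cookie.domain, request.host)
    if not policy.path_return_ok(cookie.path, request):
        return "path %s does not prefix %s" % (cookie.path, request.selector)
    if not policy.return_ok(cookie, request):
        return "policy refused it (e.g. Secure cookie on a non-https request)"
    return None


def trace_cookies(hops):
    """hops: [(url, [Set-Cookie values])] in browser order. Per hop: names sent,
    stored cookies not sent (with reason) and Set-Cookie names the jar rejected."""
    policy = DefaultCookiePolicy()
    jar, report = CookieJar(policy), []
    for url, set_cookies in hops:
        request = Request(url)
        jar.add_cookie_header(request)  # attaches the Cookie header a browser would send
        header = request.get_header("Cookie", "")
        sent = sorted(p.split("=", 1)[0] for p in header.split("; ") if p)
        dropped = {c.name: r for c in jar if (r := _why_not_sent(policy, c, request))}
        msg = HTTPMessage()  # CookieJar only needs response.info() to return headers
        for value in set_cookies:
            msg.add_header("Set-Cookie", value)
        jar.extract_cookies(SimpleNamespace(info=lambda: msg), request)
        offered = {v.split("=", 1)[0].strip() for v in set_cookies}
        report.append({"url": url, "sent": sent, "dropped": dropped,
                       "rejected": sorted(offered - {c.name for c in jar})})
    return report


# Constructed scenario: proxy exposes NiFi under /gateway/, backend sets Path=/nifi-api.
DEMO_HOPS = [
    ("https://proxy.example.com/gateway/nifi-api/access/oidc/request",
     ["oidc-exchange-request=abc123; Path=/nifi-api; Secure; HttpOnly",
      "session-demo=xyz; Path=/gateway; Secure",
      "backend-affinity=n1; Domain=nifi-backend.internal; Path=/"]),
    ("https://proxy.example.com/gateway/nifi-api/access/oidc/callback?code=c&state=s", []),
    ("http://proxy.example.com/gateway/nifi-api/access/token", []),
]
```

In the constructed run, hop two shows the pattern to look for: a cookie scoped to the backend's /nifi-api path is stored but never returned on the proxy's /gateway/ paths, and hop three shows Secure cookies withheld once the client side of the proxy is plain http.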
