Thanks very much Erik, appreciate the feedback. patw
On Thu, Aug 22, 2019 at 1:07 PM Erik Anderson <[email protected]> wrote:

> IMO,
>
> Try and get the authentication working with a command-line utility like curl.
>
> When you get that working then try putting it into NIFI.
>
> At large corps we generally use SAML. We have talked about adding SAML/Single-Signon to NiFi but, well, LDAP works just fine. NIFI+LDAP works like a charm. The return of developing a NiFi fork with SAML/OpenID connect support is way...way too costly.
>
> > However I have to run with a reverse proxy, that fails well into the OIDC token fetch and redirect cycles with 401 'Unable to continue login sequence'.
>
> You are using a reverse proxy. Terminate the authentication at the reverse proxy, let the reverse proxy do the work for you. I Google search and see people already have NGINX+OpenID modules. Reverse proxies support many authentication mechanisms so you don't need to build security and authentication into every product. That's their purpose.
>
> Here is something we did a few years ago that uses NGINX+shibboleth for the authentication and sets the trusted HTTP headers (user names and IDs) that you check in the reverse proxied services. Same process for NGINX+OpenID.
>
> https://github.com/CartoDB/omnibus-nginx/
>
> DISCLAIMER: I am not sure if NiFi supports using HTTP headers for authentication but that's an easier problem to solve than building SAML/OpenID connect support into NiFi core.
>
> Erik Anderson
> Bloomberg
>
> On Thu, Aug 22, 2019, at 12:15 PM, Pat White wrote:
> > Hi Folks,
> > Trying to get Nifi working with OpenID Connect authentication using Okta as the OIDC provider. When Nifi has direct access to Okta, works fine. However I have to run with a reverse proxy, that fails well into the OIDC token fetch and redirect cycles with 401 'Unable to continue login sequence'.
> >
> > From the client browser, both cases appear same up to the code&state callback phase, kerberos jwt is tried, both fail and fallback to the NiFiAnonymousUserFilter. The success (non-proxy) case retries using StandardOidcIdentityProvider, still gets a kerb error but continues with JwtAuthenticationFilter which sees a valid JWT token and NiFiAuthenticationFilter authenticates the user, fail case never retries through the StandardOidcIdentityProvider.
> >
> > In callback, both cases have okta it, rt and at tokens, only diff I'm seeing is success case has an additional cookie, 'oidc-exchange-request'. That's the code path I'm not able to follow, from the kerberos jwt authn filter failure retrying through the oidc filter, and its use of the exchange phase. Been studying Matt's pull request #2047 from Nifi-4210 along with Andy's review comments, which is really helpful.
> >
> > Any suggestions on how to trace the authn attempts through the filters?
> >
> > Also any specific concerns using a reverse proxy like this? There are a lot of redirects, my suspicion is that I'm losing cookies at some point through the proxy, causing Nifi to either fail okta token validation or exchange protocols.
> >
> > patw
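The "terminate authentication at the proxy and pass trusted identity headers" pattern Erik describes, written out as an added example that is not part of this thread or of the linked omnibus-nginx project. It uses nginx's core auth_request module rather than the shibboleth module, so it matches the NGINX+OpenID variant he mentions. The location names (/_auth), upstream names (auth-service, nifi-upstream) and the header name X-Remote-User are all assumptions; the backend is any reverse-proxied service that accepts an identity header, since the thread does not confirm NiFi does.

```nginx
# Added example, not from the thread or omnibus-nginx.
# Assumed names: /_auth, auth-service, nifi-upstream, X-Remote-User.

# WEAK: the client's own request headers are forwarded untouched. A client
# that sends "X-Remote-User: someone" reaches the backend with that header
# intact, and a backend that trusts the header has no way to tell the
# difference.
#
# location / {
#     proxy_pass http://nifi-upstream;
# }

# CORRECTED: identity comes only from the proxy's own auth subrequest, and
# any same-named header the client supplied is overwritten before proxying.

# Internal subrequest target; "internal" means it cannot be requested
# directly from outside, only via auth_request.
location = /_auth {
    internal;
    proxy_pass http://auth-service/verify;
    proxy_pass_request_body off;                 # auth only needs headers
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    # The session cookie is what the auth service validates, so it must be
    # forwarded on the subrequest; dropping it here is one way a login
    # flow silently breaks behind a proxy.
    proxy_set_header Cookie $http_cookie;
}

location / {
    # A 401 or 403 from auth-service stops the request here; 2xx lets it
    # through.
    auth_request /_auth;

    # Take the user name from the auth service's RESPONSE header, never from
    # the client request.
    auth_request_set $auth_user $upstream_http_x_remote_user;

    # proxy_set_header replaces any client-supplied header of the same name,
    # so the backend only ever sees the value the proxy vouched for.
    proxy_set_header X-Remote-User $auth_user;

    # Standard forwarding headers so redirects built by the backend use the
    # public scheme/host rather than the internal ones.
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    proxy_pass http://nifi-upstream;
}
```

The header is only as trustworthy as the network path: the backend must be reachable solely from the proxy (bind it to a private interface or firewall it), because a request that bypasses nginx and hits the backend directly can carry any X-Remote-User it likes. On the backend side the check is correspondingly simple: accept the identity header only from the proxy's source address, and treat its absence as unauthenticated.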
