Dweep, sorry you're having trouble with this. Can you please confirm the URL you direct your browser to initially and compare that to the address you are returned to following successful authentication? I would also be interested in seeing the value of the redirect_uri query parameter when logging in with your identity provider.
On Wed, Sep 25, 2019 at 5:26 AM Dweep Sharma <dweep.sha...@redbus.com> wrote:
> Hi All,
>
> I am receiving this error on my nifi cluster setup
>
> Error - ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
> io.jsonwebtoken.JwtException: Unable to validate the access token.
> WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=dp1.domain.com, OU=NIFI
>
> I think the request for the access token is being served by the secondary node instead of the primary, and due to this there is a mismatch in authorizing the user to the primary (1st node).
>
> I am using OpenID Connect for auth, following the steps mentioned here, ref: https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
> My cluster setup is 2 nodes with OpenID Connect hosted on AWS.
>
> I have added the OpenID SSO config in both the nodes.
>
> The problem is, if I run it in cluster mode I am getting this error, whereas if I run it as an individual node, it is working perfectly fine.
>
> NOTE: I am not using any load balancer in this case, but I can see nifi-user logs in both the nodes even if I am trying to connect to one node.
>
> Logs from
> 2019-09-25 08:24:55,244 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://<domain.com>:8443/nifi-api/flow/current-user (source ip: 10.5.1.182)
> 2019-09-25 08:24:55,260 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for du...@domain.com
> 2019-09-25 08:24:55,372 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<du...@domain.com><CN=<domain.com>, OU=NIFI>) GET https://domain.com:8443/nifi-api/flow/current-user (source ip: xx.xx.xx.xx)
> 2019-09-25 08:24:55,375 WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=<domain.com>, OU=NIFI
>
> ========================
> 2019-09-25 08:37:32,111 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://dp1.domain.com:8443/nifi-api/flow/current-user (source ip: 10.5.1.182)
> 2019-09-25 08:37:32,135 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
> io.jsonwebtoken.JwtException: Unable to validate the access token.
>         at org.apache.nifi.web.security.jwt.JwtService.parseTokenFromBase64EncodedString(JwtService.java:106)
>         at org.apache.nifi.web.security.jwt.JwtService.getAuthenticationFromToken(JwtService.java:60)
>         at org.apache.nifi.web.security.jwt.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:48)
>         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:78)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:99)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>         at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>         at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
>         at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
>
> Please suggest how to enable stickiness in this case.
> There was a similar issue mentioned here - https://community.cloudera.com/t5/Support-Questions/NIFI-Unable-to-validate-the-access-token-Accessing-GUI/m-p/214525
> The difference is, I am not using an external load balancer.
>
> Attaching the configuration here
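The two failure signatures in the quoted nifi-user.log (a replicated request rejected as an untrusted proxy, and a JWT that one node issued being rejected by another) are easy to confuse when they appear interleaved on the same threads. The following triage script is an added example, not code from the thread or from Apache NiFi: it parses the log lines quoted above (embedded here as a constructed sample, with the poster's placeholders such as <domain.com> and xx.xx.xx.xx left as they were redacted), pairs each "Attempting request" line with the outcome logged on the same web server thread, and reports which proxy DNs were rejected and on which node hosts a JWT was presented. The hosts-versus-failures heuristic encodes the hypothesis the thread itself raises, that a token accepted by one node is rejected by the other when the browser is not pinned to the issuing node; the function and field names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the nifi-user.log excerpts quoted in the thread, with the
# poster's placeholders (<domain.com>, du...@domain.com, xx.xx.xx.xx) kept as-is.
SAMPLE_LOG = """\
2019-09-25 08:24:55,244 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://<domain.com>:8443/nifi-api/flow/current-user (source ip: 10.5.1.182)
2019-09-25 08:24:55,260 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for du...@domain.com
2019-09-25 08:24:55,372 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<du...@domain.com><CN=<domain.com>, OU=NIFI>) GET https://domain.com:8443/nifi-api/flow/current-user (source ip: xx.xx.xx.xx)
2019-09-25 08:24:55,375 WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=<domain.com>, OU=NIFI
2019-09-25 08:37:32,111 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://dp1.domain.com:8443/nifi-api/flow/current-user (source ip: 10.5.1.182)
2019-09-25 08:37:32,135 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
"""

# Generic nifi-user.log line: timestamp, level, [thread], logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
# The identity chain is everything between the outer parentheses; it may itself
# contain angle brackets, so the greedy group is anchored by the method and URL.
ATTEMPT_RE = re.compile(
    r"Attempting request for \((?P<chain>.*)\) (?P<method>\w+) (?P<url>\S+) "
    r"\(source ip: (?P<src>[^)]*)\)$"
)
PROXY_RE = re.compile(r"Untrusted proxy (?P<dn>.+)$")


@dataclass
class Request:
    ts: str
    thread: str
    chain: str          # identity chain as logged, e.g. "<JWT token>" or "<user><CN=node>"
    host: str           # host part of the request URL (port stripped)
    src: str
    outcome: str = "pending"   # success | untrusted_proxy | jwt_invalid | pending
    detail: str = ""

    @property
    def bearer_jwt(self) -> bool:
        return self.chain == "<JWT token>"   # the token is redacted this way in the log

    @property
    def proxied(self) -> bool:
        # A replicated request carries more than one identity: the end user first,
        # then the certificate DN of the node that forwarded it.
        return "><" in self.chain


def parse_requests(log_text: str) -> list[Request]:
    """Pair every 'Attempting request' line with the next outcome on the same thread."""
    pending: dict[str, Request] = {}
    requests: list[Request] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, logger, msg = m["thread"], m["logger"], m["msg"]
        a = ATTEMPT_RE.search(msg)
        if a:
            host = re.match(r"https?://([^/]+)", a["url"]).group(1).rsplit(":", 1)[0]
            req = Request(m["ts"], thread, a["chain"], host, a["src"])
            requests.append(req)
            pending[thread] = req
            continue
        req = pending.get(thread)
        if req is None:
            continue
        if msg.startswith("Authentication success"):
            req.outcome, req.detail = "success", msg.split("for ", 1)[1]
        elif (p := PROXY_RE.search(msg)):
            req.outcome, req.detail = "untrusted_proxy", p["dn"]
        elif logger.endswith("JwtService") and "error validating the JWT" in msg:
            req.outcome, req.detail = "jwt_invalid", msg
        else:
            continue
        del pending[thread]
    return requests


def triage(requests: list[Request]) -> dict:
    """Summarise the two distinct failure modes so they are not mistaken for one."""
    untrusted = sorted({r.detail for r in requests if r.outcome == "untrusted_proxy"})
    jwt_hosts = sorted({r.host for r in requests if r.bearer_jwt})
    jwt_failed = [(r.ts, r.host) for r in requests if r.outcome == "jwt_invalid"]
    findings = []
    if untrusted:
        findings.append(
            "untrusted proxy DN(s) " + "; ".join(untrusted)
            + ": a node's certificate identity must be authorised to proxy user "
              "requests before it may replicate requests on a user's behalf"
        )
    if jwt_failed and len(jwt_hosts) > 1:
        findings.append(
            "JWT presented to more than one node host (" + ", ".join(jwt_hosts)
            + ") and rejected on " + ", ".join(h for _, h in jwt_failed)
            + ": the browser is reaching a node other than the one that issued the token"
        )
    return {"untrusted_proxies": untrusted, "jwt_hosts": jwt_hosts,
            "jwt_failures": jwt_failed, "findings": findings}


if __name__ == "__main__":
    for line in triage(parse_requests(SAMPLE_LOG))["findings"]:
        print("-", line)
```

Run it against a real nifi-user.log by replacing SAMPLE_LOG with the file contents; the untrusted-proxy finding names the exact DN to authorise, and the JWT finding only fires when tokens were seen on more than one node host, which is the condition the thread is asking about.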