Hi Ami,

Just to confirm, the OAuth Client ID redirect URL in OIDC is set to
"https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback", and
the NiFi property is set to
"nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration".

Nathan

On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <ami.g...@gmail.com> wrote:

> Hi,
>
> We are trying to deploy NiFi on kubernetes after successfully using it
> for a while.
> The issue we are having is that every time we enter our nifi URL it will
> redirect us to Google and once we sign in we just get redirected again.
>
> *The error I see on users.log is:*
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>)
> GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source ip:
> 172.32.34.99)
> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi
> Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error
> validating the JWT
> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web
> Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate
> the access token.
> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not
> match locally computed signature. JWT validity cannot be asserted and
> should not be trusted.
> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web
> Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web
> api:Unable to validate the access token.
>
> *We're trying to follow practices from blogs and pvillard's repo:*
>
>    -
>    
> https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
>    -
>    https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
>    -
>    https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
>
> *Our set up is as such:*
>
>    - OIDC provider is Google
>    - TLS-toolkit running in server mode inside k8s
>    - StatefulSet of 3 replicas
>    - Zookeeper in K8s
>    - Ingress that is set up to create a load balancer in AWS - with
>    sticky sessions (based on cookie)
>    - Service that is set up with sessionAffinity: ClientIP
>
>
> Any idea which direction I should be checking next? Thanks!
>
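An added illustration (not code from NiFi or from either poster) of why "JWT signature does not match locally computed signature" shows up once requests stop landing on the replica that issued the token. It assumes, as the thread's setup suggests, that each replica validates HS256 tokens with a key it holds locally; the node names, subject and keys are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class Node:
    """One replica of a NiFi-like StatefulSet holding its own HS256 signing key.
    Assumption for this demo: the key is local to the node, not shared via ZooKeeper."""
    def __init__(self, name, key=None):
        self.name = name
        self.key = key or secrets.token_bytes(32)  # constructed key per replica

    def issue(self, subject: str) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"sub": subject, "iss": self.name}).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def validate(self, token: str) -> dict:
        header, payload, sig = token.split(".")
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Constant-time compare; a token minted under another replica's key fails here
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("JWT signature does not match locally computed signature")
        return json.loads(_b64url_decode(payload))

def demo_per_node_keys():
    """Token issued by nifi-0 validates on nifi-0 but is rejected by nifi-1.
    Returns (validates_on_issuer, validates_on_other_replica)."""
    node_a, node_b = Node("nifi-0"), Node("nifi-1")
    token = node_a.issue("user@example.com")  # constructed subject
    on_issuer = node_a.validate(token)["sub"] == "user@example.com"
    try:
        node_b.validate(token)
        on_other = True
    except ValueError:
        on_other = False
    return on_issuer, on_other

def demo_shared_key():
    """With the same key on every replica, any node validates any node's token."""
    shared = secrets.token_bytes(32)
    node_a, node_b = Node("nifi-0", shared), Node("nifi-1", shared)
    return node_b.validate(node_a.issue("user@example.com"))["iss"] == "nifi-0"
```

The first demo is the symptom in the log above when affinity does not hold across the ingress, service and pods; the second is what a shared key, or reliable routing back to the issuing replica, buys you.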
