Hi Nathan,

Indeed, that's the case.

On Mon, Apr 27, 2020 at 5:57 PM Nathan Gough <[email protected]> wrote:

> Hi Ami,
>
> Just to confirm, the OAuth Client ID redirect URL in OIDC is set to
> "https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback" and
> the NiFi property is set
> "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration".
>
> Nathan
>
> On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <[email protected]> wrote:
>
>> Hi,
>>
>> We are trying to deploy NiFi on kubernetes after successfully using it
>> for a while.
>> The issue we are having is that every time we enter our nifi URL it will
>> redirect us to Google and once we sign in we just get redirected again.
>>
>> *The error I see on users.log is:*
>>
>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source ip: 172.32.34.99)
>> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
>> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
>> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
>> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api:Unable to validate the access token.
>>
>> *We're trying to follow practices from blogs and pvillard's repo:*
>>
>> - https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
>> - https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
>> - https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
>>
>> *Our set up is as such:*
>>
>> - OIDC provider is Google
>> - TLS-toolkit running in server mode inside k8s
>> - StatefulSet of 3 replicas
>> - Zookeeper in K8s
>> - Ingress that is set up to create a load balancer in AWS - with
>>   sticky sessions (based on cookie)
>> - Service that is set up with sessionAffinity: ClientIP
>>
>> Any idea which direction I should be checking next? Thanks!
>>
>
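The log line "JWT signature does not match locally computed signature" means the node that received the token recomputed the HMAC with the key it holds and got a different value. The added example below (not from this thread and not NiFi's own code) shows that failure mode with a minimal HS256 signer/verifier and three constructed node keys; the assumption that each replica holds an independent signing key is the example's, not a statement about how this deployment is keyed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS: header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature matches the locally computed one, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # only accept the algorithm we expect; never trust the header's choice
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # the "signature does not match locally computed signature" case
    return json.loads(b64url_decode(payload_b64))


# Constructed for this example: three replicas, each with its own random signing key.
NODE_KEYS = {f"nifi-{i}": secrets.token_bytes(32) for i in range(3)}


def check_across_nodes(issuer_node: str, claims: dict) -> dict:
    """Sign on one node, then report which nodes can validate that token."""
    token = sign_hs256(claims, NODE_KEYS[issuer_node])
    return {node: verify_hs256(token, key) is not None for node, key in NODE_KEYS.items()}
```

Only the node holding the issuing key validates the token; any replica without that key rejects it, which is the class of error the log shows.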
