I have a very similar configuration and similar problem.  After
authenticating with the OIDC server (Keycloak), I often get multiple
failures in verifying the JWT from the nifi servers and have to reload the
browser multiple times until it eventually hits the right one.

On Mon, Apr 27, 2020 at 2:25 PM Andy LoPresto <alopre...@apache.org> wrote:

> Can you verify the initial redirect to OIDC and the callback are going to
> the same node in NiFi? I see your LB configs are set to sticky sessions,
> but it may be that if the callback is originating from the OIDC IDP server
> rather than the actual client IP, the session affinity is not being
> applied. Regardless, the error appears to indicate that the JWT provided in
> the request to NiFi isn’t able to be validated, which indicates that the
> key used to sign it isn’t present on that node, which is likely due to the
> request being sent to a node other than the one that signed it.
>
> Quick and easy way to validate this would be to change the stateful set #
> to 1 node and attempt the same sequence of operations.
>
>
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Apr 27, 2020, at 8:12 AM, Ami Goldenberg <ami.g...@gmail.com> wrote:
>
> Hi Nathan,
> Indeed, that's the case
>
> On Mon, Apr 27, 2020 at 5:57 PM Nathan Gough <thena...@gmail.com> wrote:
>
>> Hi Ami,
>>
>> Just to confirm, the OAuth Client ID redirect URL in OIDC is set to
>> "https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback" and
>> the NiFi property is set to
>> "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration".
>>
>> Nathan
>>
>> On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <ami.g...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> We are trying to deploy NiFi on kubernetes after successfully using it
>>> for a while.
>>> The issue we are having is that every time we enter our nifi URL it will
>>> redirect us to Google and once we sign in we just get redirected again.
>>>
>>> *The error I see on users.log is:*
>>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>)
>>> GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source ip:
>>> 172.32.34.99)
>>> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi
>>> Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error
>>> validating the JWT
>>> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web
>>> Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate
>>> the access token.
>>> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not
>>> match locally computed signature. JWT validity cannot be asserted and
>>> should not be trusted.
>>> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web
>>> Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web
>>> api:Unable to validate the access token.
>>>
>>> *We're trying to follow practices from blogs and pvillard's repo:*
>>>
>>>    -
>>>    
>>> https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
>>>    -
>>>    https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
>>>    -
>>>    https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
>>>
>>> *Our set up is as such:*
>>>
>>>    - OIDC provider is Google
>>>    - TLS-toolkit running in server mode inside k8s
>>>    - StatefulSet of 3 replicas
>>>    - Zookeeper in K8s
>>>    - Ingress that is set up to create a load balancer in AWS - with
>>>    sticky sessions (based on cookie)
>>>    - Service that is set up with sessionAffinity: ClientIP
>>>
>>>
>>> Any idea which direction I should be checking next? Thanks!
>>>
>>
>
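The following is an added example, not code from this thread or from NiFi: a small model of the failure Andy describes, written to make the diagnosis concrete. The model assumes that each node signs the post-login JWT with its own HMAC key, so a token minted by the node that handled the OIDC callback cannot be verified by a different node that receives the next API call (the `/nifi-api/flow/current-user` request in Ami's log). Node names, the subject and the keys are constructed; `simulate()` returns the same kind of "signature does not match locally computed signature" rejection the log shows, and a one-node cluster, which is the check Andy suggests, always verifies its own tokens.

```python
"""Added example (not code from the thread or from NiFi): a model of why a JWT
minted on one cluster node is rejected on another when each node holds its own
signing key. The per-node-key behaviour is an assumption of the model taken
from the thread's explanation; names, subjects and keys are constructed."""
from typing import List, Optional, Tuple
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Node:
    """One cluster member. With key=None it generates a node-local key (the
    situation the thread describes); pass the same key to every node to see
    what a cluster-wide key changes in this model (assumption, not NiFi's design)."""

    def __init__(self, name: str, key: Optional[bytes] = None) -> None:
        self.name = name
        self.key = key if key is not None else secrets.token_bytes(32)

    def mint_jwt(self, subject: str) -> str:
        """Issue an HS256 token after a successful OIDC callback on this node."""
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"sub": subject, "iss": self.name}).encode())
        signing_input = f"{header}.{payload}".encode("ascii")
        sig = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify_jwt(self, token: str) -> dict:
        """Verify a token with this node's key and return its claims."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        header, payload, sig = parts
        signing_input = f"{header}.{payload}".encode("ascii")
        expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch is the "signature does not match
        # locally computed signature" case from users.log.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("JWT signature does not match locally computed signature")
        return json.loads(_b64url_decode(payload))


def cluster(size: int, shared_key: Optional[bytes] = None) -> List[Node]:
    """Build a StatefulSet-like set of nodes nifi-0 .. nifi-(size-1)."""
    return [Node(f"nifi-{i}", shared_key) for i in range(size)]


def simulate(nodes: List[Node], minted_on: int, verified_on: int,
             subject: str = "user@example.com") -> Tuple[str, str]:
    """Mint the login token on the node that received the OIDC callback, then
    present it to the node that receives the next API call.
    Returns ("ok", subject) or ("rejected", reason)."""
    token = nodes[minted_on].mint_jwt(subject)
    try:
        claims = nodes[verified_on].verify_jwt(token)
        return ("ok", claims["sub"])
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    per_node = cluster(3)
    print("same node:      ", simulate(per_node, 0, 0))
    print("different node: ", simulate(per_node, 0, 1))
    print("single replica: ", simulate(cluster(1), 0, 0))
```

Running it shows the pattern from the thread: with three replicas the token verifies only when the callback and the follow-up request reach the same node, so whether the load balancer's stickiness actually applies to the callback decides the outcome, and scaling the StatefulSet to one replica removes the routing variable entirely, which is why it is a quick way to confirm the diagnosis.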
