Hi Dave, I understand the type of auto-user registration for authenticated users that you're describing, which a lot of OIDC-based web apps support.
Unfortunately, NiFi cannot support that at this time. It would be a cool feature. It's not impossible that NiFi could support it one day. We would have to enhance the NiFi Identity Provider, User Group Provider, and Authorizer implementations for OIDC to work together to support this.

Currently, the closest you can get in NiFi is to use something like the LdapUserGroupProvider to point at the same user directory as Keycloak; then the users will be automatically synced from the same directory, including their group membership, for setting nifi-specific access at the group level. But the OIDC identity would just be used for authentication, not group mapping or access policy loading (that would still come from the NiFi User Group Provider and Access Policy Provider).

Hope this helps.

Kevin

On Jan 12, 2023 at 19:04:49, David Dean via users <[email protected]> wrote:

> Hi -
>
> Is it possible for NiFi to automatically grant user access to NiFi based
> on an OIDC-authenticated user's group membership matching a group in NiFi?
>
> I'm using the latest 1.19.1 with OIDC enabled and integrated with Keycloak.
>
> In Keycloak I have created a test user and assigned them to group "Test
> Group".
>
> In NiFi I have created a group called "Test Group" and granted it some
> policies.
>
> I have enabled the "nifi.security.user.oidc.claim.groups" config option
> to obtain the OIDC groups from Keycloak.
>
> If I pre-create a user account in NiFi and add them to "Test Group" then
> they can successfully log in via OIDC and get the required policies.
>
> But what I want is to not have to pre-create the users.
>
> Instead I would like NiFi to evaluate an authenticated user's OIDC group
> membership, and if a group name in OIDC matches one in NiFi then it should
> allow them access to NiFi using the policies assigned to the matching group
> in NiFi.
>
> Is this possible?
>
> Appreciate your help!
>
> Dave
