Hi Alan,

Thanks for the reply. NiFi does not use system proxy properties for making the HTTP request to retrieve the OIDC information. If the curl command is using a system proxy, that would explain why it works with curl, but throws the error on NiFi startup.

Jira issue NIFI-8056 [1] is an open request for proxy-mediated access to the OIDC configuration. It is not currently assigned, but if this is also the case for you, please comment on the issue for additional tracking.

Regards,
David Handermann

[1] https://issues.apache.org/jira/browse/NIFI-8056

On Fri, Dec 6, 2024 at 5:07 PM LAFLEUR, ALAN <al1...@att.com> wrote:
>
> Thanks for the replies. Sadly, a curl is working fine to the discovery URL
> from command line.
> I thought it may be possible java/nifi is not able to access the necessary
> https proxy settings I have set in /etc/environment so I set the
> bootstrap.conf as below but it did not help.
> ...
> java.arg.18=-Dhttp.proxyHost=proxy.host.svc.local
> java.arg.19=-Dhttp.proxyPort=3128
> java.arg.20=-Dhttps.proxyHost=proxy.host.svc.local
> java.arg.21=-Dhttps.proxyPort=3128
>
> ________________________________
> From: David Handermann <exceptionfact...@apache.org>
> Sent: Friday, December 6, 2024 1:52 PM
> To: users@nifi.apache.org <users@nifi.apache.org>
> Subject: Re: Configuring NiFi for OIDC
>
> This Message Is From an External Sender
> This message came from outside AT&T. Click for additional detail.
>
> Hi Alan,
>
> Thanks for attaching the nifi-app.log, it contains the full stack
> trace including the details of the error as follows:
>
> Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://oidc.stage.elogin.att.com/mga/sps/oauth/oauth20/metadata/ATTOIDC/.well-known/openid-configuration": Connection reset by peer; nested exception is java.net.SocketException: Connection reset by peer
>     at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:791)
>     at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:717)
>     at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:340)
>     at org.apache.nifi.web.security.oidc.registration.StandardClientRegistrationProvider.getProviderMetadata(StandardClientRegistrationProvider.java:113)
>
> The "SocketException: Connection reset by peer" indicates some kind of
> networking problem between NiFi and the OpenID Connect provider. If
> you are able to run curl to that URL from the NiFi instance itself,
> that might be informative, but it appears that something is blocking
> connectivity between NiFi and that system.
>
> Regards,
> David Handermann
>
> On Fri, Dec 6, 2024 at 1:54 PM LAFLEUR, ALAN <al1...@att.com> wrote:
> >
> > Thanks David. I'm attempting to add the app logs as an attachment.
> > Assuming it works, is that the stacktrace you mentioned?
> >
> > ________________________________
> > From: David Handermann <exceptionfact...@apache.org>
> > Sent: Friday, December 6, 2024 9:01 AM
> > To: users@nifi.apache.org <users@nifi.apache.org>
> > Subject: Re: Configuring NiFi for OIDC
> >
> > Hi Alan,
> >
> > There should be a stack trace following the metadata URL retrieval
> > error. That should provide additional details related to the error.
> >
> > Regards,
> > David Handermann
> >
> > On Fri, Dec 6, 2024 at 10:16 AM LAFLEUR, ALAN <al1...@att.com> wrote:
> > >
> > > Hi All,
> > > I'm fairly new to NiFi and have my Ubuntu instance running fine with
> > > single identity config. However, I am now trying to configure NiFi for
> > > OIDC but when I start the nifi process it dies with the error below. A
> > > curl shows that at least basic connectivity is working to the IDP. Any
> > > ideas what could be causing this? I can provide my nifi.properties
> > > and/or authorizers.xml if needed.
> > >
> > > 2024-11-20 00:22:09,786 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
> > > org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0;
> > > nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'securityFilterChain' defined in org.apache.nifi.web.security.configuration.WebSecurityConfiguration: Unsatisfied dependency expressed through method 'securityFilterChain' parameter 7;
> > > nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'oAuth2LoginAuthenticationFilter' defined in org.apache.nifi.web.security.configuration.OidcSecurityConfiguration: Bean instantiation via factory method failed;
> > > nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter]: Factory method 'oAuth2LoginAuthenticationFilter' threw exception;
> > > nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientRegistrationRepository' defined in org.apache.nifi.web.security.configuration.OidcSecurityConfiguration: Bean instantiation via factory method failed;
> > > nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.registration.ClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception;
> > > nested exception is org.apache.nifi.web.security.oidc.OidcConfigurationException: OpenID Connect Metadata URL [https://oidc.stage.elogin.att.com/mga/sps/oauth/oauth20/metadata/ATTOIDC/.well-known/openid-configur...] retrieval failed
> > >
> > > Thanks for any assistance you can provide,
> > > Alan LaFleur
> > >
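
The check discussed in this thread, as an added example that is not part of the original messages: fetch the discovery URL once with every proxy setting ignored (what a proxy-unaware client does) and once through the proxy, then classify the pair. The script name `oidc-probe.sh` and the function names are hypothetical; the curl options used are standard ones.

```bash
#!/bin/sh
# Added diagnostic, not code from NiFi or from the thread.

# probe URL [PROXY]: print the HTTP status curl received.
# curl prints 000 when it got no HTTP response at all
# (connection reset, refused, timed out).
probe() {
  if [ -n "${2:-}" ]; then
    # Explicit proxy, e.g. http://proxy.host.svc.local:3128
    curl -s -o /dev/null --max-time 10 --proxy "$2" \
         -w '%{http_code}' "$1" || true
  else
    # --noproxy '*' makes curl ignore http_proxy/https_proxy from the
    # environment, so the request leaves the host without any proxy.
    curl -s -o /dev/null --max-time 10 --noproxy '*' \
         -w '%{http_code}' "$1" || true
  fi
}

# diagnose DIRECT_STATUS PROXIED_STATUS: classify the two probe results.
diagnose() {
  case "$1:$2" in
    200:*) echo direct-ok ;;       # reachable without a proxy
    *:200) echo proxy-required ;;  # only reachable through the proxy
    *)     echo unreachable ;;     # neither path returned the metadata
  esac
}

# Usage (run on the NiFi host): sh oidc-probe.sh DISCOVERY_URL PROXY_URL
if [ "$#" -eq 2 ]; then
  direct=$(probe "$1")
  proxied=$(probe "$1" "$2")
  echo "direct=$direct proxied=$proxied -> $(diagnose "$direct" "$proxied")"
fi
```

A `proxy-required` result means the host reaches the provider only through the proxy, the case NIFI-8056 tracks.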