You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/08/06 15:54:00 UTC

[jira] [Commented] (NIFI-10322) invalid_token error after OpenID connect session timeout

    [ https://issues.apache.org/jira/browse/NIFI-10322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576256#comment-17576256 ] 

David Handermann commented on NIFI-10322:
-----------------------------------------

Thanks for reporting this issue [~macdoor615], the comparison of behavior between versions is very helpful.

Based on the behavior observed, it sounds like NiFi it not removing the {{__Secure-Authorization-Bearer}} Cookie after it expires. This should be happening in the HTTP response that returns the unauthorized error shown in the screenshot attached. Can you use browser web developer tools to see whether NiFi is returning a Set-Cookie header containing the {{Secure-Authorization-Bearer}} Cookie with an expiration? In particular, it would be helpful to check the additional cookie attributes, such as the domain.

Based on the URL in the screenshot attached, it looks like NiFi is running behind a proxy server. Have you configured all of the {{nifi.web.proxy}} properties in {{nifi.properties}}? In particular, the {{nifi.web.proxy.host}} should match the hostname provided in the browser URL.

> invalid_token error after OpenID connect session timeout
> --------------------------------------------------------
>
>                 Key: NIFI-10322
>                 URL: https://issues.apache.org/jira/browse/NIFI-10322
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.17.0
>            Reporter: macdoor615
>            Priority: Major
>             Fix For: 1.18.0
>
>         Attachments: image-2022-08-05-22-48-17-835.png, image-2022-08-05-22-48-52-057.png
>
>
> I follow [https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect] to config NIFI 1.16.3 and it is work properly. If the session times out, login again and it will work again
> I configured 1.17.0 in the same way. I can login and operate nifi UI. But when session times out. I got the following error.
>  
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Expired JWT", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>  
> !image-2022-08-05-22-48-17-835.png|width=758,height=108!
> I try to login again and get a new error, and I cannot enter the NIFI interface.
>  
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>  
> !image-2022-08-05-22-48-52-057.png|width=594,height=143!
> I did some research, and found
> After the session times out, 
> NIFI 1.16.3 leaves 3 cookies in browser:
>  * nifi-logout-request-identifier
>  * nifi-oidc-request-identifier
>  * __Secure-Request-Token
> NIFI 1.17.0 leaves 2 cookies:
>  * *__Secure-Authorization-Bearer*
>  * __Secure-Request-Token
>  __Secure-Authorization-Bearer cookie contains a expired JWT:
> {code:java}
> eyJraWQiOiJhMDlhZDhlMy0xZDkzLTQyZTEtYjg0Ni0xMWU0ODRkODYwYWYiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5NjExOTc0LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5NjEyMjc0LCJpYXQiOjE2NTk2MTE5NzQsImp0aSI6IjFiZTg5MjU4LTliZmYtNDhmOS04OGNmLWU0NDIzMDZjYzg4ZCJ9.Y9yE0hNH_q-W94_cFWOWGc7TPMP2xB9coaSRPT9twYqSyjTtudOiiXGxHEDUWsOvUFf7lT7wNH4RZ_LhOM-5WfTZ3o-DCVFnl0JjeZ-L9d-z3rO4dEspRxXpr46AewEGy_lpstSUFyihr4i8b2VI7IT0aFOCGAIXRWl7gfH75e5La_0tbsu9lgSRdyYBBv8rSjojJC5bBSqxj-BkrfjdMhyMuF9OdMCJNmyh18BrXbavwftNerytkd_Qf9eNLmzsZ3SOdKWpftKt4kClD_KeL0nOglhM-ENyb4QLwxr7l5lhUgQ-2am3x5okbRyYip_WV4YQ6DfmUnLL1FYFATWXa5CUimSRbSZzkqU2JEYerpvKsTf-prdsSNryPbrQdf5HqpwhlGbFrgm4jwtncZHTLEL4ZMciVe0H-zIcQ9vyDqamMpf6fyNWmQN8DdDP9A0Zpo7SL7yhOUjNGsjk1gV4OAHWgp4XQzj4KwoGf7ICjeOrzinECHFZw9Ccyi8KMooRx4u3oAuKPEx3mrZFNFDaiAzWX0kZ31c24-15cno2bLBMGOIx7ipjb6Pv7V6O9S2aA2vC3eVLnfAgHAox3I8_IzWLUKddHCqd6cfA1XW8ckSgg2QddKvgYHiCZpwVV4AMDpK4bI1J0ZbxbgOOke9IMMudNhZUFQdWJIXh-gx1bII{code}
>  I manually delete __Secure-Authorization-Bearer cookie, and I can login NIFI 1.17.0 again.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)