Posted to issues@nifi.apache.org by "macdoor615 (Jira)" <ji...@apache.org> on 2022/08/09 09:26:00 UTC

[jira] [Created] (NIFI-10332) Add ID_TOKEN_LOGOUT support for general OpenID connect server, like Keycloak

macdoor615 created NIFI-10332:
---------------------------------

             Summary: Add ID_TOKEN_LOGOUT support for general OpenID connect server, like Keycloak
                 Key: NIFI-10332
                 URL: https://issues.apache.org/jira/browse/NIFI-10332
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core UI
    Affects Versions: 1.17.0
         Environment: NiFi 1.17.0, Keycloak 18.0.1
            Reporter: macdoor615
             Fix For: 1.18.0
         Attachments: image-2022-08-09-16-56-25-791.png

I deployed NiFi 1.170 and authenticate with OpenID Connect. The authentication server is Keycloak 18.0.1.

I can log in and use the UI properly.

But when I log out, I get an error and cannot be redirected to the NiFi UI or the Keycloak login UI.

!image-2022-08-09-16-56-25-791.png|width=782,height=347!

[https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F36.138.166.203%3A18089%2Fhb3-dmz-repos-000-nifi%2Fnifi-api%2F..%2Fnifi%2Flogout-complete]

I did some investigation into the source code. I found that NiFi only supports ID_TOKEN_LOGOUT for the Okta service; Keycloak and other authentication servers cannot be supported.

Keycloak says it is compliant with the OpenID Connect spec.

I modified a few lines of source code to let it support ID_TOKEN_LOGOUT for Keycloak. Now I can log out of NiFi, get redirected to the Keycloak login UI, and then log in to NiFi again.

I suggest making NiFi support ID_TOKEN_LOGOUT for general OpenID Connect servers in a later version.

I modified the file [https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OIDCAccessResource.java]

starting from line 403:
{code:java}
    // Modified version: the logout method is still chosen by matching the
    // discovery URL, but any provider that does not match the revocation
    // pattern now falls through to ID_TOKEN_LOGOUT instead of only Okta.
    private String determineLogoutMethod(String oidcDiscoveryUrl) {
        Matcher accessTokenMatcher = REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
        // No longer consulted: the ID token pattern only matched Okta URLs.
        Matcher idTokenMatcher = ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
 
        if (accessTokenMatcher.find()) {
            return REVOKE_ACCESS_TOKEN_LOGOUT;
        } else {
            // Default for Keycloak and any other OpenID Connect server
            return ID_TOKEN_LOGOUT;
        }
    }
 
{code}
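The snippet above still decides the logout method by pattern-matching the provider's URL. The following added illustration (Python, not NiFi's or the reporter's code) selects the method from the provider's discovery metadata instead, so any server that advertises an `end_session_endpoint` gets RP-initiated ID token logout; the discovery documents, hostnames and token values are constructed.

```python
import json
from urllib.parse import urlencode

ID_TOKEN_LOGOUT = "ID_TOKEN_LOGOUT"
REVOKE_ACCESS_TOKEN_LOGOUT = "REVOKE_ACCESS_TOKEN_LOGOUT"
STANDARD_LOGOUT = "STANDARD_LOGOUT"

# Constructed discovery documents; the hostnames are placeholders, not real servers.
# OIDC RP-Initiated Logout is advertised through "end_session_endpoint".
KEYCLOAK_LIKE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/realms/demo",
    "end_session_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/logout",
    "revocation_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/revoke",
})
REVOCATION_ONLY_DISCOVERY = json.dumps({
    "issuer": "https://idp2.example.com",
    "revocation_endpoint": "https://idp2.example.com/oauth2/revoke",
})


def determine_logout_method(discovery_json: str) -> str:
    """Pick the logout method from what the provider advertises, not from its URL.

    An end-session endpoint ends the IdP session as well as the local one, so it is
    preferred over revocation, which only invalidates the access token and leaves
    the IdP's SSO session alive.
    """
    meta = json.loads(discovery_json)
    if "end_session_endpoint" in meta:
        return ID_TOKEN_LOGOUT
    if "revocation_endpoint" in meta:
        return REVOKE_ACCESS_TOKEN_LOGOUT
    return STANDARD_LOGOUT


def build_end_session_url(discovery_json: str, id_token: str, post_logout_redirect_uri: str) -> str:
    """Build the RP-initiated logout redirect: id_token_hint plus post_logout_redirect_uri."""
    meta = json.loads(discovery_json)
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    return f"{meta['end_session_endpoint']}?{urlencode(params)}"


if __name__ == "__main__":
    print(determine_logout_method(KEYCLOAK_LIKE_DISCOVERY))   # ID_TOKEN_LOGOUT
    print(determine_logout_method(REVOCATION_ONLY_DISCOVERY))  # REVOKE_ACCESS_TOKEN_LOGOUT
    print(build_end_session_url(KEYCLOAK_LIKE_DISCOVERY, "constructed-id-token",
                                "https://rp.example.com/nifi/logout-complete"))
```

The provider must also have the exact post_logout_redirect_uri registered, so the URI handed to the end-session endpoint should be the normalised one the client registered.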
--
This message was sent by Atlassian Jira
(v8.20.10#820010)