Posted to issues@nifi.apache.org by "Nathan Gough (Jira)" <ji...@apache.org> on 2022/12/01 19:45:00 UTC

[jira] [Comment Edited] (NIFI-10177) Nifi Registry logout via OIDC

    [ https://issues.apache.org/jira/browse/NIFI-10177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642137#comment-17642137 ] 

Nathan Gough edited comment on NIFI-10177 at 12/1/22 7:44 PM:
--------------------------------------------------------------

PR #6637 added/corrected the logout functionality for OIDC in NiFi registry for public OIDC providers. I've created a subsequent Jira NIFI-10924 to fix the original stated issue of private providers (like Keycloak as reported above).


was (Author: thenatog):
PR #6637 added/corrected the logout functionality for OIDC in NiFi registry for public OIDC providers. I've created a subsequent PR to fix the original stated issue of private providers (like Keycloak as reported above).

> Nifi Registry logout via OIDC
> -----------------------------
>
>                 Key: NIFI-10177
>                 URL: https://issues.apache.org/jira/browse/NIFI-10177
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.16.3
>            Reporter: kim myungwon
>            Assignee: Emilio Setiadarma
>            Priority: Major
>             Fix For: 1.20.0, 1.19.1
>
>         Attachments: image-2022-06-29-12-41-52-164.png, image-2022-06-29-12-42-48-430.png, image-2022-06-29-12-43-25-441.png, image-2022-06-29-12-43-48-726.png
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> I am trying to log in and log out via OIDC.
> Login via OIDC works well, but *logout via OIDC is not working.*
>
> When I log out, NiFi Registry shows a "Please contact your System Administrator." error message.
> !image-2022-06-29-12-41-52-164.png|width=1134,height=213!
>  
> nifi-registry-app.log (debug level)
> {code:java}
> 022-06-29 13:32:35,691 DEBUG [NiFi Registry Web Server-15] o.a.nifi.registry.db.DatabaseKeyService Deleting key with identity='myungwon'.
> 2022-06-29 13:32:35,697 INFO [NiFi Registry Web Server-15] o.a.n.r.w.s.a.jwt.JwtService Deleted token from database.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
> 2022-06-29 13:32:35,799 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
> 2022-06-29 13:32:35,799 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper
> java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry
>         at org.apache.nifi.registry.web.api.AccessResource.createAccessTokenUsingKerberosTicket(AccessResource.java:348)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
>         at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
> 2022-06-29 13:32:35,866 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
> 2022-06-29 13:32:35,869 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.. Returning Bad Request response.
> 2022-06-29 13:32:35,870 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.
>         at org.apache.nifi.registry.web.api.AccessResource.oidcExchange(AccessResource.java:674)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
>         at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
>         at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
>         at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
>         at org.glassfish.jersey{code}
>  
> When I checked Keycloak, the login event is good.
> !image-2022-06-29-12-42-48-430.png|width=448,height=302!
> The Keycloak client is configured.
> !image-2022-06-29-12-43-25-441.png!
> !image-2022-06-29-12-43-48-726.png!
>  
> NiFi Registry is configured with OIDC authentication.
> *nifi-registry.properties*
> #OIDC #
> nifi.registry.security.user.oidc.discovery.url=http://wonpc01:31234/auth/realms/won/.well-known/openid-configuration
> nifi.registry.security.user.oidc.connect.timeout=5 secs
> nifi.registry.security.user.oidc.read.timeout=5 secs
> nifi.registry.security.user.oidc.client.id=registry
> nifi.registry.security.user.oidc.client.secret=VDumhSZFbtIKAJ0wYoF81GrIqCtdlhk0
> nifi.registry.security.user.oidc.preferred.jwsalgorithm=
> nifi.registry.security.user.oidc.claim.identifying.user=preferred_username
>  
> NiFi and other services' logout does not have this bug when I am using this Keycloak.
> Thank you.


