Posted to issues@nifi.apache.org by "Nathan Gough (Jira)" <ji...@apache.org> on 2022/10/26 22:31:00 UTC

[jira] [Commented] (NIFI-10332) Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak

    [ https://issues.apache.org/jira/browse/NIFI-10332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624778#comment-17624778 ] 

Nathan Gough commented on NIFI-10332:
-------------------------------------

Looking at this, it seems that a total refactor of the OIDC code would be a great step forward for both the login and logout code and make things simpler. I believe we are planning to migrate to using Spring to handle OIDC Auth eventually. 

Having said that, to fix this right now we could potentially check that the discovery document contains either a revocation_endpoint and/or an end_session_endpoint, and make decisions based on that. Currently the OIDC code is checking for the Google domain to determine whether we need to make an outgoing request for an access token and then use that access token to revoke access. It looks like technically we should retrieve an id_token and access_token all up front (Google provides both), instead of requesting it only on logout, however in the case of Google the access token only has a 1 hour lifetime. The combinations of tokens that can be retrieved are also varied: [https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660].

Is there a well defined way to determine logout method that I am missing? I'm not sure what auth flow Google is using that requires an access token to be used to revoke access instead of using the ID token.

> Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak
> ----------------------------------------------------------------------------
>
>                 Key: NIFI-10332
>                 URL: https://issues.apache.org/jira/browse/NIFI-10332
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI
>    Affects Versions: 1.17.0
>         Environment: NiFi 1.17.0, Keycloak 18.0.1
>            Reporter: macdoor615
>            Assignee: Nathan Gough
>            Priority: Major
>         Attachments: image-2022-08-09-16-56-25-791.png
>
>
> I deployed NiFi 1.17.0 and authenticate with OpenID Connect. The authentication server is Keycloak 18.0.1.
> I can log in and use the UI properly.
> But when I log out, I get an error and cannot be redirected to the NiFi UI or the Keycloak login UI.
> !image-2022-08-09-16-56-25-791.png|width=782,height=347!
> [https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F36.138.166.203%3A18089%2Fhb3-dmz-repos-000-nifi%2Fnifi-api%2F..%2Fnifi%2Flogout-complete]
> I made some investigation into the source code. I found that NiFi only supports ID_TOKEN_LOGOUT for the Okta service. Keycloak and other authentication servers are not supported.
> Keycloak says it is compliant with the OpenID Connect spec.
> I modified a few lines of source code to let it support ID_TOKEN_LOGOUT for Keycloak. Now I can log out of NiFi, get redirected to the Keycloak login UI, and then log in to NiFi again.
> I suggest making NiFi support ID_TOKEN_LOGOUT for general OpenID Connect servers in a later version.
> I modified the file, [https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OIDCAccessResource.java]
> starting from line 403
> {code:java}
>     // Modified version: any provider whose discovery URL does not match the
>     // access-token-revocation pattern now falls through to ID_TOKEN_LOGOUT.
>     private String determineLogoutMethod(String oidcDiscoveryUrl) {
>         Matcher accessTokenMatcher = REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>         // No longer consulted: ID_TOKEN_LOGOUT is the default branch below.
>         Matcher idTokenMatcher = ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>  
>         if (accessTokenMatcher.find()) {
>             return REVOKE_ACCESS_TOKEN_LOGOUT;
>         } else {
>             return ID_TOKEN_LOGOUT;
>         }
>     }
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
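The alternative Nathan Gough sketches in his comment, choosing the logout method from the endpoints the provider's discovery document advertises instead of matching the issuer's hostname, written out as an added example. This is Python standing in for the Java logic and is not NiFi code; the three discovery documents are constructed (they are not fetched from Keycloak, Google or any other provider), the STANDARD_LOGOUT fallback for providers that advertise neither endpoint is an assumption, and the precedence (RP-initiated logout first, RFC 7009 revocation second) is one reasonable choice, not the project's decision.

```python
"""Pick an OIDC logout method from the provider discovery document.

Added example, not code from Apache NiFi. It reads the advertised
endpoints (end_session_endpoint, revocation_endpoint) rather than
inspecting the discovery URL's hostname.
"""
import json
from urllib.parse import urlencode

# The first two names mirror the constants in the quoted NiFi snippet;
# STANDARD_LOGOUT (local session only) is an assumption for providers
# that advertise neither endpoint.
ID_TOKEN_LOGOUT = "ID_TOKEN_LOGOUT"                        # OIDC RP-Initiated Logout
REVOKE_ACCESS_TOKEN_LOGOUT = "REVOKE_ACCESS_TOKEN_LOGOUT"  # RFC 7009 token revocation
STANDARD_LOGOUT = "STANDARD_LOGOUT"                        # clear the local session only


def determine_logout_method(discovery_json: str) -> str:
    """Prefer RP-initiated logout when the OP advertises it, fall back to
    access-token revocation, otherwise only the local session is ended."""
    doc = json.loads(discovery_json)
    if doc.get("end_session_endpoint"):
        return ID_TOKEN_LOGOUT
    if doc.get("revocation_endpoint"):
        return REVOKE_ACCESS_TOKEN_LOGOUT
    return STANDARD_LOGOUT


def build_logout_request(discovery_json: str, id_token: str, access_token: str,
                         post_logout_redirect_uri: str, state: str) -> dict:
    """Describe the outgoing request the chosen method implies, as data.
    Nothing is sent; a caller would issue it with its own HTTP client."""
    doc = json.loads(discovery_json)
    method = determine_logout_method(discovery_json)
    if method == ID_TOKEN_LOGOUT:
        # Browser redirect to the OP. id_token_hint identifies the session
        # being ended; post_logout_redirect_uri must be registered at the OP.
        query = urlencode({
            "id_token_hint": id_token,
            "post_logout_redirect_uri": post_logout_redirect_uri,
            "state": state,
        })
        return {"method": method, "http_method": "GET",
                "url": f"{doc['end_session_endpoint']}?{query}"}
    if method == REVOKE_ACCESS_TOKEN_LOGOUT:
        # Back-channel POST (RFC 7009). Requires the access token in hand,
        # so it has to have been obtained and kept by the time of logout.
        return {"method": method, "http_method": "POST",
                "url": doc["revocation_endpoint"],
                "form": {"token": access_token, "token_type_hint": "access_token"}}
    return {"method": method, "http_method": None, "url": None}


# Constructed sample discovery documents (assumptions, trimmed to the
# fields this example reads). Hostnames are placeholders.
KEYCLOAK_LIKE = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "end_session_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
    "revocation_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/revoke",
})
GOOGLE_LIKE = json.dumps({
    "issuer": "https://accounts.example.test",
    "revocation_endpoint": "https://oauth2.example.test/revoke",
})
MINIMAL = json.dumps({
    "issuer": "https://minimal.example.test",
    "authorization_endpoint": "https://minimal.example.test/authorize",
    "token_endpoint": "https://minimal.example.test/token",
})

if __name__ == "__main__":
    for name, doc in (("keycloak-like", KEYCLOAK_LIKE),
                      ("google-like", GOOGLE_LIKE),
                      ("minimal", MINIMAL)):
        req = build_logout_request(doc, "hdr.body.sig", "at-1",
                                   "https://nifi.example.test/nifi/logout-complete", "xyz")
        print(name, req["method"], req["http_method"], req["url"])
```

When a document advertises both endpoints, as the Keycloak-like sample does, the redirect-based end_session flow wins because it also ends the browser session at the OP, whereas revocation only invalidates one token. Whichever method is chosen, the tokens it needs must already be held from login: the revocation path cannot run if the access token was never requested or has already expired.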