You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/12/14 14:16:52 UTC
[GitHub] [nifi] Eetami opened a new pull request, #6782: NIFI-10456: Use Basic authentication in nifi-oauth2-provider-services
Eetami opened a new pull request, #6782:
URL: https://github.com/apache/nifi/pull/6782
Both the OAuth2TokenProviderImpl and StandardOauth2AccessTokenProvider
have been updated to send client credentials (client id and secret) as
HTTP Basic authentication, such as
```
Authorization: Basic Zm9vOmJhcgo=
```
According to RFC 6749 (The OAuth2.0 Authorization Framework)...
> The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
And...
> [..] the authorization server MAY support including the
client credentials in the request-body [..]
But...
> Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme [..]
<!-- Licensed to the Apache Software Foundation (ASF) under one or more -->
<!-- contributor license agreements. See the NOTICE file distributed with -->
<!-- this work for additional information regarding copyright ownership. -->
<!-- The ASF licenses this file to You under the Apache License, Version 2.0 -->
<!-- (the "License"); you may not use this file except in compliance with -->
<!-- the License. You may obtain a copy of the License at -->
<!-- http://www.apache.org/licenses/LICENSE-2.0 -->
<!-- Unless required by applicable law or agreed to in writing, software -->
<!-- distributed under the License is distributed on an "AS IS" BASIS, -->
<!-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -->
<!-- See the License for the specific language governing permissions and -->
<!-- limitations under the License. -->
# Summary
[NIFI-10456](https://issues.apache.org/jira/browse/NIFI-10456)
# Tracking
Please complete the following tracking steps prior to pull request creation.
### Issue Tracking
- [x] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
### Pull Request Tracking
- [x] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
- [x] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`
### Pull Request Formatting
- [x] Pull Request based on current revision of the `main` branch
- [x] Pull Request refers to a feature branch with one commit containing changes
# Verification
Updated unit tests for StandardOauth2AccessTokenProvider
### Build
Some hiccups in rat check for nifi-grpc-bundle (note that it is unmodified in this change). Some protobuf dependency had an unrecognized Google license. Apart from that everything went well.
- [x] Build completed using `mvn clean install -P contrib-check`
- [ ] JDK 8
- [ ] JDK 11
- [x] JDK 17
### Licensing
No new dependencies
- [x] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
- [x] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
### Documentation
No documentation changes, other than updates to javadoc for StandardOauth2AccessTokenProvider
- [x] Documentation formatting appears as expected in rendered files
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a diff in pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on code in PR #6782:
URL: https://github.com/apache/nifi/pull/6782#discussion_r1059226097
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -236,6 +252,19 @@ protected Collection<ValidationResult> customValidate(ValidationContext validati
.build());
}
+ String clientAuthenticationStrategy = validationContext.getProperty(CLIENT_AUTHENTICATION_STRATEGY).getValue();
+ try {
+ ClientAuthenticationStrategy.valueOf(clientAuthenticationStrategy);
+ } catch (IllegalArgumentException ex) {
+ validationResults.add(new ValidationResult.Builder().subject(CLIENT_AUTHENTICATION_STRATEGY.getDisplayName())
+ .valid(false)
+ .explanation(String.format("Unrecognized %s value '%s'",
+ CLIENT_AUTHENTICATION_STRATEGY.getDisplayName(),
+ clientAuthenticationStrategy)
+ )
+ .build());
+ }
Review Comment:
This custom validation is not necessary because the allowable values will prevent unsupported values from being configured.
```suggestion
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] Eetami commented on a diff in pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
Eetami commented on code in PR #6782:
URL: https://github.com/apache/nifi/pull/6782#discussion_r1052963088
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
+ );
+
+ public static AllowableValue REQUEST_BODY = new AllowableValue(
+ "request_body",
+ "Request Body",
+ "Send client authentication in request body. Note: users should prefer Basic Authentication unless authorization server does not support it."
Review Comment:
Implemented suggested improvements.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a diff in pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on code in PR #6782:
URL: https://github.com/apache/nifi/pull/6782#discussion_r1051431949
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -181,6 +205,7 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
private volatile String authorizationServerUrl;
private volatile OkHttpClient httpClient;
+ private volatile String clientAuthenticationStrategy;
Review Comment:
Changing the `AllowableValue` to a specific `enum` named `ClientAuthenticationStrategy` will allow this property to be more strongly typed.
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
+ );
+
+ public static AllowableValue REQUEST_BODY = new AllowableValue(
+ "request_body",
+ "Request Body",
+ "Send client authentication in request body. Note: users should prefer Basic Authentication unless authorization server does not support it."
+ );
Review Comment:
Although this works, recommend creating an `enum` that implements the `DescribedValue` interface. See other examples such as `ContentEncodingStrategy` and `AuthorizationScheme` in other modules. The `getValue()` method should return `name()`, and allows for better value comparison in other methods.
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
+ );
+
+ public static AllowableValue REQUEST_BODY = new AllowableValue(
+ "request_body",
+ "Request Body",
+ "Send client authentication in request body. Note: users should prefer Basic Authentication unless authorization server does not support it."
+ );
+
+ public static final PropertyDescriptor CLIENT_AUTHENTICATION_STRATEGY = new PropertyDescriptor.Builder()
+ .name("client-authentication-strategy")
+ .displayName("Client Authentication Strategy")
+ .description("Authentication strategy to use for client authentication.")
Review Comment:
I agree with the suggested improvement, it is clearer/
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
Review Comment:
```suggestion
"Send client authentication using HTTP Basic authentication"
```
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -298,11 +324,15 @@ private void acquireAccessDetails() {
}
RequestBody acquireTokenRequestBody = acquireTokenBuilder.build();
-
- Request acquireTokenRequest = new Request.Builder()
+ Request.Builder acquireTokenRequestBuilder = new Request.Builder()
.url(authorizationServerUrl)
- .post(acquireTokenRequestBody)
- .build();
+ .post(acquireTokenRequestBody);
+
+ if (clientAuthenticationStrategy.equals(BASIC_AUTHENTICATION.getValue()) && clientId != null) {
+ acquireTokenRequestBuilder.addHeader("Authorization", Credentials.basic(clientId, clientSecret));
Review Comment:
Recommend defining `private static final String AUTHORIZATION_HEADER = "Authorization"` and reusing that value here and in the `refreshAccessDetails()` method.
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
+ );
+
+ public static AllowableValue REQUEST_BODY = new AllowableValue(
+ "request_body",
+ "Request Body",
+ "Send client authentication in request body. Note: users should prefer Basic Authentication unless authorization server does not support it."
Review Comment:
Recommend referencing RFC 6749 Section 2.3.1:
```suggestion
"Send client authentication in request body. RFC 6749 Section 2.3.1 recommends Basic Authentication instead of request body."
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] MikeThomsen commented on pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
MikeThomsen commented on PR #6782:
URL: https://github.com/apache/nifi/pull/6782#issuecomment-1356225680
Ok, I see the force push @exceptionfactory. Was confused this morning because it looked very different from what I first saw.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] Eetami commented on a diff in pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
Eetami commented on code in PR #6782:
URL: https://github.com/apache/nifi/pull/6782#discussion_r1053077940
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -181,6 +205,7 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
private volatile String authorizationServerUrl;
private volatile OkHttpClient httpClient;
+ private volatile String clientAuthenticationStrategy;
Review Comment:
Done
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] Eetami commented on a diff in pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
Eetami commented on code in PR #6782:
URL: https://github.com/apache/nifi/pull/6782#discussion_r1052962915
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
+ );
+
+ public static AllowableValue REQUEST_BODY = new AllowableValue(
+ "request_body",
+ "Request Body",
+ "Send client authentication in request body. Note: users should prefer Basic Authentication unless authorization server does not support it."
+ );
+
+ public static final PropertyDescriptor CLIENT_AUTHENTICATION_STRATEGY = new PropertyDescriptor.Builder()
+ .name("client-authentication-strategy")
+ .displayName("Client Authentication Strategy")
+ .description("Authentication strategy to use for client authentication.")
Review Comment:
Updated with suggested wording.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] Eetami commented on pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
Eetami commented on PR #6782:
URL: https://github.com/apache/nifi/pull/6782#issuecomment-1354361433
I added the `Client Authentication Strategy` property to the provider, so users can now opt-in to use Basic authentication.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] Eetami commented on pull request #6782: NIFI-10456: Use Basic authentication in nifi-oauth2-provider-services
Posted by GitBox <gi...@apache.org>.
Eetami commented on PR #6782:
URL: https://github.com/apache/nifi/pull/6782#issuecomment-1352667572
> Thanks for the contribution @Eetami!
>
> Supporting Basic Authentication makes sense given the RFC documentation. However, the change needs to be implemented in a way that maintains compatibility with the current implementation.
>
> Introducing a new configuration property named something like `Authentication Strategy`, with initial options including `Request Parameters` and `Basic Authentication` would provide a way to introduce support without breaking existing implementations.
>
> One other note, `OAuth2TokenProviderImpl` is deprecated, so it does not need to be changed.
Hey, thanks for your feedback! Indeed the implementation is not _technically_ backwards compatible, BUT assuming that all auth servers support Basic authentication (as mandated by the RFC), then this should not be a breaking change. Of course if you worry that there might be some auth servers that do not support Basic authentication or they only support some other form of client authentication, then we should probably implement that using the aforementioned `Authentication Strategy` option. Though I feel like this implementation is most aligned with the RFC and should, by all accounts, be the default strategy.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] MikeThomsen commented on a diff in pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
MikeThomsen commented on code in PR #6782:
URL: https://github.com/apache/nifi/pull/6782#discussion_r1051411431
##########
nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.java:
##########
@@ -69,6 +71,27 @@ public class StandardOauth2AccessTokenProvider extends AbstractControllerService
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.build();
+ public static AllowableValue BASIC_AUTHENTICATION = new AllowableValue(
+ "basic",
+ "Basic Authentication",
+ "Send client authentication as HTTP Basic authentication"
+ );
+
+ public static AllowableValue REQUEST_BODY = new AllowableValue(
+ "request_body",
+ "Request Body",
+ "Send client authentication in request body. Note: users should prefer Basic Authentication unless authorization server does not support it."
+ );
+
+ public static final PropertyDescriptor CLIENT_AUTHENTICATION_STRATEGY = new PropertyDescriptor.Builder()
+ .name("client-authentication-strategy")
+ .displayName("Client Authentication Strategy")
+ .description("Authentication strategy to use for client authentication.")
Review Comment:
A little awkward in the wording. Should be something like `Strategy for authenticating the client against the OAuth2 token provider service`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] MikeThomsen commented on pull request #6782: NIFI-10456: Use Basic authentication in nifi-oauth2-provider-services
Posted by GitBox <gi...@apache.org>.
MikeThomsen commented on PR #6782:
URL: https://github.com/apache/nifi/pull/6782#issuecomment-1351701971
@exceptionfactory I'm -1 on proceeding on this because of the separations of concerns implicit in this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] MikeThomsen commented on pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
MikeThomsen commented on PR #6782:
URL: https://github.com/apache/nifi/pull/6782#issuecomment-1356225450
@exceptionfactory took a deeper look at the change, and it's backward compatible so I'm not -1 anymore.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory closed pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
Posted by GitBox <gi...@apache.org>.
exceptionfactory closed pull request #6782: NIFI-10456: Add client authentication strategy option to OAuth2 provider
URL: https://github.com/apache/nifi/pull/6782
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #6782: NIFI-10456: Use Basic authentication in nifi-oauth2-provider-services
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on PR #6782:
URL: https://github.com/apache/nifi/pull/6782#issuecomment-1352040750
Thanks for the feedback @MikeThomsen. Can you clarify your concerns? Based on the RFC and initial implementation, it seems like the general approach of passing the Client ID and Client Secret as Basic Auth credentials makes sense. Do you think this should be a different service implementation?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org