Posted to issues@nifi.apache.org by "Kevin Doran (JIRA)" <ji...@apache.org> on 2019/03/27 14:30:00 UTC

[jira] [Commented] (NIFI-6152) Allow OIDC authentication for nifi running behind a proxy server with SSL config

    [ https://issues.apache.org/jira/browse/NIFI-6152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16802860#comment-16802860 ] 

Kevin Doran commented on NIFI-6152:
-----------------------------------

Hi [~nikgonzalez],

Thanks for documenting your proposal. Similar requests have come up in previous discussions.

The challenge is that OIDC authentication still sends an access token in messages to the server that should be protected in transport to prevent leaking it to unauthorized parties that can see/intercept the traffic and the access tokens. TLS encrypts the HTTP messages in transit, while also verifying the identity of the NiFi host to which the OIDC access token is being sent.

I'm aware other applications do not have this restriction, and allow for SSL termination at the edge, and unencrypted HTTP between services behind the public firewall. NiFi, however, is a system that is used to connect data in many parts of users' infrastructure. It has data and credentials that must be closely protected in almost all deployments. We try to make it hard for someone to configure insecurely, even accidentally.

While it does take additional initial setup, it is possible to set up NiFi with OIDC authentication, SSL, and behind a reverse proxy. That should work for most use cases. We are always working to improve NiFi usability. Do you have a use case that you can explain to us that makes this restriction insurmountable for setting up and deploying NiFi?

One use case I'm aware of where it might make sense to allow alternative configuration is folks using a tool like Istio to secure transport between services, in which each service only binds to _localhost_ using HTTP/TCP without ssl/tls and an Istio agent running locally handles securing remote I/O and forwarding communication to the local service using port forwarding. But that does not sound like your use case, as you are proposing still allowing NiFi to bind to network interfaces other than localhost, correct?

> Allow OIDC authentication for nifi running behind a proxy server with SSL config
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-6152
>                 URL: https://issues.apache.org/jira/browse/NIFI-6152
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: nik gonzalez
>            Priority: Major
>
> org.apache.nifi.web.api.AccessResource.java first checks whether request.isSecure() before it proceeds with oidc authentication. This is a proposal to remove this restriction to allow oidc authentication when running nifi behind a reverse proxy (e.g., haproxy, nginx) configured with SSL.
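The two positions in this thread reduce to a small access decision: the issue proposes dropping the `request.isSecure()` gate in front of OIDC, and the comment explains why the gate exists (the token is a bearer credential that must not cross a plaintext hop) and names the one narrow case where a relaxation might be defensible (listener and peer both on loopback behind an Istio-style sidecar). The following Python model is an added example written for this page; it is not NiFi's code and does not call NiFi's API. `ServerConfig`, `RequestInfo`, `oidc_allowed` and the `allow_loopback_plaintext` opt-in are all hypothetical names chosen here to make the decision concrete, and the scenarios in `demo()` are constructed.

```python
"""Model of the TLS-on-this-hop gate discussed in NIFI-6152 (added example).

Rule 1 mirrors the behaviour the issue describes: an OIDC token is accepted
only when the hop that terminates at this server is TLS (request.isSecure()).
Rule 2 is the hypothetical loopback-only carve-out from the comment: plaintext
is tolerated only when the operator opted in, the listener is bound to a
loopback address, and the peer is loopback, so the token never crosses a
network interface. Nothing here is a real NiFi property or class.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ServerConfig:
    bind_address: str               # interface the HTTP listener is bound to
    allow_loopback_plaintext: bool  # hypothetical opt-in, not a NiFi property


@dataclass(frozen=True)
class RequestInfo:
    is_secure: bool   # what request.isSecure() would report: TLS on this hop
    remote_addr: str  # peer that opened the TCP connection, not a header value


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses are never loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def oidc_allowed(cfg: ServerConfig, req: RequestInfo) -> bool:
    """Decide whether an OIDC access token may be accepted on this request.

    Forwarded headers from a reverse proxy are deliberately not consulted:
    any peer that can reach the plaintext listener could set them, so they
    say nothing about whether the token travelled in the clear.
    """
    if req.is_secure:
        return True
    if not cfg.allow_loopback_plaintext:
        return False
    return _is_loopback(cfg.bind_address) and _is_loopback(req.remote_addr)


def reject_reason(cfg: ServerConfig, req: RequestInfo) -> Optional[str]:
    """Explain a refusal for an audit-log entry; None when the request is allowed."""
    if oidc_allowed(cfg, req):
        return None
    if not cfg.allow_loopback_plaintext:
        return "plaintext request; TLS required on the hop to this server"
    if not _is_loopback(cfg.bind_address):
        return f"listener bound to {cfg.bind_address}, not loopback"
    return f"plaintext peer {req.remote_addr} is not loopback"


def demo() -> Dict[str, bool]:
    """Constructed scenarios covering both sides of the thread."""
    tls = RequestInfo(is_secure=True, remote_addr="10.0.0.9")
    plain_lan = RequestInfo(is_secure=False, remote_addr="10.0.0.9")
    plain_local = RequestInfo(is_secure=False, remote_addr="127.0.0.1")
    public = ServerConfig("0.0.0.0", allow_loopback_plaintext=False)
    sidecar = ServerConfig("127.0.0.1", allow_loopback_plaintext=True)
    wide_open = ServerConfig("0.0.0.0", allow_loopback_plaintext=True)
    return {
        # TLS terminated at NiFi itself: the current supported configuration
        "tls_direct": oidc_allowed(public, tls),
        # TLS terminated at haproxy/nginx, plaintext to NiFi: what the issue asks for
        "proxy_terminated_tls": oidc_allowed(public, plain_lan),
        # Istio-style sidecar, listener and peer both on loopback
        "sidecar_loopback": oidc_allowed(sidecar, plain_local),
        # Opted in but still bound to all interfaces, as the comment cautions against
        "optin_but_bound_to_all": oidc_allowed(wide_open, plain_local),
        # Loopback listener but a non-local peer somehow reached it
        "sidecar_remote_peer": oidc_allowed(sidecar, plain_lan),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24s} {'allowed' if verdict else 'rejected'}")
```

The point of keeping `remote_addr` and `bind_address` as socket-level facts rather than header values is the one the comment makes: the decision must rest on properties the server can verify itself, not on what an upstream proxy (or anyone else on the plaintext segment) claims about the original connection.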



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)