Posted to users@nifi.apache.org by "Kumara M S, Hemantha (Nokia - IN/Bangalore)" <he...@nokia.com> on 2020/02/11 13:55:22 UTC
REST API for secured NiFi with OpenID connect for authentication
Hi All,
We have NiFi 1.9.2 configured with OIDC for authentication and are trying to access the REST API via curl, but are not able to find documentation for the same.
I tried the commands below, but it is failing with the error "Username/Password login not supported by this NiFi."
curl 'https://192.168.112.49:9443/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --data 'username=nifi&password=Nifi123!' --compressed -k
Can someone please help by pointing to docs or any other pointers?
I have gone through an old issue http://apache-nifi.1125220.n5.nabble.com/Nifi-REST-API-access-to-OpenID-connect-secured-instance-td20644.html but there was no proper answer.
Thanks & Regards,
Hemantha
RE: REST API for secured NiFi with OpenID connect for authentication
Posted by "Kumara M S, Hemantha (Nokia - IN/Bangalore)" <he...@nokia.com>.
Thanks Bryan.
I tried to get an access token from Keycloak and used the same token while accessing the nifi-api URL. I got a different error when I tried the callback: “The login request identifier was not found in the request. Unable to continue”
Command to get the access token from Keycloak
TOKEN=$(curl -f 'https://<Keycloak_host>:8443/auth/realms/ccsp-apcore/protocol/openid-connect/token' --insecure -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=<user>' -d 'password=<Password>' -d 'grant_type=password' -d 'client_id=nifi' -d 'client_secret=<secret>')
Initiated request
# curl -k -i -X GET -H "Authorization: Bearer $TOKEN" https://192.168.112.49:9443/nifi-api/access/oidc/request
HTTP/1.1 302 Found
Date: Tue, 11 Feb 2020 15:04:02 GMT
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31540000
Set-Cookie: oidc-request-identifier=af8a2da4-c6ea-4c6e-9003-1ad96f861162;Path=/;Expires=Tue, 11-Feb-2020 15:05:02 GMT;Max-Age=60;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://<ip>/auth/realms/ccsp-apcore/protocol/openid-connect/auth?client_id=nifi&response_type=code&scope=openid+email&state=bfaffl09j0m5l3vb373q1vqhmp&redirect_uri=https%3A%2F%2F192.168.112.49%3A9443%2Fnifi-api%2Faccess%2Foidc%2Fcallback
Content-Length: 0
Server: Jetty(9.4.11.v20180605)
Here is the command I tried for the callback
# curl -k -i -X GET -H "Authorization: Bearer $TOKEN" https://192.168.112.49:9443/nifi-api/access/oidc/callback
HTTP/1.1 200 OK
Date: Tue, 11 Feb 2020 15:09:33 GMT
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31540000
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding, User-Agent
Content-Length: 1974
Server: Jetty(9.4.11.v20180605)
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Unable to continue login sequence</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/images/nifi16.ico"/>
<link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
<link rel="stylesheet" href="/nifi/css/common-ui.css" type="text/css" />
<link rel="stylesheet" href="/nifi/fonts/flowfont/flowfont.css" type="text/css" />
<link rel="stylesheet" href="/nifi/assets/font-awesome/css/font-awesome.min.css" type="text/css" />
<link rel="stylesheet" href="/nifi/css/message-pane.css" type="text/css" />
<link rel="stylesheet" href="/nifi/css/message-page.css" type="text/css" />
<script type="text/javascript" src="/nifi/assets/jquery/dist/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function () {
$('#user-home').on('mouseenter', function () {
$(this).addClass('link-over');
}).on('mouseleave', function () {
$(this).removeClass('link-over');
}).on('click', function () {
window.location = '/nifi';
});
});
</script>
</head>
<body class="message-pane">
<div class="message-pane-message-box">
<div class="message-pane-title">Unable to continue login sequence</div>
<div id="user-links-container" style="margin-left: 20px; float: left;">
<ul class="links">
<li>
<span id="user-home" class="link">home</span>
</li>
</ul>
</div>
<div class="message-pane-content">The login request identifier was not found in the request. Unable to continue.</div>
</div>
</body>
</html>
Regards,
Hemantha
-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, February 11, 2020 7:39 PM
To: users@nifi.apache.org
Subject: Re: REST API for secured NiFi with OpenID connect for authentication
Hello,
The end-point access/token is for any login identity providers defined in login-identity-providers.xml.
OIDC works differently because it requires a redirect to an external identity provider so the end-points are different:
access/oidc/request
access/oidc/exchange
access/oidc/callback
I'm not sure how to utilize these from curl since it requires being sent to the external identity provider's login page in your browser, and then once they have authenticated you, they redirect back to NiFi.
Thanks,
Bryan
Re: REST API for secured NiFi with OpenID connect for authentication
Posted by Bryan Bende <bb...@gmail.com>.
Hello,
The end-point access/token is for any login identity providers defined
in login-identity-providers.xml.
OIDC works differently because it requires a redirect to an external
identity provider so the end-points are different:
access/oidc/request
access/oidc/exchange
access/oidc/callback
I'm not sure how to utilize these from curl since it requires being
sent to the external identity provider's login page in your browser,
and then once they have authenticated you, they redirect back to NiFi.
Thanks,
Bryan
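The 302 from access/oidc/request in the thread sets a 60-second oidc-request-identifier cookie and puts a state value in the redirect, and the callback error says that identifier was not found in the request. The script below is an added example, not from the thread or from NiFi: it parses those response headers (constructed sample copied from the message above) and reports what a callback request lacks. The function names are hypothetical, and the requirement for code and state query parameters is assumed from the standard OIDC authorization code flow.

```shell
#!/bin/sh
# Constructed sample: headers of the 302 returned by access/oidc/request in the thread.
REQUEST_HEADERS='HTTP/1.1 302 Found
Set-Cookie: oidc-request-identifier=af8a2da4-c6ea-4c6e-9003-1ad96f861162;Path=/;Expires=Tue, 11-Feb-2020 15:05:02 GMT;Max-Age=60;Secure;HttpOnly
Location: https://<ip>/auth/realms/ccsp-apcore/protocol/openid-connect/auth?client_id=nifi&response_type=code&scope=openid+email&state=bfaffl09j0m5l3vb373q1vqhmp&redirect_uri=https%3A%2F%2F192.168.112.49%3A9443%2Fnifi-api%2Faccess%2Foidc%2Fcallback'

# Value of the oidc-request-identifier cookie set by access/oidc/request.
request_cookie() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/^[Ss]et-[Cc]ookie: *oidc-request-identifier=\([^;]*\).*/\1/p' | head -n 1
}

# Lifetime of that cookie in seconds (its Max-Age attribute).
request_cookie_max_age() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n '/oidc-request-identifier=/s/.*[Mm]ax-[Aa]ge=\([0-9]*\).*/\1/p' | head -n 1
}

# The Location header, i.e. the identity provider URL the browser is sent to.
location_header() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# Value of one query parameter in a URL (no percent-decoding). $1=url $2=name
query_param() {
  printf '%s\n' "$1" | sed -n "s/.*[?&]$2=\([^&#]*\).*/\1/p" | head -n 1
}

# Report what a callback request lacks.
# $1 = headers from access/oidc/request, $2 = callback URL, $3 = Cookie header value sent
callback_preflight() {
  want_id=$(request_cookie "$1")
  want_state=$(query_param "$(location_header "$1")" state)
  missing=""
  case ";$(printf '%s' "$3" | tr -d ' ');" in
    *";oidc-request-identifier=$want_id;"*) ;;
    *) missing="$missing cookie" ;;
  esac
  # Assumption: standard authorization code flow, so the IdP redirect carries code and state.
  [ -n "$(query_param "$2" code)" ] || missing="$missing code"
  [ "$(query_param "$2" state)" = "$want_state" ] || missing="$missing state"
  if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# The callback request from the thread: Bearer header only, no cookie, no query string.
callback_preflight "$REQUEST_HEADERS" \
  'https://192.168.112.49:9443/nifi-api/access/oidc/callback' ''
```

In the thread the callback was also sent at 15:09:33, more than five minutes after the 302 at 15:04:02, so the 60-second cookie had already expired even if a cookie jar had been used.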