Posted to issues@nifi.apache.org by "macdoor615 (Jira)" <ji...@apache.org> on 2022/08/09 09:28:00 UTC
[jira] [Updated] (NIFI-10332) Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak
[ https://issues.apache.org/jira/browse/NIFI-10332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
macdoor615 updated NIFI-10332:
------------------------------
Summary: Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak (was: Add ID_TOKEN_LOGOUT support for general OpenID connect server, like Keycloak)
> Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak
> ----------------------------------------------------------------------------
>
> Key: NIFI-10332
> URL: https://issues.apache.org/jira/browse/NIFI-10332
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core UI
> Affects Versions: 1.17.0
> Environment: NiFi 1.17.0, Keycloak 18.0.1
> Reporter: macdoor615
> Priority: Major
> Fix For: 1.18.0
>
> Attachments: image-2022-08-09-16-56-25-791.png
>
>
> I deployed NiFi 1.17.0 and authenticate with OpenID Connect. The authentication server is Keycloak 18.0.1.
> I can log in and I can use the UI properly.
> But when I log out, I get an error and cannot be redirected to the NiFi UI or the Keycloak login UI.
> !image-2022-08-09-16-56-25-791.png|width=782,height=347!
> [https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F36.138.166.203%3A18089%2Fhb3-dmz-repos-000-nifi%2Fnifi-api%2F..%2Fnifi%2Flogout-complete]
> I did some investigation into the source code. I found that NiFi only supports ID_TOKEN_LOGOUT for the Okta service. Keycloak and other authentication servers are not supported.
> Keycloak says it is compliant with the OpenID Connect spec.
> I modified a few lines of source code to let it support ID_TOKEN_LOGOUT for Keycloak. Now I can log out of NiFi, get redirected to the Keycloak login UI, and then log in to NiFi again.
> I suggest making NiFi support ID_TOKEN_LOGOUT for general OpenID Connect servers in a later version.
> I modified the file [https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OIDCAccessResource.java],
> starting from line 403:
> {code:java}
> private String determineLogoutMethod(String oidcDiscoveryUrl) {
>     Matcher accessTokenMatcher = REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>     // Still created, but no longer consulted by the branch below.
>     Matcher idTokenMatcher = ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>
>     if (accessTokenMatcher.find()) {
>         return REVOKE_ACCESS_TOKEN_LOGOUT;
>     } else {
>         // Any discovery URL that does not match the revocation pattern
>         // now uses ID token logout.
>         return ID_TOKEN_LOGOUT;
>     }
> }
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
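
The logout URL quoted in the report carries only post_logout_redirect_uri, and its value still contains a "nifi-api/.." path segment. The following added example (not NiFi's code and not part of the original message) sketches how an ID token logout request can be assembled with the id_token_hint and post_logout_redirect_uri parameters named in the OpenID Connect RP-Initiated Logout specification; the class name, host names and token value are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical helper, not a class from the NiFi code base.
public class IdTokenLogoutExample {

    // Builds the RP-initiated logout request for a generic OpenID Connect provider.
    static URI buildLogoutUri(URI endSessionEndpoint, String idToken, URI postLogoutRedirect) {
        if (!"https".equalsIgnoreCase(endSessionEndpoint.getScheme())) {
            throw new IllegalArgumentException("end_session_endpoint must use https");
        }
        if (idToken == null || idToken.isBlank()) {
            throw new IllegalArgumentException("an ID token is needed for id_token_hint");
        }
        // Collapse "nifi-api/../nifi" into "nifi" so the value sent is the same
        // string an administrator would register at the provider.
        URI redirect = postLogoutRedirect.normalize();
        if (!redirect.isAbsolute() || redirect.getFragment() != null) {
            throw new IllegalArgumentException("redirect must be absolute and have no fragment");
        }
        // Respect a query string the endpoint may already carry.
        String separator = endSessionEndpoint.getRawQuery() == null ? "?" : "&";
        String query = "id_token_hint=" + encode(idToken)
                + "&post_logout_redirect_uri=" + encode(redirect.toString());
        return URI.create(endSessionEndpoint + separator + query);
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values; replace with the provider's discovered
        // end_session_endpoint and the ID token stored for the user's session.
        URI endpoint = URI.create("https://idp.example.com/realms/demo/protocol/openid-connect/logout");
        URI redirect = URI.create("https://nifi.example.com/nifi-api/../nifi/logout-complete");
        String idToken = "header.payload.signature"; // placeholder, not a real JWT

        System.out.println(buildLogoutUri(endpoint, idToken, redirect));
    }
}
```

Because the ID token travels in the query string, it will appear in access logs and browser history on both sides, so log retention for the logout endpoint deserves the same care as for other token-bearing requests.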