You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Ryan (Jira)" <ji...@apache.org> on 2023/03/15 13:05:00 UTC

[jira] [Updated] (NIFI-11252) OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry

     [ https://issues.apache.org/jira/browse/NIFI-11252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan updated NIFI-11252:
------------------------
    Fix Version/s: 1.21.0
           Status: Patch Available  (was: Open)

> OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry
> ---------------------------------------------------------------------------------------------
>
>                 Key: NIFI-11252
>                 URL: https://issues.apache.org/jira/browse/NIFI-11252
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.20.0
>            Reporter: Ryan
>            Priority: Major
>             Fix For: 1.21.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Since upgrading to 1.20.0 from 1.16.2 I have been getting the following error: {{Unable to exchange authorization for ID token: An error occurred while invoking the Token endpoint: Invalid client secret}} 
> In version 1.20.0 {{nifi.registry.security.user.oidc.client.secret}} has been added to the default [list of properties|https://github.com/apache/nifi/blob/main/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/util/NiFiRegistryPropertiesEncryptor.groovy#L44] that are encrypted by the Nifi Toolkit's property encryption tool, however, it has not been added to the [ProtectedNiFiRegistryProperties|https://github.com/apache/nifi/blob/main/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/ProtectedNiFiRegistryProperties.java#L54] file which is used to read and decrypt these properties.
> This results in the encrypted string being passed to the OIDC provider resulting in the error above.
> I have gotten around this issue for the time being by setting the following property.
> {code:java}
> nifi.registry.sensitive.props.additional.keys=nifi.registry.security.user.oidc.client.secret {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)