Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/12/01 18:18:00 UTC

[jira] [Commented] (NIFI-10177) Nifi Registry logout via OIDC

    [ https://issues.apache.org/jira/browse/NIFI-10177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642095#comment-17642095 ] 

ASF subversion and git services commented on NIFI-10177:
--------------------------------------------------------

Commit fba7b4dd265f5ad4d2d4b63b8e4358f5dceef5e9 in nifi's branch refs/heads/support/nifi-1.19 from Emilio Setiadarma
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=fba7b4dd26 ]

NIFI-10177: Implemented ID token logout and revoke access token logout for NiFi Registry when using OIDC/OAuth 2.0 providers
NIFI-10177: Addressed latest PR reviews. Reworded comments in the logout endpoint, use nifi registry properties to configure HTTP client timeouts for OIDC logout request, used NiFiUserUtils.getNiFiUserIdentity to retrieve identity used to delete the key

Signed-off-by: Nathan Gough <th...@gmail.com>

This closes #6637.


> Nifi Registry logout via OIDC
> -----------------------------
>
>                 Key: NIFI-10177
>                 URL: https://issues.apache.org/jira/browse/NIFI-10177
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Registry
>    Affects Versions: 1.16.3
>            Reporter: kim myungwon
>            Assignee: Emilio Setiadarma
>            Priority: Major
>             Fix For: 1.20.0, 1.19.1
>
>         Attachments: image-2022-06-29-12-41-52-164.png, image-2022-06-29-12-42-48-430.png, image-2022-06-29-12-43-25-441.png, image-2022-06-29-12-43-48-726.png
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> I am trying to log in and log out via OIDC.
> Login via OIDC works well, but *logout via OIDC is not working.*
>  
> When I log out, NiFi Registry shows a "Please contact your System Administrator." error message.
> !image-2022-06-29-12-41-52-164.png|width=1134,height=213!
>  
> nifi-registry-app.log (debug level)
> {code:java}
> 022-06-29 13:32:35,691 DEBUG [NiFi Registry Web Server-15] o.a.nifi.registry.db.DatabaseKeyService Deleting key with identity='myungwon'.
> 2022-06-29 13:32:35,697 INFO [NiFi Registry Web Server-15] o.a.n.r.w.s.a.jwt.JwtService Deleted token from database.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
> 2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
> 2022-06-29 13:32:35,799 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
> 2022-06-29 13:32:35,799 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper
> java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry
>         at org.apache.nifi.registry.web.api.AccessResource.createAccessTokenUsingKerberosTicket(AccessResource.java:348)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
>         at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
> 2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
> 2022-06-29 13:32:35,866 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
> 2022-06-29 13:32:35,869 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.. Returning Bad Request response.
> 2022-06-29 13:32:35,870 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.
>         at org.apache.nifi.registry.web.api.AccessResource.oidcExchange(AccessResource.java:674)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
>         at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
>         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
>         at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
>         at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
>         at org.glassfish.jersey{code}
>  
> When I checked Keycloak, the login event is good.
> !image-2022-06-29-12-42-48-430.png|width=448,height=302!
> The Keycloak client is configured.
> !image-2022-06-29-12-43-25-441.png!
> !image-2022-06-29-12-43-48-726.png!
>  
> NiFi Registry is configured with OIDC authentication.
> *nifi-registry.properties*
> #OIDC #
> nifi.registry.security.user.oidc.discovery.url=http://wonpc01:31234/auth/realms/won/.well-known/openid-configuration
> nifi.registry.security.user.oidc.connect.timeout=5 secs
> nifi.registry.security.user.oidc.read.timeout=5 secs
> nifi.registry.security.user.oidc.client.id=registry
> nifi.registry.security.user.oidc.client.secret=VDumhSZFbtIKAJ0wYoF81GrIqCtdlhk0
> nifi.registry.security.user.oidc.preferred.jwsalgorithm=
> nifi.registry.security.user.oidc.claim.identifying.user=preferred_username
>  
> Logout from NiFi and other services does not have this bug when I am using this Keycloak.
> Thank you.
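
The commit above names two provider-side logout mechanisms, ID token logout and access token revocation. As an added illustration (not code from the NiFi commit or project), this Python sketch builds the request for each from an OIDC discovery document: an RP-initiated logout redirect carrying id_token_hint, or an RFC 7009 revocation POST. The endpoint preference order, the https check, the function name plan_logout and all sample values are assumptions constructed for the example.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Constructed discovery document; host and paths are placeholders.
SAMPLE_DISCOVERY = {
    "end_session_endpoint": "https://idp.example/realms/demo/logout",
    "revocation_endpoint": "https://idp.example/realms/demo/revoke",
}

def plan_logout(discovery, *, id_token=None, access_token=None,
                client_id, client_secret, post_logout_redirect_uri):
    """Describe the provider-side logout step (hypothetical helper).

    Assumed order: RP-initiated logout, then RFC 7009 revocation, then local-only.
    """
    # Refuse to send tokens or client credentials over plaintext HTTP.
    for key in ("end_session_endpoint", "revocation_endpoint"):
        url = discovery.get(key)
        if url and not url.startswith("https://"):
            raise ValueError(f"{key} must use https: {url}")

    end_session = discovery.get("end_session_endpoint")
    if end_session and id_token:
        # Browser redirect: the provider ends its own session for this ID token.
        query = urlencode({
            "id_token_hint": id_token,
            "post_logout_redirect_uri": post_logout_redirect_uri,
        })
        sep = "&" if "?" in end_session else "?"
        return {"action": "redirect", "url": f"{end_session}{sep}{query}"}

    revocation = discovery.get("revocation_endpoint")
    if revocation and access_token:
        # Back-channel POST authenticated with HTTP Basic client credentials.
        creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        basic = base64.b64encode(creds.encode()).decode()
        return {
            "action": "post",
            "url": revocation,
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"token": access_token,
                               "token_type_hint": "access_token"}),
        }

    # Provider advertises neither endpoint: only the local session can be cleared.
    return {"action": "local_only"}
```

The returned dictionary only describes the request; sending it, and deleting the local session key first as the log above shows, is left to the caller.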


