Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/12/30 04:14:00 UTC

[jira] [Commented] (NIFI-11014) JWT token is rejected by NiFi when calling APIs

    [ https://issues.apache.org/jira/browse/NIFI-11014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17653016#comment-17653016 ] 

David Handermann commented on NIFI-11014:
-----------------------------------------

Based on the issue description, it does not sound like the approach described will work. The NiFi OpenID Connect implementation uses the Authorization Code Grant Type, and after a successful authentication, NiFi generates an internal JSON Web Token, which it will accept until the configured expiration.

The NiFi internal JSON Web Token is the only acceptable JWT that can be provided in the HTTP Authorization header with the Bearer scheme. If an external Spring Boot application is obtaining a JWT from Keycloak, NiFi will not accept this token in the Authorization header, and will respond with the error mentioned.

It sounds like this could be a potential improvement request, allowing NiFi to support additional OAuth2 grant types. If there are additional implementation details regarding this use case, it would be helpful to provide that background.

> JWT token is rejected by NiFi when calling APIs
> -----------------------------------------------
>
>                 Key: NIFI-11014
>                 URL: https://issues.apache.org/jira/browse/NIFI-11014
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: NiFi Stateless
>    Affects Versions: 1.15.3
>         Environment: NiFi with Keycloak as OIDC provider.
>            Reporter: Irudya Raj
>            Priority: Major
>
> I have created oauth token using spring boot and transferred this token to authorization header bearer. NiFi is configured with PS512 JWS algorithm via nifi.security.user.oidc.preferred.jwsalgorithm property. But the API request fails with message "nifi unable to validate the id token: signed jwt rejected: another algorithm expected, or no matching key(s) found" 
> I am able to use NiFi web. Keycloak is configured to use PS512 algo for ID token and access tokens.
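
A triage sketch for the situation discussed in this thread, added here and not part of the original message or of NiFi's code: it reads a bearer token's header and "iss" claim without verifying the signature, to show whether the token was issued by the identity provider rather than by NiFi. The issuer URL, key id, function names and sample tokens are constructed for illustration.

```python
import base64
import json


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (JWTs strip the padding) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("JWT segment is not a JSON object")
    return value


def describe_bearer_token(token: str, idp_issuer: str) -> dict:
    """Read header and claims of a compact JWS WITHOUT verifying the signature.

    Triage only: nothing returned here may be trusted for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"well_formed": False, "reason": "expected 3 dot-separated segments"}
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return {"well_formed": False, "reason": str(exc)}
    iss = claims.get("iss")
    same = isinstance(iss, str) and iss.rstrip("/") == idp_issuer.rstrip("/")
    return {
        "well_formed": True,
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "iss": iss,
        # An issuer equal to the identity provider means the token was minted
        # outside NiFi, which is the case this thread says NiFi rejects.
        "issued_by_idp": same,
    }


def _sample(header: dict, claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


IDP_ISSUER = "https://keycloak.example.test/realms/demo"  # constructed value
IDP_TOKEN = _sample({"alg": "PS512", "kid": "sample-key"}, {"iss": IDP_ISSUER, "sub": "svc"})
OTHER_TOKEN = _sample({"alg": "PS512"}, {"iss": "some-other-issuer", "sub": "user"})

if __name__ == "__main__":
    for tok in (IDP_TOKEN, OTHER_TOKEN, "not-a-jwt"):
        print(describe_bearer_token(tok, IDP_ISSUER))
```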


