Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/08/24 14:40:15 UTC

[GitHub] [nifi] exceptionfactory opened a new pull request, #6332: NIFI-10321 Send Session Expired message for Expired JWT errors

exceptionfactory opened a new pull request, #6332:
URL: https://github.com/apache/nifi/pull/6332

   # Summary
   
   [NIFI-10321](https://issues.apache.org/jira/browse/NIFI-10321) Adjusts the response body message to send a simplified Session Expired notification when the REST API receives a request with an expired JSON Web Token. This is a common scenario when authenticating with username and password credentials or integrating with an external identity provider.
   
   Recent changes to provide more detailed error messages for invalid JSON Web Tokens included sending the contents of the `WWW-Authenticate` header as the response body message. This message includes an error code, error description, and reference URI. When a JSON Web Token expires, the REST API returns the following message in the `WWW-Authenticate` header:
   
   ```
   error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Expired JWT", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
   ```
   
   Although this is accurate, it is not the most intuitive message for the common occurrence of an expired session. Although the Nimbus JOSE JWT library does not throw a specialized exception for an expired JWT, it does include a [standard message](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/54337ac3f00ad3fa55680a68414449fcdd266c36/src/main/java/com/nimbusds/jwt/proc/DefaultJWTClaimsVerifier.java?at=master#lines-342), which Spring Security appends to the error description.
   
   This implementation checks for the presence of the standard `Expired JWT` message and returns a simplified Session Expired message in the response body while retaining the error details in the `WWW-Authenticate` response header.
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
   
   ### Pull Request Tracking
   
   - [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   - [X] Pull Request commit message starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   
   ### Pull Request Formatting
   
   - [X] Pull Request based on current revision of the `main` branch
   - [X] Pull Request refers to a feature branch with one commit containing changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request creation.
   
   ### Build
   
   - [X] Build completed using `mvn clean install -P contrib-check`
     - [X] JDK 8
     - [ ] JDK 11
     - [ ] JDK 17
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
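
The check described in the pull request above, sketched as an added example in plain JDK Java; it is not NiFi's code and not part of the original message. The class and method names are hypothetical, the additional `invalid_token` check is an assumption of this example, and any other error falls back to echoing the header contents as the body, which is the earlier behavior the description mentions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not NiFi's.
public class ExpiredJwtMessageExample {
    // Marker text and simplified message named in the pull request description
    static final String EXPIRED_MARKER = "Expired JWT";
    static final String SESSION_EXPIRED = "Session Expired";

    // auth-param: name="quoted value", allowing backslash-escaped characters
    private static final Pattern PARAM = Pattern.compile("([A-Za-z_]+)=\"((?:[^\"\\\\]|\\\\.)*)\"");

    // Parse the parameters of a Bearer challenge into an ordered map
    static Map<String, String> parseChallenge(String headerValue) {
        Map<String, String> params = new LinkedHashMap<>();
        Matcher m = PARAM.matcher(headerValue);
        while (m.find()) {
            params.put(m.group(1), m.group(2).replaceAll("\\\\(.)", "$1"));
        }
        return params;
    }

    // Choose the response body; the caller sends the header value unchanged
    static String responseBody(String headerValue) {
        Map<String, String> params = parseChallenge(headerValue);
        String description = params.getOrDefault("error_description", "");
        // Assumption of this example: require the invalid_token code as well as the marker
        boolean expired = "invalid_token".equals(params.get("error"))
                && description.contains(EXPIRED_MARKER);
        return expired ? SESSION_EXPIRED : headerValue;
    }

    public static void main(String[] args) {
        // Header value as quoted in the pull request description
        String expiredHeader = "error=\"invalid_token\", error_description=\"An error occurred while attempting to decode the Jwt: Expired JWT\", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"";
        // Constructed sample: a different decoding failure that must not read as an expired session
        String otherHeader = "error=\"invalid_token\", error_description=\"An error occurred while attempting to decode the Jwt: Signed JWT rejected\"";
        for (String header : new String[] {expiredHeader, otherHeader}) {
            System.out.println("WWW-Authenticate: " + header);
            System.out.println("Body: " + responseBody(header));
        }
    }
}
```

Because the match depends on a library message string rather than an exception type, a regression test that pins the expected `Expired JWT` text is worth keeping alongside any dependency upgrade.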


[GitHub] [nifi] thenatog commented on pull request #6332: NIFI-10321 Send Session Expired message for Expired JWT errors

Posted by GitBox <gi...@apache.org>.
thenatog commented on PR #6332:
URL: https://github.com/apache/nifi/pull/6332#issuecomment-1225969467

   Tested this out and G Suite SAML, set to 1 minute expiry and found that the error page now shows 'Session Expired'. +1 will merge.




[GitHub] [nifi] exceptionfactory commented on pull request #6332: NIFI-10321 Send Session Expired message for Expired JWT errors

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on PR #6332:
URL: https://github.com/apache/nifi/pull/6332#issuecomment-1225971220

   > Tested this out and G Suite SAML, set to 1 minute expiry and found that the error page now shows 'Session Expired'. +1 will merge.
   
   Thanks @thenatog!




[GitHub] [nifi] thenatog closed pull request #6332: NIFI-10321 Send Session Expired message for Expired JWT errors

Posted by GitBox <gi...@apache.org>.
thenatog closed pull request #6332: NIFI-10321 Send Session Expired message for Expired JWT errors
URL: https://github.com/apache/nifi/pull/6332




[GitHub] [nifi] thenatog commented on pull request #6332: NIFI-10321 Send Session Expired message for Expired JWT errors

Posted by GitBox <gi...@apache.org>.
thenatog commented on PR #6332:
URL: https://github.com/apache/nifi/pull/6332#issuecomment-1225904530

   Will review

