Posted to dev@nifi.apache.org by "Kumara M S, Hemantha (Nokia - IN/Bangalore)" <he...@nokia.com> on 2019/08/21 13:49:03 UTC

NiFi user authentication via OpenId Connect: token expiry issue

Hi ,

We have configured a NiFi cluster and are using OpenID Connect (Keycloak <https://www.keycloak.org/>) for user authentication.
In Keycloak, here is some of the token configuration in the realm settings:

  *   SSO Session Idle 30 Minutes
  *   Access Token Lifespan 1 Minutes


The issue is that the NiFi UI gives an error every minute: "Session Expired: Your session has expired. Please press Ok to log in again.", and right after it this one: "Unknown user with identity 'anonymous'. Contact the system administrator". Is this because NiFi checks session validity using only the access_token?

According to the Keycloak documentation https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-auth-flows, the access_token is short-lived for security purposes. Shouldn't NiFi use the refresh token to check session validity and request a new token that renews the session if required?

Regards,
Hemantha


Re: NiFi user authentication via OpenId Connect: token expiry issue

Posted by Matt Gilman <ma...@gmail.com>.
Hemantha,

NiFi performs a token request. From that response, NiFi gets the ID token
which is included from the 'openid' scope that is specified when we invoke
the authorization endpoint. NiFi also requests the 'email' scope which NiFi
will use as the user identity. We do obtain the expiration from the ID
token claimset (not the access token) which we honor in the token that NiFi
generates internally.

NiFi will only use the access token to invoke the User endpoint if the
email claim is not included in the ID token's claimset. The access token is
not saved or persisted by NiFi because we do not need to invoke any other
APIs from the identity provider.

It's likely that there are some improvements that could be made here. From
reading the spec, it appears that the intent of the refresh token is to
obtain a new access token. It's not clear whether this process should be
used to obtain a new id token. This is something that should be
investigated further. You could also check if there is another setting in
your identity provider for the ID Token Lifespan. Another option is that
NiFi could introduce a new property that allows the admin to configure how
long it wants to allow our 'sessions' to last.

Matt

On Wed, Aug 21, 2019 at 9:49 AM Kumara M S, Hemantha (Nokia - IN/Bangalore)
<he...@nokia.com> wrote:

> Hi ,
>
> We have configured a NiFi cluster and are using OpenID Connect (Keycloak <
> https://www.keycloak.org/>) for user authentication.
> In Keycloak, here is some of the token configuration in the realm settings:
>
>   *   SSO Session Idle 30 Minutes
>   *   Access Token Lifespan 1 Minutes
>
>
> The issue is that the NiFi UI gives an error every minute: "Session
> Expired: Your session has expired. Please press Ok to log in again.", and
> right after it this one: "Unknown user with identity 'anonymous'. Contact
> the system administrator". Is this because NiFi checks session validity
> using only the access_token?
>
> According to the Keycloak documentation
> https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-auth-flows,
> the access_token is short-lived for security purposes. Shouldn't NiFi use
> the refresh token to check session validity and request a new token that
> renews the session if required?
>
> Regards,
> Hemantha
>
>
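The flow Matt describes, worked through as an added example (this is illustration code written for this page, not NiFi's implementation or anything from the thread). A relying party takes the ID token from the token response, uses its `email` claim as the identity, falls back to the UserInfo endpoint with the access token only when that claim is missing, and derives its own session lifetime from the ID token's `exp` claim; the refresh token is never touched, so nothing extends the session. The tokens, the HMAC key, the issuer URL, the e-mail address and the timestamps are all constructed for the demo, and the provider is assumed to issue the ID token with the same 60-second lifespan as the access token, which is the 1-minute symptom reported above. Signatures are built so the tokens look realistic but are not verified here; a real relying party must validate the JWS against the provider's JWKS, plus `iss`, `aud` and `exp`, before trusting any claim.

```python
"""Added example (not NiFi's code): what an OIDC relying party does with the
token response, following the behaviour described in the reply above.

Constructed inputs: tokens, key, timestamps and e-mail are made up. The demo
signs with HS256 only so the JWT shape is realistic; it does NOT verify
signatures, which a real relying party must do against the IdP's JWKS.
"""
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"   # assumption: stands in for the IdP key
NOW = 1566395343                      # assumption: fixed "current time" (epoch s)
ACCESS_TOKEN_LIFESPAN = 60            # the 1-minute realm setting from the thread


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) for the constructed tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def claims_of(jwt: str) -> dict:
    """Decode the claim set. Demo only: no signature, issuer or audience check."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(b64url_decode(payload))


def relying_party_login(token_response: dict, now: int, userinfo_endpoint=None) -> dict:
    """Mirror the flow in the reply:
    * identity comes from the ID token's 'email' claim;
    * only if that claim is absent is the access token used, once, against
      the UserInfo endpoint (a callable standing in for the HTTP call);
    * the internal session lifetime is the ID token's 'exp' minus now;
    * the refresh token is ignored, so nothing extends the session.
    """
    id_claims = claims_of(token_response["id_token"])
    if id_claims["exp"] <= now:
        raise ValueError("ID token already expired")

    used_access_token = False
    identity = id_claims.get("email")
    if identity is None:
        if userinfo_endpoint is None:
            raise ValueError("no email claim and no UserInfo endpoint")
        identity = userinfo_endpoint(token_response["access_token"])["email"]
        used_access_token = True

    return {
        "identity": identity,
        "session_seconds": id_claims["exp"] - now,   # what the UI lives on
        "used_access_token": used_access_token,
        "used_refresh_token": False,
    }


def demo() -> dict:
    """Two constructed token responses from a provider whose ID token lifespan
    equals the access token lifespan (the 1-minute symptom in the thread)."""
    exp = NOW + ACCESS_TOKEN_LIFESPAN
    base = {"iss": "https://keycloak.example/auth/realms/demo",   # assumption
            "aud": "nifi", "iat": NOW, "exp": exp, "sub": "1234"}
    with_email = make_jwt({**base, "email": "hemantha@example.com"})
    without_email = make_jwt(base)
    access_token = make_jwt({**base, "scope": "openid email"})

    def userinfo(bearer: str) -> dict:
        # UserInfo stand-in: only the bearer access token unlocks the profile.
        if bearer != access_token:
            raise PermissionError("bad access token")
        return {"sub": "1234", "email": "hemantha@example.com"}

    response = {"access_token": access_token, "refresh_token": "constructed-refresh"}
    return {
        "with_email": relying_party_login({**response, "id_token": with_email}, NOW),
        "without_email": relying_party_login(
            {**response, "id_token": without_email}, NOW, userinfo),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and both cases come back with a 60-second session, which is exactly why a UI built on this lifetime re-prompts every minute when the provider's ID token lifespan matches a 1-minute access token lifespan; the two remedies Matt lists map directly onto the code: a longer ID token `exp` from the provider, or a relying-party-side session length that is decoupled from `exp`.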