You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Ryan (Jira)" <ji...@apache.org> on 2023/03/06 12:07:00 UTC

[jira] [Created] (NIFI-11252) OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry

Ryan created NIFI-11252:
---------------------------

             Summary: OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry
                 Key: NIFI-11252
                 URL: https://issues.apache.org/jira/browse/NIFI-11252
             Project: Apache NiFi
          Issue Type: Bug
          Components: NiFi Registry
    Affects Versions: 1.20.0
            Reporter: Ryan


Since upgrading to 1.20.0 from 1.16.2 I have been getting the following error: {{Unable to exchange authorization for ID token: An error occurred while invoking the Token endpoint: Invalid client secret}} 

In version 1.20.0 {{nifi.registry.security.user.oidc.client.secret}} has been added to the default [list of properties|https://github.com/apache/nifi/blob/main/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/util/NiFiRegistryPropertiesEncryptor.groovy#L44] that are encrypted by the Nifi Toolkit's property encryption tool, however, it has not been added to the [ProtectedNiFiRegistryProperties|https://github.com/apache/nifi/blob/main/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/ProtectedNiFiRegistryProperties.java#L54] file which is used to read and decrypt these properties.

This results in the encrypted string being passed to the OIDC provider resulting in the error above.

I have gotten around this issue for the time being by setting the following property.
{code:java}
nifi.registry.sensitive.props.additional.keys=nifi.registry.security.user.oidc.client.secret {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)