You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Ryan (Jira)" <ji...@apache.org> on 2023/03/06 12:07:00 UTC
[jira] [Created] (NIFI-11252) OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry
Ryan created NIFI-11252:
---------------------------
Summary: OIDC secret properties that are encrypted by default are not being decrypted in Nifi Registry
Key: NIFI-11252
URL: https://issues.apache.org/jira/browse/NIFI-11252
Project: Apache NiFi
Issue Type: Bug
Components: NiFi Registry
Affects Versions: 1.20.0
Reporter: Ryan
Since upgrading to 1.20.0 from 1.16.2 I have been getting the following error: {{Unable to exchange authorization for ID token: An error occurred while invoking the Token endpoint: Invalid client secret}}
In version 1.20.0 {{nifi.registry.security.user.oidc.client.secret}} has been added to the default [list of properties|https://github.com/apache/nifi/blob/main/nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/toolkit/encryptconfig/util/NiFiRegistryPropertiesEncryptor.groovy#L44] that are encrypted by the Nifi Toolkit's property encryption tool, however, it has not been added to the [ProtectedNiFiRegistryProperties|https://github.com/apache/nifi/blob/main/nifi-registry/nifi-registry-core/nifi-registry-properties-loader/src/main/java/org/apache/nifi/registry/properties/ProtectedNiFiRegistryProperties.java#L54] file which is used to read and decrypt these properties.
This results in the encrypted string being passed to the OIDC provider resulting in the error above.
I have gotten around this issue for the time being by setting the following property.
{code:java}
nifi.registry.sensitive.props.additional.keys=nifi.registry.security.user.oidc.client.secret {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)