Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/11/27 20:18:00 UTC

[jira] [Commented] (NIFI-12418) Identity Provider Groups Missing in Refreshed Bearer Token

    [ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790251#comment-17790251 ] 

David Handermann commented on NIFI-12418:
-----------------------------------------

Reference dev mailing list thread: https://lists.apache.org/thread/54tpom04nv526ql8zv91n7ll1wc24sdh

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
>                 Key: NIFI-12418
>                 URL: https://issues.apache.org/jira/browse/NIFI-12418
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 2.0.0-M1, 1.24.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application Bearer Tokens when NiFi is integrated with an OpenID Connect Identity Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information supplied from an Identity Provider, passing the groups in the application Bearer Token instead of persisting the groups in the local database repository.
> As a result of these handling changes, the Identity Provider group membership information is not retained when the OIDC Bearer Token Refresh Filter generates a new token. In deployments where the configured User Group Provider does not provide the group information, this behavior can result in authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group membership information from the new Identity Provider token.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
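
The following is an added example, not part of the original message and not NiFi source code: a simplified Python model of the behavior described in the issue, showing how an application token refreshed without Identity Provider groups fails authorization unless a User Group Provider supplies them. All function names, the "groups" claim name, and the sample values are assumptions made for illustration.

```python
# Simplified model of the issue; not NiFi code. All names are hypothetical.
import time

GROUPS_CLAIM = "groups"  # assumed name of the IdP claim carrying group names

# Constructed sample data: validated claims from the IdP token returned by a
# Refresh Token Grant, and the groups named in an access policy.
IDP_CLAIMS_AFTER_REFRESH = {"sub": "alice@example.com", "groups": ["flow-admins"]}
POLICY_GROUPS = {"flow-admins"}

def issue_app_token(subject, groups, lifetime=3600, now=None):
    """Application bearer token as a claims dict; groups travel in the token."""
    now = time.time() if now is None else now
    return {"sub": subject, "groups": sorted(set(groups)), "exp": now + lifetime}

def refresh_dropping_groups(idp_claims):
    """Behavior described in the issue: the new token carries no IdP groups."""
    return issue_app_token(idp_claims["sub"], [])

def refresh_keeping_groups(idp_claims):
    """Proposed behavior: read group membership from the new IdP token."""
    groups = idp_claims.get(GROUPS_CLAIM) or []
    if isinstance(groups, str):  # tolerate a single string value
        groups = [groups]
    return issue_app_token(idp_claims["sub"], groups)

def is_authorized(app_token, policy_groups, user_group_provider=None):
    """Allow when a token group or a locally provided group is in the policy."""
    local = (user_group_provider or {}).get(app_token["sub"], set())
    return bool((set(app_token["groups"]) | set(local)) & set(policy_groups))

def detect_group_loss(old_token, new_token):
    """Groups present before the refresh but absent after it (regression check)."""
    return sorted(set(old_token["groups"]) - set(new_token["groups"]))

if __name__ == "__main__":
    first = issue_app_token("alice@example.com", ["flow-admins"])
    for refresh in (refresh_dropping_groups, refresh_keeping_groups):
        token = refresh(IDP_CLAIMS_AFTER_REFRESH)
        print(refresh.__name__,
              "authorized:", is_authorized(token, POLICY_GROUPS),
              "lost:", detect_group_loss(first, token))
```

A comparison like detect_group_loss, run against tokens issued before and after a refresh, is one way to confirm in a test environment that group membership survives the refresh.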