Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/08/09 13:58:00 UTC

[jira] [Commented] (NIFI-10332) Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak

    [ https://issues.apache.org/jira/browse/NIFI-10332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577427#comment-17577427 ] 

David Handermann commented on NIFI-10332:
-----------------------------------------

Thanks for reporting this issue [~macdoor615]. I noticed the same issue while testing OpenID Connect integration with Keycloak 18. This looks like a helpful improvement, I will take a closer look at the OpenID Connect specification. Adhering to the specification should be supported.

> Add ID_TOKEN_LOGOUT support for general OpenID connect server, e.g. Keycloak
> ----------------------------------------------------------------------------
>
>                 Key: NIFI-10332
>                 URL: https://issues.apache.org/jira/browse/NIFI-10332
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI
>    Affects Versions: 1.17.0
>         Environment: NiFi 1.17.0, Keycloak 18.0.1
>            Reporter: macdoor615
>            Priority: Major
>             Fix For: 1.18.0
>
>         Attachments: image-2022-08-09-16-56-25-791.png
>
>
> I deployed a NiFi 1.170 and authenticate with OpenID Connect. The authentication server is Keycloak 18.0.1.
> I can log in and I can use the UI properly.
> But when I log out, I get an error and cannot redirect to the NiFi UI or the Keycloak login UI.
> !image-2022-08-09-16-56-25-791.png|width=782,height=347!
> [https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F36.138.166.203%3A18089%2Fhb3-dmz-repos-000-nifi%2Fnifi-api%2F..%2Fnifi%2Flogout-complete]
> I made some investigation into the source code. I found NiFi only supports ID_TOKEN_LOGOUT for the Okta service. Keycloak and other authentication servers cannot be supported.
> Keycloak says it is compliant with the OpenID Connect spec.
> I modified a few lines of source code to let it support ID_TOKEN_LOGOUT for Keycloak. Now I can log out of NiFi and redirect to the Keycloak login UI, and then log in to NiFi again.
> I suggest making NiFi support ID_TOKEN_LOGOUT in a later version for general OpenID Connect servers.
> I modified the file [https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OIDCAccessResource.java],
> starting from line 403:
> {code:java}
>     // Reporter's modification: every discovery URL that does not match the
>     // access-token revocation pattern now falls through to ID_TOKEN_LOGOUT,
>     // instead of only URLs matching ID_TOKEN_LOGOUT_FORMAT (the Okta case).
>     private String determineLogoutMethod(String oidcDiscoveryUrl) {
>         Matcher accessTokenMatcher = REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>         // Still created, but no longer consulted after the change below.
>         Matcher idTokenMatcher = ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
>
>         if (accessTokenMatcher.find()) {
>             return REVOKE_ACCESS_TOKEN_LOGOUT;
>         } else {
>             return ID_TOKEN_LOGOUT;
>         }
>     }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
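As an added example (not NiFi's code and not part of the issue or the comment above), the following Python sketches the provider-agnostic approach the reporter is asking for: the logout method is chosen from the endpoints the provider advertises in its discovery document rather than by matching the discovery URL against provider-specific patterns, and the RP-initiated logout request is then composed with `id_token_hint` and a `post_logout_redirect_uri` that is normalized and checked against the client's registered list before it is sent. The constant names mirror the snippet in the issue; their string values, the discovery documents, hostnames, the token and the registered URI are all constructed for the example.

```python
import json
import posixpath
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Names mirror the constants in the issue's snippet; the values are assumed.
ID_TOKEN_LOGOUT = "ID_TOKEN_LOGOUT"
REVOKE_ACCESS_TOKEN_LOGOUT = "REVOKE_ACCESS_TOKEN_LOGOUT"
STANDARD_LOGOUT = "STANDARD_LOGOUT"

# Constructed discovery documents, shaped like the JSON a provider serves at
# /.well-known/openid-configuration. Hostnames and paths are made up.
DISCOVERY_WITH_END_SESSION = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "end_session_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
    "revocation_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/revoke",
})
DISCOVERY_REVOCATION_ONLY = json.dumps({
    "issuer": "https://revoke-only.example.test",
    "authorization_endpoint": "https://revoke-only.example.test/oauth2/authorize",
    "token_endpoint": "https://revoke-only.example.test/oauth2/token",
    "revocation_endpoint": "https://revoke-only.example.test/oauth2/revoke",
})
DISCOVERY_MINIMAL = json.dumps({
    "issuer": "https://minimal.example.test",
    "authorization_endpoint": "https://minimal.example.test/authorize",
    "token_endpoint": "https://minimal.example.test/token",
})


def determine_logout_method(discovery_json: str) -> str:
    """Choose the logout method from the endpoints the provider advertises.

    An end_session_endpoint means RP-Initiated Logout with an id_token_hint is
    available (Keycloak, Okta and other conforming providers); a revocation
    endpoint alone means the RP can at least revoke its access token; otherwise
    only a local logout is possible. No provider-specific URL patterns needed.
    """
    metadata = json.loads(discovery_json)
    if metadata.get("end_session_endpoint"):
        return ID_TOKEN_LOGOUT
    if metadata.get("revocation_endpoint"):
        return REVOKE_ACCESS_TOKEN_LOGOUT
    return STANDARD_LOGOUT


def normalize_redirect_uri(uri: str) -> str:
    """Collapse '.' and '..' path segments and drop any fragment.

    The OP compares post_logout_redirect_uri with the client's registered
    post-logout URIs, so a path like /nifi-api/../nifi/logout-complete is sent
    in the same form as the registered /nifi/logout-complete.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        raise ValueError("post_logout_redirect_uri must use https")
    path = posixpath.normpath(parts.path) if parts.path else "/"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def build_end_session_url(discovery_json: str, id_token: str,
                          post_logout_redirect_uri: str, registered_uris: set,
                          state: Optional[str] = None) -> str:
    """Compose the RP-Initiated Logout request for the provider's end_session_endpoint.

    id_token_hint identifies the session being ended; the redirect target is
    normalized and checked against the RP's own registered list before it is
    sent, mirroring the check the OP performs on its side.
    """
    metadata = json.loads(discovery_json)
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider does not advertise end_session_endpoint")
    redirect = normalize_redirect_uri(post_logout_redirect_uri)
    if redirect not in registered_uris:
        raise ValueError(f"{redirect} is not a registered post-logout redirect URI")
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": redirect}
    if state:
        params["state"] = state
    return f"{endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed registered URI and placeholder ID token, not real values.
    registered = {"https://nifi.example.test:18089/nifi/logout-complete"}
    print(determine_logout_method(DISCOVERY_WITH_END_SESSION))
    print(build_end_session_url(
        DISCOVERY_WITH_END_SESSION, "eyJ.constructed.idtoken",
        "https://nifi.example.test:18089/nifi-api/../nifi/logout-complete", registered))
```

Reading `end_session_endpoint` from the discovery document is what makes the choice provider-agnostic: a Keycloak realm, an Okta org or any other conforming OP advertises it in the same field, so no per-provider URL pattern has to be maintained. The normalization step exists because the OP matches the redirect parameter against registered values; a `..` segment such as the one visible in the issue's logout URL is collapsed before the request is built rather than left for the OP to interpret.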