Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-10177

Nifi Registry logout via OIDC

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.16.3
    • None
    • NiFi Registry
    • None

    Description

      I am trying to login and logout via OIDC.

      Login via OIDC is well. but logout via OIDC is not working.

       

      When I logout, NiFi Registry shows "Please contact your System Administrator." error message.

       

      nifi-registry-app.log (debug level)

      022-06-29 13:32:35,691 DEBUG [NiFi Registry Web Server-15] o.a.nifi.registry.db.DatabaseKeyService Deleting key with identity='myungwon'.
      2022-06-29 13:32:35,697 INFO [NiFi Registry Web Server-15] o.a.n.r.w.s.a.jwt.JwtService Deleted token from database.
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
      2022-06-29 13:32:35,799 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
      2022-06-29 13:32:35,799 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper
      java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry
              at org.apache.nifi.registry.web.api.AccessResource.createAccessTokenUsingKerberosTicket(AccessResource.java:348)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
              at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
              at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
      
      
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
      2022-06-29 13:32:35,866 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
      2022-06-29 13:32:35,869 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.. Returning Bad Request response.
      2022-06-29 13:32:35,870 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper
      java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.
              at org.apache.nifi.registry.web.api.AccessResource.oidcExchange(AccessResource.java:674)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
              at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
              at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
              at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
              at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
              at org.glassfish.jersey

       

      When I checked keyclock, Login event is good.

      Keyclock Client is configured.

       

      NiFi Registry is configured with OIDC authentification.

      nifi-registry.properties
      #OIDC #
      nifi.registry.security.user.oidc.discovery.url=http://wonpc01:31234/auth/realms/won/.well-known/openid-configuration
      nifi.registry.security.user.oidc.connect.timeout=5 secs
      nifi.registry.security.user.oidc.read.timeout=5 secs
      nifi.registry.security.user.oidc.client.id=registry
      nifi.registry.security.user.oidc.client.secret=VDumhSZFbtIKAJ0wYoF81GrIqCtdlhk0
      nifi.registry.security.user.oidc.preferred.jwsalgorithm=
      nifi.registry.security.user.oidc.claim.identifying.user=preferred_username

       

      NiFi and other services logout does not have this bug when i using this keyclock.

      Thank you.

      Attachments

        1. image-2022-06-29-12-41-52-164.png
          34 kB
          kim myungwon
        2. image-2022-06-29-12-42-48-430.png
          25 kB
          kim myungwon
        3. image-2022-06-29-12-43-25-441.png
          41 kB
          kim myungwon
        4. image-2022-06-29-12-43-48-726.png
          39 kB
          kim myungwon

        Activity

          People

            Unassigned Unassigned
            won kim myungwon
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: