Apache NiFi / NIFI-10177

NiFi Registry logout via OIDC


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.16.3
    • Fix Version/s: 1.20.0, 1.19.1
    • Component/s: NiFi Registry
    • Labels: None

    Description

      I am trying to login and logout via OIDC.

      Login via OIDC works well, but logout via OIDC is not working.

       

      When I logout, NiFi Registry shows "Please contact your System Administrator." error message.

       

      nifi-registry-app.log (debug level)

      022-06-29 13:32:35,691 DEBUG [NiFi Registry Web Server-15] o.a.nifi.registry.db.DatabaseKeyService Deleting key with identity='myungwon'.
      2022-06-29 13:32:35,697 INFO [NiFi Registry Web Server-15] o.a.n.r.w.s.a.jwt.JwtService Deleted token from database.
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
      2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
      2022-06-29 13:32:35,799 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
      2022-06-29 13:32:35,799 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper
      java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry
              at org.apache.nifi.registry.web.api.AccessResource.createAccessTokenUsingKerberosTicket(AccessResource.java:348)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
              at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
              at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
      
      
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
      2022-06-29 13:32:35,865 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
      2022-06-29 13:32:35,866 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
      2022-06-29 13:32:35,869 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.. Returning Bad Request response.
      2022-06-29 13:32:35,870 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper
      java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.
              at org.apache.nifi.registry.web.api.AccessResource.oidcExchange(AccessResource.java:674)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
              at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
              at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
              at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
              at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
              at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
              at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
              at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
              at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
              at org.glassfish.jersey

       

      When I checked Keycloak, the login event is good.

      The Keycloak client is configured.

       

      NiFi Registry is configured with OIDC authentication.

      nifi-registry.properties
      #OIDC #
      nifi.registry.security.user.oidc.discovery.url=http://wonpc01:31234/auth/realms/won/.well-known/openid-configuration
      nifi.registry.security.user.oidc.connect.timeout=5 secs
      nifi.registry.security.user.oidc.read.timeout=5 secs
      nifi.registry.security.user.oidc.client.id=registry
      nifi.registry.security.user.oidc.client.secret=VDumhSZFbtIKAJ0wYoF81GrIqCtdlhk0
      nifi.registry.security.user.oidc.preferred.jwsalgorithm=
      nifi.registry.security.user.oidc.claim.identifying.user=preferred_username

       

      Logout from NiFi and other services does not have this bug when I am using this Keycloak.

      Thank you.
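
A triage sketch for the log excerpt in the report above, added here as an example and not part of the original report or of NiFi Registry's code: it lists the exceptions logged after the JWT deletion and the first `org.apache.nifi` frame of each, showing which `AccessResource` methods the now-anonymous session reached. The sample lines are abbreviated from the report, and the function name `post_logout_failures` is hypothetical.

```python
import re

# Constructed sample: abbreviated lines in the format of the log quoted in the report.
SAMPLE_LOG = """\
2022-06-29 13:32:35,697 INFO [NiFi Registry Web Server-15] o.a.n.r.w.s.a.jwt.JwtService Deleted token from database.
2022-06-29 13:32:35,797 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
2022-06-29 13:32:35,799 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
2022-06-29 13:32:35,799 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalStateExceptionMapper
java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry
        at org.apache.nifi.registry.web.api.AccessResource.createAccessTokenUsingKerberosTicket(AccessResource.java:348)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2022-06-29 13:32:35,870 DEBUG [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper
java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.
        at org.apache.nifi.registry.web.api.AccessResource.oidcExchange(AccessResource.java:674)
"""

# timestamp, level, [thread], logger, optional message
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:,]+) (\w+) \[([^\]]+)\] (\S+) ?(.*)$")
# First line of a stack trace: fully qualified exception class, then the message
EXC = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
# Stack frame belonging to NiFi code: captures class and method
FRAME = re.compile(r"^\s+at (org\.apache\.nifi\.[\w.$]+)\.(\w+)\(")


def post_logout_failures(text):
    """Return stack-traced failures that follow a token deletion, in log order."""
    findings, logged_out, current = [], False, None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            ts, thread = m.group(1), m.group(3)
            if "Deleted token from database" in m.group(5):
                logged_out = True
            current = None  # a new log record ends any open stack trace
        elif logged_out and (m := EXC.match(line)):
            current = {
                "time": ts,
                "thread": thread,
                "exception": m.group(1).rsplit(".", 1)[-1],
                "message": m.group(2),
                "method": None,
            }
            findings.append(current)
        elif current and current["method"] is None and (m := FRAME.match(line)):
            current["method"] = m.group(2)  # first NiFi frame = failing endpoint
    return findings


if __name__ == "__main__":
    for f in post_logout_failures(SAMPLE_LOG):
        print(f["time"], f["exception"], "in", f["method"])
```

The single-line INFO records that repeat each exception are matched as ordinary log headers, so every failure is counted once, from its stack trace.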


            People

              Assignee: Emilio Setiadarma
              Reporter: kim myungwon