  1. Apache NiFi
  2. NIFI-10322

invalid_token error after OpenID connect session timeout


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.17.0
    • Fix Version/s: 1.18.0
    • Component/s: Core UI
    • Labels: None

    Description

      I followed https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect to configure NiFi 1.16.3 and it works properly. If the session times out, I log in again and it works again.

      I configured 1.17.0 in the same way. I can log in and operate the NiFi UI, but when the session times out, I get the following error.

       

      Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Expired JWT", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

       

      I try to log in again and get a new error, and I cannot enter the NiFi interface.

       

      Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

       

      I did some research and found the following. After the session times out, NiFi 1.16.3 leaves 3 cookies in the browser:

      • nifi-logout-request-identifier
      • nifi-oidc-request-identifier
      • __Secure-Request-Token

      NiFi 1.17.0 leaves 2 cookies:

      • __Secure-Authorization-Bearer
      • __Secure-Request-Token

      The __Secure-Authorization-Bearer cookie contains an expired JWT:

      eyJraWQiOiJhMDlhZDhlMy0xZDkzLTQyZTEtYjg0Ni0xMWU0ODRkODYwYWYiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5NjExOTc0LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5NjEyMjc0LCJpYXQiOjE2NTk2MTE5NzQsImp0aSI6IjFiZTg5MjU4LTliZmYtNDhmOS04OGNmLWU0NDIzMDZjYzg4ZCJ9.Y9yE0hNH_q-W94_cFWOWGc7TPMP2xB9coaSRPT9twYqSyjTtudOiiXGxHEDUWsOvUFf7lT7wNH4RZ_LhOM-5WfTZ3o-DCVFnl0JjeZ-L9d-z3rO4dEspRxXpr46AewEGy_lpstSUFyihr4i8b2VI7IT0aFOCGAIXRWl7gfH75e5La_0tbsu9lgSRdyYBBv8rSjojJC5bBSqxj-BkrfjdMhyMuF9OdMCJNmyh18BrXbavwftNerytkd_Qf9eNLmzsZ3SOdKWpftKt4kClD_KeL0nOglhM-ENyb4QLwxr7l5lhUgQ-2am3x5okbRyYip_WV4YQ6DfmUnLL1FYFATWXa5CUimSRbSZzkqU2JEYerpvKsTf-prdsSNryPbrQdf5HqpwhlGbFrgm4jwtncZHTLEL4ZMciVe0H-zIcQ9vyDqamMpf6fyNWmQN8DdDP9A0Zpo7SL7yhOUjNGsjk1gV4OAHWgp4XQzj4KwoGf7ICjeOrzinECHFZw9Ccyi8KMooRx4u3oAuKPEx3mrZFNFDaiAzWX0kZ31c24-15cno2bLBMGOIx7ipjb6Pv7V6O9S2aA2vC3eVLnfAgHAox3I8_IzWLUKddHCqd6cfA1XW8ckSgg2QddKvgYHiCZpwVV4AMDpK4bI1J0ZbxbgOOke9IMMudNhZUFQdWJIXh-gx1bII

      I manually delete the __Secure-Authorization-Bearer cookie, and I can log in to NiFi 1.17.0 again.

      Attachments

        1. nifi-1.17.0-logs.zip
          13 kB
          macdoor615
        2. nifi-1.16.3-logs.zip
          12 kB
          macdoor615
        3. nginx-access.log.zip
          13 kB
          macdoor615
        4. image-2022-08-08-23-59-12-471.png
          1.40 MB
          macdoor615
        5. image-2022-08-08-23-35-02-773.png
          1.01 MB
          macdoor615
        6. image-2022-08-08-23-33-30-220.png
          866 kB
          macdoor615
        7. image-2022-08-07-16-11-38-180.png
          1.22 MB
          macdoor615
        8. image-2022-08-07-16-00-11-443.png
          1.24 MB
          macdoor615
        9. image-2022-08-07-15-53-47-220.png
          1.39 MB
          macdoor615
        10. image-2022-08-07-15-47-57-158.png
          1.26 MB
          macdoor615
        11. image-2022-08-07-15-43-14-922.png
          1.25 MB
          macdoor615
        12. image-2022-08-07-15-37-29-739.png
          1.44 MB
          macdoor615
        13. image-2022-08-07-15-27-18-902.png
          1.17 MB
          macdoor615
        14. image-2022-08-07-15-22-36-213.png
          1.44 MB
          macdoor615
        15. image-2022-08-07-14-28-09-058.png
          1.07 MB
          macdoor615
        16. image-2022-08-05-22-48-52-057.png
          121 kB
          macdoor615
        17. image-2022-08-05-22-48-17-835.png
          44 kB
          macdoor615
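
      A triage sketch for the condition described in this report, added here as an example; it is not part of the original report and not NiFi code. It reads the `__Secure-Authorization-Bearer` cookie from a `Cookie` header, reports the token's `alg`, `kid` and `exp`, and builds a `Set-Cookie` value that removes a stale cookie. The function names, the sample token and the clearing attributes (`Path=/`, `HttpOnly`, `SameSite=Strict`) are assumptions.

```python
import base64
import json
import time
from http.cookies import SimpleCookie

BEARER_COOKIE = "__Secure-Authorization-Bearer"  # cookie name from the report

def _segment(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _decode(segment):
    """Decode an unpadded base64url JWT segment back into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def sample_cookie_header(exp):
    """Constructed Cookie header; the token is unsigned sample data, not a real one."""
    token = ".".join([_segment({"alg": "PS512", "kid": "constructed-kid"}),
                      _segment({"sub": "user@example.com", "exp": exp}), "c2ln"])
    return f"{BEARER_COOKIE}={token}; __Secure-Request-Token=constructed"

def inspect_bearer_cookie(cookie_header, now=None):
    """Report the bearer cookie's state. Claims are read WITHOUT signature
    verification, so the result is for triage only, never for authorization."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if BEARER_COOKIE not in jar:
        return {"state": "absent"}
    parts = jar[BEARER_COOKIE].value.split(".")
    try:
        if len(parts) != 3:
            raise ValueError("not a compact JWS")
        header, claims = _decode(parts[0]), _decode(parts[1])
        exp = int(claims["exp"])  # RFC 7519: token is valid only before exp
        return {"state": "expired" if exp <= now else "unexpired", "exp": exp,
                "alg": header.get("alg"), "kid": header.get("kid")}
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"state": "malformed"}

def clearing_set_cookie():
    """Set-Cookie value that deletes the stale cookie. Path=/ and the other
    attributes are assumptions; they must match how the cookie was set."""
    return f"{BEARER_COOKIE}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"
```

      The `Secure` attribute is required on the clearing header because browsers reject any `Set-Cookie` for a `__Secure-` prefixed name that lacks it.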

            People

              exceptionfactory David Handermann
              macdoor615 macdoor615

                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 40m