Details
Description
I deployed NiFi 1.170 and authenticate with OpenID Connect. The authentication server is Keycloak 18.0.1.
I can log in and I can use the UI properly.
But when I log out, I get an error and cannot be redirected to the NiFi UI or the Keycloak login UI.
I did some investigation into the source code. I found NiFi only supports ID_TOKEN_LOGOUT for the Okta service. Keycloak and other authentication servers are not supported.
Keycloak says it is compliant with the OpenID Connect spec.
I modified a few lines of source code to let it support ID_TOKEN_LOGOUT for Keycloak. Now I can log out of NiFi and be redirected to the Keycloak login UI, and then log in to NiFi again.
I suggest making NiFi support ID_TOKEN_LOGOUT in a later version for general OpenID Connect servers.
I modified the file https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OIDCAccessResource.java
starting from line 403:
private String determineLogoutMethod(String oidcDiscoveryUrl) {
    Matcher accessTokenMatcher = REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
    Matcher idTokenMatcher = ID_TOKEN_LOGOUT_FORMAT.matcher(oidcDiscoveryUrl);
    if (accessTokenMatcher.find()) {
        return REVOKE_ACCESS_TOKEN_LOGOUT;
    } else {
        return ID_TOKEN_LOGOUT;
    }
}
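The method above picks a logout method from the shape of the discovery URL. As an added example (not NiFi code and not part of the original report), the sketch below instead selects the method from the endpoints the provider advertises in its discovery metadata (`end_session_endpoint`, `revocation_endpoint`) and builds the logout request with `id_token_hint` and `post_logout_redirect_uri`. The class name, the `LOCAL_LOGOUT_ONLY` value, the pre-parsed metadata map and all hostnames are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example, not NiFi code. Class, enum and method names are hypothetical.
public class OidcLogoutSelector {

    enum LogoutMethod { ID_TOKEN_LOGOUT, REVOKE_ACCESS_TOKEN_LOGOUT, LOCAL_LOGOUT_ONLY }

    // Decide from what the provider advertises, not from what its URL looks like.
    static LogoutMethod determineLogoutMethod(Map<String, String> metadata) {
        if (isHttps(metadata.get("end_session_endpoint"))) {
            return LogoutMethod.ID_TOKEN_LOGOUT;
        }
        if (isHttps(metadata.get("revocation_endpoint"))) {
            return LogoutMethod.REVOKE_ACCESS_TOKEN_LOGOUT;
        }
        return LogoutMethod.LOCAL_LOGOUT_ONLY; // nothing advertised: end the local session only
    }

    // Accept only absolute https endpoints; anything else is treated as absent.
    static boolean isHttps(String value) {
        if (value == null || value.isBlank()) return false;
        try { return "https".equalsIgnoreCase(URI.create(value).getScheme()); }
        catch (IllegalArgumentException e) { return false; }
    }

    // Logout request to the end-session endpoint; both values are URL-encoded.
    static URI buildEndSessionUri(String endpoint, String idToken, String postLogoutRedirectUri) {
        String sep = endpoint.contains("?") ? "&" : "?";
        return URI.create(endpoint + sep
                + "id_token_hint=" + URLEncoder.encode(idToken, StandardCharsets.UTF_8)
                + "&post_logout_redirect_uri="
                + URLEncoder.encode(postLogoutRedirectUri, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample metadata; hostnames and paths are placeholders.
        Map<String, String> both = Map.of(
                "end_session_endpoint", "https://idp.example.test/realms/demo/logout",
                "revocation_endpoint", "https://idp.example.test/realms/demo/revoke");
        Map<String, String> revokeOnly =
                Map.of("revocation_endpoint", "https://idp.example.test/oauth2/revoke");

        System.out.println(determineLogoutMethod(both));
        System.out.println(determineLogoutMethod(revokeOnly));
        System.out.println(determineLogoutMethod(Map.of()));
        System.out.println(buildEndSessionUri(both.get("end_session_endpoint"),
                "constructed.id.token", "https://nifi.example.test:8443/nifi/logout-complete"));
    }
}
```

The `post_logout_redirect_uri` value generally has to be registered with the provider for the client, otherwise the provider rejects the redirect after logout.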
Attachments
Issue Links
- fixes NIFI-10827 OIDC Logout Doesn't Work (Resolved)
- links to