Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- 2.0.0-M1, 1.24.0
Description
The OIDC Bearer Token Refresh Filter is responsible for renewing application Bearer Tokens when NiFi is integrated with an OpenID Connect Identity Provider that supports the Refresh Token Grant Type.
NiFi 1.23.0 introduced changes for handling group membership information supplied from an Identity Provider, passing the groups in the application Bearer Token instead of persisting the groups in the local database repository.
As a result of these handling changes, the Identity Provider group membership information is not retained when the OIDC Bearer Token Refresh Filter generates a new token. In deployments where the configured User Group Provider does not provide the group information, this behavior can result in authorization failures after refreshing the token.
The Bearer Token Refresh Filter should be corrected to retrieve group membership information from the new Identity Provider token.
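The failure mode and the correction described above, as an added example that is not NiFi source code (NiFi itself is Java; this is a simplified Python model). The claim name `groups`, the `AppToken` type and all function names are assumptions made for illustration, and the IdP claims are assumed to have been validated already.

```python
# Added illustration: a simplified model in Python, not NiFi source code.
# Every name below (GROUPS_CLAIM, AppToken, refresh_* ...) is hypothetical.
from dataclasses import dataclass

GROUPS_CLAIM = "groups"  # assumed name of the IdP claim carrying group membership


@dataclass(frozen=True)
class AppToken:
    """Application bearer token: identity plus the groups used for authorization."""
    identity: str
    groups: frozenset
    expires_at: int


def groups_from_idp_claims(claims: dict) -> frozenset:
    """Read groups from validated IdP claims; accept a missing, null or single-string claim."""
    value = claims.get(GROUPS_CLAIM) or []
    if isinstance(value, str):
        value = [value]
    return frozenset(str(g) for g in value)


def refresh_dropping_groups(old: AppToken, idp_claims: dict) -> AppToken:
    """Behaviour in the report: the renewed token keeps the identity but no groups."""
    return AppToken(old.identity, frozenset(), idp_claims["exp"])


def refresh_with_idp_groups(old: AppToken, idp_claims: dict) -> AppToken:
    """Corrected behaviour: groups are re-read from the new IdP token on every refresh."""
    return AppToken(old.identity, groups_from_idp_claims(idp_claims), idp_claims["exp"])


def is_authorized(token: AppToken, user_group_provider: dict, required_group: str) -> bool:
    """Effective groups are the token's groups plus those the User Group Provider knows."""
    known = token.groups | frozenset(user_group_provider.get(token.identity, ()))
    return required_group in known


# Constructed sample data: claims of the IdP token returned by the Refresh Token Grant.
NEW_IDP_CLAIMS = {"sub": "alice", "exp": 1700003600, GROUPS_CLAIM: ["operators"]}
LOGIN_TOKEN = AppToken("alice", frozenset({"operators", "admins"}), 1700000000)
EMPTY_PROVIDER = {}  # a User Group Provider that does not supply alice's groups
```

Reading the groups from the new Identity Provider token, rather than copying them from the expiring application token, also means a membership removed at the Identity Provider stops being honoured at the next refresh.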
Issue Links
- is caused by: NIFI-11735 Refactor Identity Provider Group Transfer to Bearer Token (Resolved)