Description
Please add support for OIDC Device Authorization Grant. This is useful for running scripts that access the NiFi API from the CLI. At this time the options are:
- Copy the __Secure-Authorization-Bearer cookie from the browser session: not really a good practice, work- and error-prone
- Enable mTLS: painful for the users, as the browser starts to frequently challenge for the client cert, and even if it worked fine, the client certificate management process is typically lagging behind OIDC identity management
- Use passwords: insecure and prohibited by policy
Having an API endpoint in the Access group that would allow the caller to exchange an OIDC ID or refresh token for a NiFi session token would be perfect for this use case.
Issue Links
- relates to
  - NIFI-11014 JWT token is rejected by NiFi when calling APIs (Resolved)
  - NIFI-12317 REST API Rejects Keycloak OIDC Access Tokens with HTTP 401 (Resolved)
- supercedes
  - NIFI-5302 Add Support for Client Credentials Flow with OIDC Access Tokens (Resolved)
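
For reference, the client side of the Device Authorization Grant requested above (RFC 8628) is a polling loop against the identity provider's token endpoint, sketched here as an added example that is not NiFi code and not part of the original issue. The `post` transport hook, the `fake_idp` stand-in, the `nifi-cli` client ID and the `idp.example` URLs are assumptions made for illustration; exchanging the resulting token for a NiFi session is the part this issue asks for and is not shown.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Terminal error from the token endpoint (access_denied, expired_token, ...)."""

def poll_for_tokens(post, token_url, client_id, device_auth, sleep=time.sleep):
    """Poll the token endpoint until the user approves, denies, or the code expires.

    post(url, form) -> (http_status, json_dict) is a hypothetical transport hook.
    device_auth is the device authorization response from the identity provider.
    """
    interval = device_auth.get("interval", 5)   # RFC 8628 default when omitted
    remaining = device_auth["expires_in"]       # lifetime of the device_code, seconds
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "device_code": device_auth["device_code"]}
    while remaining > 0:
        sleep(interval)
        remaining -= interval
        status, body = post(token_url, form)
        if status == 200:
            return body                         # token response: keep it out of argv and logs
        error = body.get("error")
        if error == "authorization_pending":
            continue                            # user has not finished in the browser yet
        if error == "slow_down":
            interval += 5                       # back-off applies to every later poll
            continue
        raise DeviceFlowError(error or f"HTTP {status}")
    raise DeviceFlowError("expired_token")      # stop polling once the code has lapsed

def fake_idp(responses):
    """Constructed stand-in for an identity provider so the example runs offline."""
    queue = list(responses)
    return lambda url, form: queue.pop(0)

def demo():
    """Run the loop against constructed responses; returns (tokens, sleep intervals)."""
    waits = []
    device_auth = {"device_code": "constructed-device-code", "user_code": "CONSTRUCTED",
                   "verification_uri": "https://idp.example/device",
                   "interval": 5, "expires_in": 600}
    idp = fake_idp([(400, {"error": "authorization_pending"}),
                    (400, {"error": "slow_down"}),
                    (200, {"access_token": "constructed-token", "token_type": "Bearer"})])
    tokens = poll_for_tokens(idp, "https://idp.example/token", "nifi-cli",
                             device_auth, sleep=waits.append)
    return tokens, waits
```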