The current oidc client authentication methods (client_secret_post, client_secret_basic) require client credentials (client_secret) to be stored as plain text on the client's filesystem, which could also be inadvertently checked into source control system.
Due to these and other security considerations, we should be able to use assertions as client credentials for authenticating against the token endpoint.
While using assertions an oidc client will include client_assertion and client_assertion_type parameters instead of passing the client_secret for authentication.
Details on the OAuth 2.0 specifications for client authentication using jwt and assertions can be found under
- RFC 7523, Section 2.2 (Using JWTs for Client Authentication)
- RFC 7521 (Using Assertions for Client Authentication).
Summary of the changes needed for assertion based client authentication.
- Generate a pair of private and public key which can be made available to Nifi via a keystore on the filesystem.
- Make the public key or cert available to the Authorization Server. Alternatively to allow key rotations, we could configure a JWKS URL within Nifi to allow the authorization server download the public key using the keyId (kid).
- While building the token request against the token endpoint, need StandardOidcIdentityProvider to provide a way to build a private_key_jwt based client authentication in addition to the existing client_secret_basic, client_secret_post.
- Encode and sign the JWT token with the private key, conforming to RFC 7523, section 2.2 and pass the signed token within the client_assertion request parameter along with the client_assertion_type.
- The Authorization Server will use the client's public key or cert to verify the signature of the JWT and issues the token
Nifi Token Exchange Process
When authentication within Nifi is enabled via OpenId Connect, a user is re-directed to the configured authorization endpoint (authorization server) via Nifi's oidc/request endpoint. The user upon successfully authenticating with the authorization server is directed back to Nifi's (oidc/callback endpoint) with a temporary authorization code. This authorization code is then exchanged for an ID Token by the OidcService via the Oidc Identity Provider (StandardOidcIdentityProvider - exchangeAuthorizationCode(authorizationGrant)). The identity provider requests this exchange by authenticating itself against the token endpoint of the authorization server and presenting the authorization grant. The authorization server authenticates the client, validates the authorization grant and upon successful validation it issues an access token to Nifi.
Currently, the exchangeAuthorizationCode(...) on StandardOidcIdentityProvider provides two methods of Client Authentication (client_secret_basic, client_secret_post) which are both based on the Authorization Server issuing a set of client credentials (client_secret) which are presented to the authorization server as client credentials during token exchange.