[NIFI-8766] Improve JWT Authentication Handling - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.14.0, 1.13.2
Fix Version/s: 1.15.0
Component/s: Core UI, Security
Labels:
- JWT
- security

Description

NiFi access for username and password authentication currently leverages several custom classes to handle JWT generation, signing, and verification. The JWT service uses symmetric keys generated for each user with the HMAC SHA256 signing algorithm, and stores signing keys in the local node database. NiFi deletes the symmetric signing key for each user on logout.

The Spring Security OAuth2 library provides more standardized components to handle JWT verification, which will reduce the need for custom Spring Security authentication provider classes. The JWT generation process should be evaluated and refactored to support more frequent key rotation. Transitioning to asymmetric keys for JWT signing and avoiding persistence of private signing keys should also be considered.

Attachments

Issue Links

relates to

NIFI-8056 OpenID Connect Integration does not support Proxy Servers

Open

NIFI-7246 JWT Generated by a node in the cluster is not honored by other nodes in the cluster.

Resolved

links to

GitHub Pull Request #5262

Activity

People

Assignee:: David Handermann

Reporter:: David Handermann

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Jul/21 13:19

Updated:: 24/Aug/21 04:16

Resolved:: 24/Aug/21 04:16

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

7.5h