NiFi access for username and password authentication currently leverages several custom classes to handle JWT generation, signing, and verification. The JWT service uses symmetric keys generated for each user with the HMAC SHA256 signing algorithm, and stores signing keys in the local node database. NiFi deletes the symmetric signing key for each user on logout.
The Spring Security OAuth2 library provides more standardized components to handle JWT verification, which will reduce the need for custom Spring Security authentication provider classes. The JWT generation process should be evaluated and refactored to support more frequent key rotation. Transitioning to asymmetric keys for JWT signing and avoiding persistence of private signing keys should also be considered.