[
https://issues.apache.org/jira/browse/NIFI-10322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577256#comment-17577256
]
macdoor615 commented on NIFI-10322:
-----------------------------------
[~exceptionfactory] Thank you!
I have tried both option.
* rebuild NiFi 1.17.0 from source with [GitHub Pull Request
#6278|https://github.com/apache/nifi/pull/6278]
* add proxy_cookie_path directive in nginx conf
Both options can be successful.
> invalid_token error after OpenID connect session timeout
> --------------------------------------------------------
>
> Key: NIFI-10322
> URL: https://issues.apache.org/jira/browse/NIFI-10322
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 1.17.0
> Reporter: macdoor615
> Assignee: David Handermann
> Priority: Major
> Fix For: 1.18.0
>
> Attachments: image-2022-08-05-22-48-17-835.png,
> image-2022-08-05-22-48-52-057.png, image-2022-08-07-14-28-09-058.png,
> image-2022-08-07-15-22-36-213.png, image-2022-08-07-15-27-18-902.png,
> image-2022-08-07-15-37-29-739.png, image-2022-08-07-15-43-14-922.png,
> image-2022-08-07-15-47-57-158.png, image-2022-08-07-15-53-47-220.png,
> image-2022-08-07-16-00-11-443.png, image-2022-08-07-16-11-38-180.png,
> image-2022-08-08-23-33-30-220.png, image-2022-08-08-23-35-02-773.png,
> image-2022-08-08-23-59-12-471.png, nginx-access.log.zip,
> nifi-1.16.3-logs.zip, nifi-1.17.0-logs.zip
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I follow
> [https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect] to
> config NIFI 1.16.3 and it is work properly. If the session times out, login
> again and it will work again
> I configured 1.17.0 in the same way. I can login and operate nifi UI. But
> when session times out. I got the following error.
>
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred
> while attempting to decode the Jwt: Expired JWT",
> error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>
> !image-2022-08-05-22-48-17-835.png|width=758,height=108!
> I try to login again and get a new error, and I cannot enter the NIFI
> interface.
>
> {code:java}
> Unauthorized error="invalid_token", error_description="An error occurred
> while attempting to decode the Jwt: Signed JWT rejected: Another algorithm
> expected, or no matching key(s) found",
> error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"{code}
>
> !image-2022-08-05-22-48-52-057.png|width=594,height=143!
> I did some research, and found
> After the session times out,
> NIFI 1.16.3 leaves 3 cookies in browser:
> * nifi-logout-request-identifier
> * nifi-oidc-request-identifier
> * __Secure-Request-Token
> NIFI 1.17.0 leaves 2 cookies:
> * *__Secure-Authorization-Bearer*
> * __Secure-Request-Token
> __Secure-Authorization-Bearer cookie contains a expired JWT:
> {code:java}
> eyJraWQiOiJhMDlhZDhlMy0xZDkzLTQyZTEtYjg0Ni0xMWU0ODRkODYwYWYiLCJhbGciOiJQUzUxMiJ9.eyJzdWIiOiJhZG1pbi5uaWZpQGd1bWhiMy5jb20iLCJhdWQiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwibmJmIjoxNjU5NjExOTc0LCJpc3MiOiJodHRwcyUzQSUyRiUyRjM2LjEzMy41NS4xMDAlM0E4OTQzJTJGcmVhbG1zJTJGenpub2RlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ubmlmaUBndW1oYjMuY29tIiwiZXhwIjoxNjU5NjEyMjc0LCJpYXQiOjE2NTk2MTE5NzQsImp0aSI6IjFiZTg5MjU4LTliZmYtNDhmOS04OGNmLWU0NDIzMDZjYzg4ZCJ9.Y9yE0hNH_q-W94_cFWOWGc7TPMP2xB9coaSRPT9twYqSyjTtudOiiXGxHEDUWsOvUFf7lT7wNH4RZ_LhOM-5WfTZ3o-DCVFnl0JjeZ-L9d-z3rO4dEspRxXpr46AewEGy_lpstSUFyihr4i8b2VI7IT0aFOCGAIXRWl7gfH75e5La_0tbsu9lgSRdyYBBv8rSjojJC5bBSqxj-BkrfjdMhyMuF9OdMCJNmyh18BrXbavwftNerytkd_Qf9eNLmzsZ3SOdKWpftKt4kClD_KeL0nOglhM-ENyb4QLwxr7l5lhUgQ-2am3x5okbRyYip_WV4YQ6DfmUnLL1FYFATWXa5CUimSRbSZzkqU2JEYerpvKsTf-prdsSNryPbrQdf5HqpwhlGbFrgm4jwtncZHTLEL4ZMciVe0H-zIcQ9vyDqamMpf6fyNWmQN8DdDP9A0Zpo7SL7yhOUjNGsjk1gV4OAHWgp4XQzj4KwoGf7ICjeOrzinECHFZw9Ccyi8KMooRx4u3oAuKPEx3mrZFNFDaiAzWX0kZ31c24-15cno2bLBMGOIx7ipjb6Pv7V6O9S2aA2vC3eVLnfAgHAox3I8_IzWLUKddHCqd6cfA1XW8ckSgg2QddKvgYHiCZpwVV4AMDpK4bI1J0ZbxbgOOke9IMMudNhZUFQdWJIXh-gx1bII{code}
> I manually delete __Secure-Authorization-Bearer cookie, and I can login NIFI
> 1.17.0 again.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
