[ https://issues.apache.org/jira/browse/NIFI-11781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann updated NIFI-11781: ------------------------------------ Summary: Azure AD SSO with OIDC fails in NiFi 1.21.0 and 1.22.0 (was: Azure AD SSO stopped working for NiFi v1.21 and above) > Azure AD SSO with OIDC fails in NiFi 1.21.0 and 1.22.0 > ------------------------------------------------------ > > Key: NIFI-11781 > URL: https://issues.apache.org/jira/browse/NIFI-11781 > Project: Apache NiFi > Issue Type: Bug > Affects Versions: 1.21.0, 1.22.0 > Environment: Docker container from > https://hub.docker.com/r/apache/nifi tags v1.21, v1.22 > Reporter: Evgenity > Assignee: David Handermann > Priority: Blocker > Fix For: 1.latest, 2.latest, 1.23.0 > > Time Spent: 10m > Remaining Estimate: 0h > > I have successfully applied [the instructions > |https://github.com/benkelly/NiFi-Authentication-with-Azure-Active-Directory-Setup-Guide]for > NiFi 1.19, 1.20. It works perfectly for upn claim. > After changing docker image to 1.21, 1.22 I faced an issue with accounts > which {+}do not have *emails* assigned in Azure AD{+}. > In the NiFi release notes I see 'Refactored OpenID Connect integration with > support for Refresh Tokens' - > [https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.21.0] > Isn't this a case? > With accounts that have 'email' property in Azure AD AND > nifi.security.user.oidc.claim.identifying.user=email everything works fine. > NiFi is configured as follows: > nifi.properties: > {code:java} > # OpenId Connect SSO Properties # > nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/{{tenantid}}/v2.0/.well-known/openid-configuration > nifi.security.user.oidc.connect.timeout=5 secs > nifi.security.user.oidc.read.timeout=5 secs > nifi.security.user.oidc.client.id=<client.id> > nifi.security.user.oidc.client.secret=<client.secret> > nifi.security.user.oidc.preferred.jwsalgorithm= > nifi.security.user.oidc.claim.identifying.user=upn > nifi.security.user.oidc.additional.scopes=profile{code} > authorizers.xml: > {code:java} > <userGroupProvider> > <identifier>aad-user-group-provider</identifier> > > <class>org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider</class> > <property name="Refresh Delay">5 mins</property> > <property name="Authority > Endpoint">https://login.microsoftonline.com</property> > <property name="Directory > ID">{{.Values.auth.oidc.tenantId}}</property> > <property name="Application > ID">{{.Values.auth.oidc.clientId}}</property> > <property name="Client > Secret">{{.Values.auth.oidc.clientSecret}}</property> > <property name="Group Filter Prefix">PR</property> > <property name="Page Size">100</property> > </userGroupProvider>{code} > app logs output: > > {code:java} > <h2 style="color: rgb(0, 0, 0); font-family: Times; font-style: normal; > font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: > normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: > none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; > white-space: normal; text-decoration-thickness: initial; > text-decoration-style: initial; text-decoration-color: initial;">HTTP ERROR > 500 java.lang.IllegalArgumentException: Missing attribute 'upn' in > attributes</h2> > URI: | /nifi-api/access/oidc/callback > -- | -- > 500 > java.lang.IllegalArgumentException: Missing attribute 'upn' in attributes > jerseySpring > java.lang.IllegalArgumentException: Missing attribute 'upn' in attributes > <h3 style="color: rgb(0, 0, 0); font-family: Times; font-style: normal; > font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: > normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: > none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; > white-space: normal; text-decoration-thickness: initial; > text-decoration-style: initial; text-decoration-color: initial;">Caused > by:</h3><pre style="color: rgb(0, 0, 0); font-style: normal; > font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; > letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; > text-transform: none; widows: 2; word-spacing: 0px; > -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; > text-decoration-style: initial; text-decoration-color: > initial;">java.lang.IllegalArgumentException: Missing attribute 'upn' in > attributes > at > org.springframework.security.oauth2.core.user.DefaultOAuth2User.<init>(DefaultOAuth2User.java:72) > at > org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService.loadUser(DefaultOAuth2UserService.java:116) > at > org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService.loadUser(OidcUserService.java:109) > at > org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService.loadUser(OidcUserService.java:66) > at > org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:156) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) > at > org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:195) > at > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:231) > at > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:132) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94) > at > org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:118) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.apache.nifi.web.security.logout.StandardLogoutFilter.doFilterInternal(StandardLogoutFilter.java:64) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225) > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190) > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) > at > org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46) > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201) > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) > at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487) > at > org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51) > at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336) > at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301) > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) > at > org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) > at > org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) > at > org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552) > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) > at > org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600) > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) > at > org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440) > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505) > at > org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355) > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > at > org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146) > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772) > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191) > at > org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59) > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > at org.eclipse.jetty.server.Server.handle(Server.java:516) > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487) > at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732) > at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479) > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555) > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410) > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164) > at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) > at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) > at java.base/java.lang.Thread.run(Unknown Source)</pre> > {code} > Attempts to use 'preferred_username' for > nifi.security.user.oidc.claim.identifying.user=preferred_username resulted in > the same. > Optional claim for ID Tokens also added in Azure AD. > So, NiFi accepts nothing but 'email' for this parameter. -- This message was sent by Atlassian Jira (v8.20.10#820010)