David Handermann created NIFI-12418:
---------------------------------------
Summary: Identity Provider Groups Missing in Refreshed Bearer Token
Key: NIFI-12418
URL: https://issues.apache.org/jira/browse/NIFI-12418
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework, Security
Affects Versions: 1.24.0, 2.0.0-M1
Reporter: David Handermann
Assignee: David Handermann
The OIDC Bearer Token Refresh Filter is responsible for renewing application
Bearer Tokens when NiFi is integrated with an OpenID Connect Identity Provider
that supports the Refresh Token Grant Type.
NiFi 1.23.0 introduced changes for handling group membership information
supplied from an Identity Provider, passing the groups in the application
Bearer Token instead of persisting the groups in the local database repository.
As a result of these handling changes, the Identity Provider group membership
information is not retained when the OIDC Bearer Token Refresh Filter generates
a new token. In deployments where the configured User Group Provider does not
provide the group information, this behavior can result in authorization
failures after refreshing the token.
The Bearer Token Refresh Filter should be corrected to retrieve group
membership information from the new Identity Provider token.
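To make the failure mode concrete, the following is an added Python model of the refresh path (not NiFi code): a defective refresh that carries over only the subject beside a corrected refresh that reads groups from the new Identity Provider token, checked against a User Group Provider that supplies no groups. Token contents, claim names and the helper functions are constructed assumptions for illustration.

```python
"""Model of NIFI-12418: group claims dropped when the bearer token is refreshed."""
import base64
import json
import time


def b64url_json(payload: dict) -> str:
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_jwt(payload: dict) -> str:
    """Constructed, unsigned JWT-shaped string (header.payload.) for the demo only."""
    return f"{b64url_json({'alg': 'none'})}.{b64url_json(payload)}."


def claims(token: str) -> dict:
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def issue_application_token(subject: str, groups: list, ttl: int = 3600) -> str:
    now = int(time.time())
    return unsigned_jwt({"sub": subject, "groups": groups, "iat": now, "exp": now + ttl})


# Constructed token as the Identity Provider would return it from the Refresh Token Grant.
IDP_REFRESHED_ID_TOKEN = unsigned_jwt({"sub": "alice", "groups": ["flow-operators"]})


def refresh_dropping_groups(current_app_token: str, new_idp_token: str) -> str:
    """Defective behaviour: only the subject is carried over, IdP groups are lost."""
    return issue_application_token(claims(current_app_token)["sub"], [])


def refresh_with_groups(current_app_token: str, new_idp_token: str) -> str:
    """Corrected behaviour: groups are read from the new Identity Provider token."""
    subject = claims(current_app_token)["sub"]
    return issue_application_token(subject, claims(new_idp_token).get("groups", []))


def user_group_provider_groups(subject: str) -> list:
    """Stand-in for a configured User Group Provider that supplies no group information."""
    return []


def authorized(app_token: str, required_group: str) -> bool:
    c = claims(app_token)
    effective = set(c.get("groups", [])) | set(user_group_provider_groups(c["sub"]))
    return required_group in effective


if __name__ == "__main__":
    original = issue_application_token("alice", ["flow-operators"])
    print(authorized(refresh_dropping_groups(original, IDP_REFRESHED_ID_TOKEN), "flow-operators"))  # False
    print(authorized(refresh_with_groups(original, IDP_REFRESHED_ID_TOKEN), "flow-operators"))      # True
```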
--
This message was sent by Atlassian Jira
(v8.20.10#820010)