[ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790251#comment-17790251 ]
David Handermann commented on NIFI-12418:
-----------------------------------------

Reference dev mailing list thread: https://lists.apache.org/thread/54tpom04nv526ql8zv91n7ll1wc24sdh

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
> Key: NIFI-12418
> URL: https://issues.apache.org/jira/browse/NIFI-12418
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 2.0.0-M1, 1.24.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity
> Provider that supports the Refresh Token Grant Type.
>
> NiFi 1.23.0 introduced changes for handling group membership information
> supplied from an Identity Provider, passing the groups in the application
> Bearer Token instead of persisting the groups in the local database
> repository.
>
> As a result of these handling changes, the Identity Provider group membership
> information is not retained when the OIDC Bearer Token Refresh Filter
> generates a new token. In deployments where the configured User Group
> Provider does not provide the group information, this behavior can result in
> authorization failures after refreshing the token.
>
> The Bearer Token Refresh Filter should be corrected to retrieve group
> membership information from the new Identity Provider token.
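The following is an added, self-contained model of the failure mode the issue describes and of the corrected refresh behaviour; it is example code written for this page, not NiFi's OIDC Bearer Token Refresh Filter or any other NiFi source. It uses a minimal hand-rolled HS256 JWT with constructed signing keys (`IDP_KEY`, `APP_KEY`), constructed identity-provider tokens for a subject `alice`, and hypothetical function names (`issue_application_token`, `refresh_without_groups`, `refresh_from_idp_token`, `authorize`) that stand in for the login, the two refresh variants, and an authorization check whose only source of group membership is the application Bearer Token, which models a User Group Provider that supplies no group information of its own.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing keys for this model only; a real deployment derives keys from its own key management.
IDP_KEY = b"constructed-identity-provider-key"
APP_KEY = b"constructed-application-token-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: header.payload.signature, each part base64url without padding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the HMAC over header.payload and return the claims; reject anything unsigned or altered."""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bearer token signature mismatch")
    return json.loads(_b64url_decode(payload))


def issue_application_token(idp_token: str, now: int, ttl: int = 300) -> str:
    """Initial login: copy identity and group membership from the IdP token into the application token."""
    idp_claims = verify_jwt(idp_token, IDP_KEY)
    return sign_jwt(
        {"sub": idp_claims["sub"], "groups": idp_claims.get("groups", []), "iat": now, "exp": now + ttl},
        APP_KEY,
    )


def refresh_without_groups(app_token: str, new_idp_token: str, now: int, ttl: int = 300) -> str:
    """Behaviour the issue describes: the renewed token carries the subject but not the IdP groups."""
    old_claims = verify_jwt(app_token, APP_KEY)
    verify_jwt(new_idp_token, IDP_KEY)  # the new IdP token is obtained, but its groups are never read
    return sign_jwt({"sub": old_claims["sub"], "iat": now, "exp": now + ttl}, APP_KEY)


def refresh_from_idp_token(app_token: str, new_idp_token: str, now: int, ttl: int = 300) -> str:
    """Corrected behaviour: read group membership from the new IdP token on every refresh."""
    old_claims = verify_jwt(app_token, APP_KEY)
    new_idp_claims = verify_jwt(new_idp_token, IDP_KEY)
    if new_idp_claims["sub"] != old_claims["sub"]:
        raise ValueError("refreshed identity does not match the existing application token")
    return sign_jwt(
        {"sub": new_idp_claims["sub"], "groups": new_idp_claims.get("groups", []), "iat": now, "exp": now + ttl},
        APP_KEY,
    )


def authorize(app_token: str, required_group: str) -> bool:
    """Authorization decision that depends only on the groups carried in the application token."""
    claims = verify_jwt(app_token, APP_KEY)
    return required_group in claims.get("groups", [])


def demo() -> dict:
    """Run a login, then both refresh variants, and report whether authorization survives each."""
    now = 1_700_000_000
    # Constructed IdP tokens: login and a later refresh for the same subject; the refresh drops one group.
    login_idp = sign_jwt({"sub": "alice", "groups": ["nifi-operators", "nifi-admins"]}, IDP_KEY)
    refresh_idp = sign_jwt({"sub": "alice", "groups": ["nifi-operators"]}, IDP_KEY)

    token = issue_application_token(login_idp, now)
    broken = refresh_without_groups(token, refresh_idp, now + 200)
    fixed = refresh_from_idp_token(token, refresh_idp, now + 200)
    return {
        "login_authorized": authorize(token, "nifi-operators"),
        "broken_refresh_authorized": authorize(broken, "nifi-operators"),
        "fixed_refresh_authorized": authorize(fixed, "nifi-operators"),
        "fixed_refresh_reflects_removal": not authorize(fixed, "nifi-admins"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes side by side: after `refresh_without_groups` the same user who was authorized at login is denied, which is the post-refresh authorization failure the report describes, while `refresh_from_idp_token` keeps the user authorized and also picks up a membership the Identity Provider has since revoked, so the corrected filter neither loses nor freezes group information.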