[ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17798290#comment-17798290 ]
ASF subversion and git services commented on NIFI-12418:
--------------------------------------------------------

Commit db919bc49401262edfad3c5beb00b169433954ce in nifi's branch refs/heads/support/nifi-1.x from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=db919bc494 ]

NIFI-12418 Corrected Provider Groups Missing in Refreshed Tokens (#8126)

- Updated OidcBearerTokenRefreshFilter to maintain current Identity Provider Groups when generating refreshed application Bearer Tokens
- Refactored LoginAuthenticationToken to remove unnecessary optional constructors and use java.time.Instant for expiration
- Added Issuer Provider with implementation for Bearer Token Issuer based on host and port properties

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
>                 Key: NIFI-12418
>                 URL: https://issues.apache.org/jira/browse/NIFI-12418
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 2.0.0-M1, 1.24.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: backport-needed
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information
> supplied from an Identity Provider, passing the groups in the application
> Bearer Token instead of persisting the groups in the local database
> repository.
> As a result of these handling changes, the Identity Provider group membership
> information is not retained when the OIDC Bearer Token Refresh Filter
> generates a new token. In deployments where the configured User Group
> Provider does not provide the group information, this behavior can result in
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group
> membership information from the new Identity Provider token.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
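
The failure mode described in the issue, modelled as an added example that is not NiFi's code and not part of the original message. The class, record and method names are hypothetical, and the sample identity and group are constructed; the model assumes no other User Group Provider supplies membership.

```java
import java.time.Instant;
import java.util.Set;

// Added illustration: hypothetical types, not NiFi classes.
public class RefreshGroupsExample {
    // Claims returned by the Identity Provider after a Refresh Token Grant.
    record ProviderToken(String subject, Set<String> groups, Instant expiration) {}

    // Application Bearer Token that carries the groups itself instead of
    // relying on groups persisted in a local database.
    record AppToken(String identity, Set<String> groups, Instant expiration) {}

    // Behaviour described in the issue: the refreshed token is issued without groups.
    static AppToken refreshDroppingGroups(ProviderToken refreshed) {
        return new AppToken(refreshed.subject(), Set.of(), refreshed.expiration());
    }

    // Corrected behaviour: group membership is read from the new Identity Provider token.
    static AppToken refreshKeepingGroups(ProviderToken refreshed) {
        return new AppToken(refreshed.subject(), Set.copyOf(refreshed.groups()), refreshed.expiration());
    }

    // Group-based policy check where the token is the only source of membership.
    static boolean authorized(AppToken token, String requiredGroup) {
        return Instant.now().isBefore(token.expiration())
                && token.groups().contains(requiredGroup);
    }

    public static void main(String[] args) {
        // Constructed sample input.
        ProviderToken refreshed = new ProviderToken(
                "alice", Set.of("nifi-operators"), Instant.now().plusSeconds(3600));

        System.out.println("groups dropped on refresh: authorized="
                + authorized(refreshDroppingGroups(refreshed), "nifi-operators"));
        System.out.println("groups kept on refresh:    authorized="
                + authorized(refreshKeepingGroups(refreshed), "nifi-operators"));
    }
}
```

A regression test for this class of bug compares the group set of the token issued at login with the one issued after a refresh, since the failure only appears once the first application token has been replaced.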