[jira] [Commented] (NIFI-12418) Identity Provider Groups Missing in Refreshed Bearer Token

Mon, 18 Dec 2023 09:14:04 -0800 


    [ 
https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17798290#comment-17798290
 ] 

ASF subversion and git services commented on NIFI-12418:
--------------------------------------------------------

Commit db919bc49401262edfad3c5beb00b169433954ce in nifi's branch 
refs/heads/support/nifi-1.x from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=db919bc494 ]

NIFI-12418 Corrected Provider Groups Missing in Refreshed Tokens (#8126)

- Updated OidcBearerTokenRefreshFilter to maintain current Identity Provider 
Groups when generating refreshed application Bearer Tokens
- Refactored LoginAuthenticationToken to remove unnecessary optional 
constructors and use java.time.Instant for expiration
- Added Issuer Provider with implementation for Bearer Token Issuer based on 
host and port properties


> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
>                 Key: NIFI-12418
>                 URL: https://issues.apache.org/jira/browse/NIFI-12418
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 2.0.0-M1, 1.24.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: backport-needed
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application 
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity 
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information 
> supplied from an Identity Provider, passing the groups in the application 
> Bearer Token instead of persisting the groups in the local database 
> repository.
> As a result of these handling changes, the Identity Provider group membership 
> information is not retained when the OIDC Bearer Token Refresh Filter 
> generates a new token. In deployments where the configured User Group 
> Provider does not provide the group information, this behavior can result in 
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group 
> membership information from the new Identity Provider token.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to