[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110865#comment-16110865 ]
ASF GitHub Bot commented on NIFI-4210: -------------------------------------- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130871309 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- @@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } + @GET + @Consumes(MediaType.WILDCARD) + @Produces(MediaType.WILDCARD) + @Path("oidc/request") + @ApiOperation( + value = "Initiates a request to authenticate through the configured OpenId Connect provider." + ) + public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { + // only consider user specific access over https + if (!httpServletRequest.isSecure()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); + return; + } + + // ensure oidc is enabled + if (!oidcService.isOidcEnabled()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); + return; + } + + final String oidcRequestIdentifier = UUID.randomUUID().toString(); + + // generate a cookie to associate this login sequence + final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); + cookie.setPath("/"); + cookie.setHttpOnly(true); + cookie.setMaxAge(60); + cookie.setSecure(true); + httpServletResponse.addCookie(cookie); + + // get the state for this request + final State state = oidcService.createState(oidcRequestIdentifier); + + // build the authorization uri + final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) + .queryParam("client_id", oidcService.getClientId()) + .queryParam("response_type", "code") + .queryParam("scope", oidcService.getScope().toString()) + .queryParam("state", state.getValue()) + .queryParam("redirect_uri", getOidcCallback()) + .build(); + + // generate the response + httpServletResponse.sendRedirect(authorizationUri.toString()); + } + + @GET + @Consumes(MediaType.WILDCARD) + @Produces(MediaType.WILDCARD) + @Path("oidc/callback") + @ApiOperation( + value = "Redirect/callback URI for processing the result of the OpenId Connect login sequence." + ) + public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { + // only consider user specific access over https + if (!httpServletRequest.isSecure()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); + return; + } + + // ensure oidc is enabled + if (!oidcService.isOidcEnabled()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); + return; + } + + final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); + if (oidcRequestIdentifier == null) { --- End diff -- `getCookieValue` returns null when no cookie is found with the specified name. I'll update the Javadoc's on that method to make it clearer. If there is a cookie with that name, we attempt to use the associated value in the login process. We have not formally defined a format for this identifier. Rather, we've left it just a `String` for now in case we choose to change it later. > Add OpenId Connect support for authenticating users > --------------------------------------------------- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI > Reporter: Matt Gilman > Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection > specification. Evaluate whether a new extension point is necessary to allow > for a given provider to supply custom code for instance to implement custom > token validation. -- This message was sent by Atlassian JIRA (v6.4.14#64029)