[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711965#comment-17711965 ]

macdoor615 commented on NIFI-11409:
-----------------------------------

[~exceptionfactory] Thank you for your suggestion. Translating a hostname into different IP in the internal and external network may be the only feasible solution at present.

> OIDC Token Revocation Error on Logout
> -------------------------------------
>
>                 Key: NIFI-11409
>                 URL: https://issues.apache.org/jira/browse/NIFI-11409
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.21.0
>         Environment: NiFi 1.21.0 cluster with 4 nodes
> openjdk version "11.0.18" 2023-01-17 LTS
> OpenJDK Runtime Environment (Red_Hat-11.0.18.0.10-1.el7_9) (build 11.0.18+10-LTS)
> OpenJDK 64-Bit Server VM (Red_Hat-11.0.18.0.10-1.el7_9) (build 11.0.18+10-LTS, mixed mode, sharing)
> Linux hb3-ifz-bridge-004 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> Keycloak 20.0.2
>            Reporter: macdoor615
>            Assignee: David Handermann
>            Priority: Major
>         Attachments: RFC6749 flow.png, macdoor network topology.png, 截屏2023-04-08 12.40.30.png, 截屏2023-04-09 13.17.25.png, 截屏2023-04-09 13.33.25.png
>
>
> My NiFi 1.21.0 cluster has 4 nodes and using oidc authentication.
> I can log in properly, but when I click logout on webui, I got HTTP ERROR 503.
> !截屏2023-04-08 12.40.30.png|width=479,height=179!
> I also find 503 in nifi-request.log
>
> {code:java}
> 10.12.69.33 - - [08/Apr/2023:04:24:13 +] "GET /nifi-api/access/oidc/logout HTTP/1.1" 503 425 "https://36.138.166.203:18088/nifi/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15"{code}
>
> and WARNs in nifi-user.log, 36.133.55.100 is load balance's external IP. It can not be accessed in intra net.
>
> {code:java}
> 2023-04-08 12:24:43,511 WARN [NiFi Web Server-59] o.a.n.w.s.o.r.StandardTokenRevocationResponseClient Token Revocation Request processing failed
> org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/revoke": connect timed out; nested exception is java.net.SocketTimeoutException: connect timed out
>     at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:791)
>     at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:666)
>     at org.apache.nifi.web.security.oidc.revocation.StandardTokenRevocationResponseClient.getResponseEntity(StandardTokenRevocationResponseClient.java:81)
>     at org.apache.nifi.web.security.oidc.revocation.StandardTokenRevocationResponseClient.getRevocationResponse(StandardTokenRevocationResponseClient.java:70)
>     at org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler.processRefreshTokenRevocation(OidcLogoutSuccessHandler.java:181)
>     at org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler.processLogoutRequest(OidcLogoutSuccessHandler.java:159)
>     at org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler.onLogoutSuccess(OidcLogoutSuccessHandler.java:127)
>     at org.apache.nifi.web.security.logout.StandardLogoutFilter.doFilterInternal(StandardLogoutFilter.java:62)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
>     at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711949#comment-17711949 ]

David Handermann commented on NIFI-11409:
-----------------------------------------

Thanks for the diagram [~macdoor615], that is very helpful, and makes sense from the previous background shown in the OIDC Discovery configuration.

In the JSON you previously shared, there was a mix of the hostname and IP address in the different endpoints. It should be possible to make something work if you have an internal DNS resolver behind the firewall, or custom /etc/hosts entries. A solution using different DNS servers would be the ideal approach.
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711948#comment-17711948 ]

macdoor615 commented on NIFI-11409:
-----------------------------------

[~exceptionfactory] Unfortunately, my problem has not been solved yet. Here is my network topology,

!macdoor network topology.png|width=416,height=352!

NiFi Server is behind a firewall and cannot access the Internet from inside, while WebUI is outside the firewall and cannot directly access intranet resources, only through nginx.

Take authorization_endpoint and revocation_endpoint as an example, WebUI gets OpenID Connect Discovery configuration from NiFi Server (step 1,2,3 in the figure), so their URLs share the same hostname.

If I set hostname to external URL, start with https://36.133.55.100:8943/, WebUI can successfully call authorization_endpoint (step 4 in the figure), but NiFi Server will timeout when calling revocation_endpoint (step 5 in the figure). In this scenario I can login but not logout.

{noformat}
"authorization_endpoint": "https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/auth",
"revocation_endpoint": "https://36.133.55.100:8943/realms/zznode/protocol/openid-connect/revoke"
{noformat}

On the contrary, I set hostname to internal URL, start with https://hb3-prod-lb-000:8943/, WebUI will timeout when calling authorization_endpoint. In this scenario I cannot login.

{noformat}
"authorization_endpoint": "https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/auth",
"revocation_endpoint": "https://hb3-prod-lb-000:8943/realms/zznode/protocol/openid-connect/revoke"
{noformat}

Maybe I can add host in MacBook's /etc/hosts file

{code:java}
36.133.55 hb3-prod-lb-000{code}

But I still hope to find an elegant way
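The reachability split described in the two comments above (one discovery document whose endpoints are called partly by the browser and partly by the NiFi server), as an added example that is not part of the thread or of NiFi's code. The `token_endpoint` value, the internal address `10.0.0.10`, the resolver "views" and all function names are constructed assumptions; the other hosts and paths are the ones quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Which party opens the connection to each discovery endpoint when the relying
# party is a confidential web application (RFC 6749 section 2.1).
FRONT_CHANNEL = {"authorization_endpoint", "end_session_endpoint"}
BACK_CHANNEL = {"token_endpoint", "userinfo_endpoint", "jwks_uri",
                "revocation_endpoint", "introspection_endpoint"}


def is_ip_literal(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_discovery(doc, browser_view, server_view):
    """Return (endpoint, caller, host, problem) for every endpoint its caller cannot reach.

    A view models one side of the firewall: {"dns": {name: ip}, "routable": {ip, ...}}.
    """
    findings = []
    for name in sorted(doc):
        if name in FRONT_CHANNEL:
            caller, view = "browser", browser_view
        elif name in BACK_CHANNEL:
            caller, view = "server", server_view
        else:
            continue  # issuer and other metadata are not connection targets here
        host = urlsplit(doc[name]).hostname
        literal = is_ip_literal(host)
        ip = host if literal else view["dns"].get(host)
        if ip is None:
            findings.append((name, caller, host, "unresolvable"))
        elif ip not in view["routable"]:
            # An IP literal cannot be remapped by split DNS or /etc/hosts.
            problem = "ip-literal-unroutable" if literal else "resolves-to-unroutable-ip"
            findings.append((name, caller, host, problem))
    return findings


# Constructed sample documents modelled on the endpoints quoted in the thread.
BASE = "/realms/zznode/protocol/openid-connect/"
EXTERNAL_IP_DOC = {
    "issuer": "https://36.133.55.100:8943/realms/zznode",
    "authorization_endpoint": "https://36.133.55.100:8943" + BASE + "auth",
    "token_endpoint": "https://hb3-prod-lb-000:8943" + BASE + "token",  # assumed
    "revocation_endpoint": "https://36.133.55.100:8943" + BASE + "revoke",
}
HOSTNAME_DOC = {
    "issuer": "https://hb3-prod-lb-000:8943/realms/zznode",
    "authorization_endpoint": "https://hb3-prod-lb-000:8943" + BASE + "auth",
    "token_endpoint": "https://hb3-prod-lb-000:8943" + BASE + "token",  # assumed
    "revocation_endpoint": "https://hb3-prod-lb-000:8943" + BASE + "revoke",
}

# Constructed network views: the browser sits outside the firewall, NiFi inside.
BROWSER_NO_OVERRIDE = {"dns": {}, "routable": {"36.133.55.100"}}
BROWSER_WITH_OVERRIDE = {"dns": {"hb3-prod-lb-000": "36.133.55.100"},
                         "routable": {"36.133.55.100"}}
SERVER_INTERNAL = {"dns": {"hb3-prod-lb-000": "10.0.0.10"},  # assumed internal IP
                   "routable": {"10.0.0.10"}}

if __name__ == "__main__":
    cases = [
        ("external IP in discovery", EXTERNAL_IP_DOC, BROWSER_NO_OVERRIDE),
        ("internal hostname, no browser override", HOSTNAME_DOC, BROWSER_NO_OVERRIDE),
        ("internal hostname, per-network resolution", HOSTNAME_DOC, BROWSER_WITH_OVERRIDE),
    ]
    for label, doc, browser in cases:
        print(label, "->", audit_discovery(doc, browser, SERVER_INTERNAL) or "all reachable")
```

The first case reproduces the login-works, logout-fails state from the report; only the third, where one hostname resolves differently on each side of the firewall, leaves no findings.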
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711919#comment-17711919 ]

David Handermann commented on NIFI-11409:
-----------------------------------------

Thanks for the reply [~macdoor615].

Changing the NiFi OIDC integration to a user-agent based application would open up other integration possibilities as you mentioned. One major factor is that OIDC is just one of several options for NiFi along with SAML, not to mention username and password options like LDAP or Kerberos. This might be worth exploring, but it would require significant effort and refactoring.

As far as your issue with token revocation, are you able to adjust the revocation endpoint URI to match the other endpoints with which NiFi is already able to communicate?
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711905#comment-17711905 ]

macdoor615 commented on NIFI-11409:
-----------------------------------

[~exceptionfactory] You are right. The current implementation of NiFi is spec compliant. My issue should not be a bug but a new feature.

I suggest NiFi support user-agent-based application in future version. In this way, NiFi can support more complex network environments. In fact, the current WebUI of NiFi is already very powerful.
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711887#comment-17711887 ]

David Handermann commented on NIFI-11409:
-----------------------------------------

[~macdoor615] Although it is possible to think of the NiFi UI and the NiFi Server as separate applications, the current OIDC integration does not follow that approach.

[RFC 6749 Section 2.1|https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1] defines two different types of clients: {{confidential}} and {{public}}. Under that heading, Section 2.1 also defines {{web applications}} and {{user-agent based applications}}. Following those definitions, NiFi falls into the confidential web application category. That is why the NiFi server currently handles the token request and token revocation communication with the Authorization Server.
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711715#comment-17711715 ]

macdoor615 commented on NIFI-11409:
-----------------------------------

[~exceptionfactory] You said "As the client, NiFi needs to call the revocation endpoint directly, not through the browser"

I think NiFi consists of two applications, one is the NiFi WebUI running in the browser, and the other is the NiFi Server running in the background.

My understanding of the specification of the RFC6749 is that NiFi WebUI acts as the role of Client, and NiFi server acts as the role of Resource Server. Client exchanges token with Authorization Server and Resource Server. Resource Server does not exchange tokens with the Authorization Server directly.

So I think it should be NiFi WebUI to exchange token with keycloak. NiFi server cannot act as the role of Client and Resource Server at the same time.

[https://www.rfc-editor.org/rfc/rfc6749#section-1.5]

!RFC6749 flow.png|width=635,height=351!
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710265#comment-17710265 ]

David Handermann commented on NIFI-11409:

[~macdoor615] NiFi 1.20.0 and earlier did not call the revocation_endpoint in all circumstances. In particular, if the OIDC Provider supported the end_session_endpoint, NiFi would not call the revocation_endpoint. Now that NiFi supports Refresh Tokens in 1.21.0, NiFi will always attempt to revoke tokens on logout. As the client, NiFi needs to call the revocation endpoint directly, not through the browser.
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710255#comment-17710255 ]

macdoor615 commented on NIFI-11409:

[~exceptionfactory] hb3-prod-lb-000 is the internal IP, 36.133.55.100 is the external IP. Maybe the revocation_endpoint should be called from the browser, not from the server side of NiFi?
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710253#comment-17710253 ]

David Handermann commented on NIFI-11409:

[~macdoor615] The OIDC Discovery URL is working, but for some reason, the server is returning different hostnames for different endpoints, which is why the revocation is not working. Is there some filtering process being run on the load balancer that changes the URLs returned from the Keycloak server?
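The condition described in the comment above (discovery metadata advertising endpoints on a host the NiFi nodes cannot reach) can be checked before users hit the 503. This is an added example, not code from the thread or from NiFi; the sample metadata, the internal port, the endpoint paths other than the logged revocation URL, and all function names are constructed assumptions.

```python
import socket
from urllib.parse import urlsplit

# Metadata fields the OIDC client (here the NiFi server) calls directly.
BACK_CHANNEL = ("token_endpoint", "revocation_endpoint", "userinfo_endpoint",
                "jwks_uri", "introspection_endpoint")
# Metadata fields the user's browser is redirected to.
FRONT_CHANNEL = ("authorization_endpoint", "end_session_endpoint")

# Constructed sample: only the revocation URL and the two host names come
# from the thread; the rest is assumed for illustration.
SAMPLE_DISCOVERY_URL = (
    "https://hb3-prod-lb-000:8943/realms/zznode/.well-known/openid-configuration")
_INT = "https://hb3-prod-lb-000:8943/realms/zznode"
_EXT = "https://36.133.55.100:8943/realms/zznode"
SAMPLE_METADATA = {
    "issuer": _INT,
    "authorization_endpoint": _EXT + "/protocol/openid-connect/auth",
    "token_endpoint": _INT + "/protocol/openid-connect/token",
    "jwks_uri": _INT + "/protocol/openid-connect/certs",
    "revocation_endpoint": _EXT + "/protocol/openid-connect/revoke",
    "end_session_endpoint": _EXT + "/protocol/openid-connect/logout",
}


def origin(url):
    """Return (host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.hostname, port)


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection opens from this machine within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers timeouts, refused connections and DNS failures
        return False


def internal_only_probe(host, port):
    """Constructed stand-in for a node that can only reach the internal name."""
    return host == "hb3-prod-lb-000"


def audit_discovery(discovery_url, metadata, probe=tcp_probe):
    """Compare each advertised endpoint with the discovery URL's origin and
    probe the back-channel ones from the machine running the check."""
    expected = origin(discovery_url)
    findings = []
    for name in BACK_CHANNEL + FRONT_CHANNEL:
        url = metadata.get(name)
        if not url:
            continue
        host, port = origin(url)
        back = name in BACK_CHANNEL
        findings.append({
            "endpoint": name,
            "channel": "back" if back else "front",
            "same_origin": (host, port) == expected,
            # Front-channel URLs are visited by the browser, so reachability
            # from the server says nothing about them.
            "reachable": probe(host, port) if back else None,
        })
    return findings


def unreachable_back_channel(findings):
    """Endpoints the server must call itself but cannot connect to."""
    return [f["endpoint"] for f in findings
            if f["channel"] == "back" and f["reachable"] is False]


if __name__ == "__main__":
    result = audit_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_METADATA,
                             probe=internal_only_probe)
    for finding in result:
        print(finding)
    print("blocking:", unreachable_back_channel(result))
```

Run on a NiFi node with the default `tcp_probe` and the metadata fetched from the configured discovery URL, the `blocking` list names the endpoints whose connect attempts would time out.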
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710248#comment-17710248 ]

David Handermann commented on NIFI-11409:

[~macdoor615] The cluster process replicates HTTP requests, so the failure appears to be related to the replication process. The standalone logout apparently throws the same error, but it doesn't prevent displaying the logout page because it doesn't need to replicate the request to other nodes.
[jira] [Commented] (NIFI-11409) OIDC Token Revocation Error on Logout
[ https://issues.apache.org/jira/browse/NIFI-11409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710246#comment-17710246 ]

macdoor615 commented on NIFI-11409:

[~exceptionfactory] But why can the standalone NiFi server log out correctly? Does only the NiFi cluster have this problem?