[jira] [Commented] (NIFI-11438) OIDC requests all available scopes
[ https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711530#comment-17711530 ]

Jody DesRoches commented on NIFI-11438:
---

It's possible that the optional scopes listed in the OpenID Connect Core spec you referenced would be OK. ADFS lists many other scopes that seem very unrelated to the OpenID workflow used by NiFi. For example, some *_cert values and user_impersonation.

> OIDC requests all available scopes
> --
>
> Key: NIFI-11438
> URL: https://issues.apache.org/jira/browse/NIFI-11438
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.21.0
> Environment: Windows ADFS used for OIDC
> Reporter: Jody DesRoches
> Assignee: David Handermann
> Priority: Major
>
> OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0. Logging exceptions in ADFS indicate that NiFi is requesting forbidden resources.
> NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.
> Expected: only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes".
> Source code affecting scope selection:
> https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-11438) OIDC requests all available scopes
[ https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711528#comment-17711528 ]

Jody DesRoches commented on NIFI-11438:
---

[~exceptionfactory] Thanks for jumping on this. The current behavior in 1.21.0 is to disallow authentication.
[jira] [Updated] (NIFI-11438) OIDC requests all available scopes
[ https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jody DesRoches updated NIFI-11438:
--
    Description:
OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0. Logging exceptions in ADFS indicate that NiFi is requesting forbidden resources.
NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.
Expected: only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes".
Source code affecting scope selection:
[https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]

    was:
OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0. Logging exceptions in ADFS indicate that NiFi is requesting forbidden resources.
NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.
Expected: only request scopes "openid ** email" plus values in "nifi.security.user.oidc.additional.scopes".
Source code affecting scope selection:
https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80
[jira] [Created] (NIFI-11438) OIDC requests all available scopes
Jody DesRoches created NIFI-11438:
-
             Summary: OIDC requests all available scopes
                 Key: NIFI-11438
                 URL: https://issues.apache.org/jira/browse/NIFI-11438
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.21.0
         Environment: Windows ADFS used for OIDC
            Reporter: Jody DesRoches

OIDC configuration that works with 1.20.0 fails to log in with version 1.21.0. Logging exceptions in ADFS indicate that NiFi is requesting forbidden resources.
NiFi is requesting all scopes listed in ../adfs/.well-known/openid-configuration under scopes_supported.
Expected: only request scopes "openid email" plus values in "nifi.security.user.oidc.additional.scopes".
Source code affecting scope selection:
https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80
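As an added illustration (not NiFi's own code), the two scope-selection behaviours the report contrasts, modelled in Python: the reported 1.21.0 behaviour of requesting every entry of scopes_supported from the discovery document, beside the expected set of openid and email plus whatever nifi.security.user.oidc.additional.scopes lists. The discovery document, the sample_cert scope and all function names are constructed for this example; the expected set follows the report's "Expected" line rather than NiFi's implementation.

```python
import json

# Constructed ADFS-style discovery document (stand-in values, not a real tenant).
# scopes_supported deliberately carries scopes unrelated to an OIDC login, as the
# report describes for ADFS (sample_cert stands in for the *_cert scopes mentioned).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "scopes_supported": ["openid", "profile", "email", "allatclaims",
                         "user_impersonation", "sample_cert"],
})

REQUIRED_SCOPES = ("openid", "email")


def scopes_1_21_behavior(discovery_json: str) -> list:
    """Reported 1.21.0 behaviour: every scope the provider advertises is requested."""
    return list(json.loads(discovery_json)["scopes_supported"])


def expected_scopes(discovery_json: str, additional_scopes: str = "") -> list:
    """Expected behaviour: openid + email plus the comma-separated additional scopes.

    A configured scope the provider does not advertise is rejected up front, so a
    typo fails at startup instead of as an opaque error from the provider.
    """
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    requested = []
    for scope in REQUIRED_SCOPES + tuple(s.strip() for s in additional_scopes.split(",")):
        if scope and scope not in requested:
            requested.append(scope)
    unsupported = [s for s in requested if supported and s not in supported]
    if unsupported:
        raise ValueError("scopes not advertised by provider: %s" % unsupported)
    return requested


def excess_scopes(discovery_json: str, additional_scopes: str = "") -> list:
    """Scopes the 1.21.0 behaviour would request beyond what the deployment intends.

    Run against a real discovery document, this is a pre-upgrade check of what the
    provider would see NiFi ask for.
    """
    wanted = set(expected_scopes(discovery_json, additional_scopes))
    return [s for s in scopes_1_21_behavior(discovery_json) if s not in wanted]


if __name__ == "__main__":
    print("1.21.0 requests:", scopes_1_21_behavior(DISCOVERY_JSON))
    print("expected:", expected_scopes(DISCOVERY_JSON, "profile"))
    print("excess:", excess_scopes(DISCOVERY_JSON, "profile"))
```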
[jira] [Commented] (NIFI-5754) bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value
[ https://issues.apache.org/jira/browse/NIFI-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664144#comment-16664144 ]

Jody DesRoches commented on NIFI-5754:
--

Sorry, I don't have an environment in which I can test and build a pull request at this time. It appears that calling the static method org.apache.nifi.bootstrap.RunNiFi.getDefaultBootstrapConfFile() in org.apache.nifi.properties.NiFiPropertiesLoader would be a good solution to ensure consistency.

> bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value
> ---
>
> Key: NIFI-5754
> URL: https://issues.apache.org/jira/browse/NIFI-5754
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration Management
> Affects Versions: 1.7.1
> Environment: N/A
> Reporter: Jody DesRoches
> Priority: Major
>
> Issue in NiFiPropertiesLoader when trying to find "nifi.bootstrap.sensitive.key="
> When starting the nifi service, $NIFI_HOME/conf/bootstrap.conf is used. When NiFiPropertiesLoader attempts to decrypt nifi.properties it guesses that bootstrap.conf exists in the same directory as nifi.properties. This is not true if "conf.dir" has been defined in bootstrap.conf.
> Apparent problem is on NiFiPropertiesLoader line 113. Method extractKeyFromBootstrapFile() should call extractKeyFromBootstrapFile("$NIFI_HOME/conf/bootstrap.conf") by default as the method comment indicates. Instead it calls this method with an empty string, resulting in an IOException on service startup if the conf.dir has been customized.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-5754) bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value
[ https://issues.apache.org/jira/browse/NIFI-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16664089#comment-16664089 ]

Jody DesRoches commented on NIFI-5754:
--

Workaround is to keep a copy of bootstrap.conf in $NIFI_HOME/conf and conf.dir/, but I haven't tested how that would be affected by running encrypt-config.sh. Where will the hexkey actually be stored?
[jira] [Created] (NIFI-5754) bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value
Jody DesRoches created NIFI-5754:

             Summary: bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value
                 Key: NIFI-5754
                 URL: https://issues.apache.org/jira/browse/NIFI-5754
             Project: Apache NiFi
          Issue Type: Bug
          Components: Configuration Management
    Affects Versions: 1.7.1
         Environment: N/A
            Reporter: Jody DesRoches

Issue in NiFiPropertiesLoader when trying to find "nifi.bootstrap.sensitive.key="
When starting the nifi service, $NIFI_HOME/conf/bootstrap.conf is used. When NiFiPropertiesLoader attempts to decrypt nifi.properties it guesses that bootstrap.conf exists in the same directory as nifi.properties. This is not true if "conf.dir" has been defined in bootstrap.conf.
Apparent problem is on NiFiPropertiesLoader line 113. Method extractKeyFromBootstrapFile() should call extractKeyFromBootstrapFile("$NIFI_HOME/conf/bootstrap.conf") by default as the method comment indicates. Instead it calls this method with an empty string, resulting in an IOException on service startup if the conf.dir has been customized.
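Added example, not NiFi's own code: the two ways of locating bootstrap.conf that the report contrasts (guessing it sits beside nifi.properties versus using the file the service was started with under $NIFI_HOME/conf), exercised against a constructed NIFI_HOME layout with a customized conf.dir. It assumes a plain key=value file format and that a relative conf.dir resolves against $NIFI_HOME; the directory names and the key value are placeholders.

```python
import tempfile
from pathlib import Path
from typing import Optional


def read_property(path: Path, key: str) -> Optional[str]:
    """Minimal key=value reader for bootstrap.conf / nifi.properties (no escapes)."""
    for line in path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def bootstrap_conf_by_guess(nifi_properties: Path) -> Path:
    """Behaviour the report describes: assume bootstrap.conf is next to nifi.properties."""
    return nifi_properties.parent / "bootstrap.conf"


def bootstrap_conf_by_home(nifi_home: Path) -> Path:
    """What the report expects: the file the service started with, $NIFI_HOME/conf/bootstrap.conf."""
    return nifi_home / "conf" / "bootstrap.conf"


def resolve_sensitive_key(nifi_home: Path):
    """Return (bootstrap.conf, nifi.properties, nifi.bootstrap.sensitive.key), honouring conf.dir."""
    bootstrap = bootstrap_conf_by_home(nifi_home)
    conf_dir = read_property(bootstrap, "conf.dir")
    conf_path = Path(conf_dir) if conf_dir else nifi_home / "conf"
    if not conf_path.is_absolute():          # assumption: relative to $NIFI_HOME
        conf_path = nifi_home / conf_path
    props = conf_path / "nifi.properties"
    return bootstrap, props, read_property(bootstrap, "nifi.bootstrap.sensitive.key")


def build_custom_conf_dir_layout(root: Path) -> Path:
    """Constructed layout reproducing the report: conf.dir points outside $NIFI_HOME/conf."""
    (root / "conf").mkdir(parents=True)
    (root / "custom-conf").mkdir()
    (root / "conf" / "bootstrap.conf").write_text(
        "conf.dir=./custom-conf\nnifi.bootstrap.sensitive.key=0123456789abcdef\n")  # placeholder key
    (root / "custom-conf" / "nifi.properties").write_text("nifi.sensitive.props.key=placeholder\n")
    return root


def demo() -> dict:
    """Compare both strategies on the constructed layout; the guess finds no file."""
    with tempfile.TemporaryDirectory() as tmp:
        bootstrap, props, key = resolve_sensitive_key(build_custom_conf_dir_layout(Path(tmp)))
        return {"guess_exists": bootstrap_conf_by_guess(props).exists(),
                "home_exists": bootstrap.exists(), "props_exists": props.exists(), "key": key}
```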