[jira] [Commented] (NIFI-11438) OIDC requests all available scopes

2023-04-12 Thread Jody DesRoches (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711530#comment-17711530
 ] 

Jody DesRoches commented on NIFI-11438:
---

It's possible that the optional scopes listed in the OpenID Connect Core spec 
you referenced would be OK.  ADFS lists many other scopes that seem very 
unrelated to the OpenID workflow used by NiFi.  For example, some "*_cert" 
values and "user_impersonation".

> OIDC requests all available scopes
> --
>
> Key: NIFI-11438
> URL: https://issues.apache.org/jira/browse/NIFI-11438
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Security
>Affects Versions: 1.21.0
> Environment: Windows ADFS used for OIDC
>Reporter: Jody DesRoches
>Assignee: David Handermann
>Priority: Major
>
> OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.
> Logging exceptions in ADFS that indicate NiFi is requesting forbidden 
> resources.
> NiFi is requesting all scopes listed in 
> ../adfs/.well-known/openid-configuration under scopes_supported. 
> Expected: only request scopes "openid email" plus values in 
> "nifi.security.user.oidc.additional.scopes"
> Source code affecting scope selection: 
> [https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
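The scope-selection difference this report is about, as an added Python example (not NiFi project code and not the linked StandardClientRegistrationProvider): one function takes every value the provider advertises under scopes_supported, which is the 1.21.0 behaviour the report describes; the other builds the expected request from "openid" and "email" plus the comma-separated nifi.security.user.oidc.additional.scopes value. The discovery document, endpoints, client_id, redirect_uri and every scope name other than openid, email and profile are constructed for the example; the provider-specific names stand in for the *_cert and user_impersonation scopes mentioned in the comment above.

```python
"""Scope selection for an OpenID Connect authorization request.

Added example for NIFI-11438; it is not NiFi project code. It contrasts the
reported 1.21.0 behaviour (request every value under scopes_supported) with
the expected least-privilege selection ("openid" and "email" plus the values
configured in nifi.security.user.oidc.additional.scopes).
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document in the shape of /.well-known/openid-configuration.
# Issuer, endpoints and the non-standard scope names are illustrative stand-ins
# for provider-specific scopes such as the *_cert and user_impersonation values
# an ADFS deployment may advertise.
DISCOVERY = {
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "scopes_supported": [
        "openid", "email", "profile", "logon_cert", "vpn_cert",
        "winhello_cert", "user_impersonation", "allatclaims",
    ],
}

# "openid" is mandatory for an OIDC request; "email" carries the identity
# claim NiFi maps to a user name.
BASE_SCOPES = ("openid", "email")


def scopes_from_discovery(discovery):
    """Reported 1.21.0 behaviour: request everything the provider advertises."""
    return list(discovery.get("scopes_supported", []))


def parse_additional_scopes(value):
    """Split the comma-separated additional-scopes property into clean tokens."""
    return [s.strip() for s in value.split(",") if s.strip()]


def least_privilege_scopes(additional_scopes=()):
    """Expected behaviour: base scopes plus configured extras, deduplicated, order kept."""
    selected = []
    for scope in (*BASE_SCOPES, *additional_scopes):
        if scope not in selected:
            selected.append(scope)
    return selected


def unadvertised_scopes(requested, discovery):
    """Requested scopes the provider does not list under scopes_supported.

    OpenID Connect Discovery treats scopes_supported as advisory (a provider may
    omit scopes it does support), so treat a non-empty result as a warning to
    review rather than a hard failure.
    """
    return sorted(set(requested) - set(discovery.get("scopes_supported", [])))


def authorization_request(discovery, scopes, client_id, redirect_uri, state):
    """Build the front-channel authorization request URL.

    The scope parameter is one space-delimited string (RFC 6749 section 3.3).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def scopes_in_request(url):
    """Recover the scope list from a request URL, e.g. one copied from provider logs."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


if __name__ == "__main__":
    extra = parse_additional_scopes(" profile ,groups, ")  # constructed property value
    for label, scopes in (
        ("all scopes_supported", scopes_from_discovery(DISCOVERY)),
        ("openid email + additional", least_privilege_scopes(extra)),
    ):
        url = authorization_request(
            DISCOVERY, scopes, "nifi-client", "https://nifi.example.test/callback", "state-123"
        )
        print(label, "->", scopes_in_request(url),
              "| not advertised:", unadvertised_scopes(scopes, DISCOVERY))
```

When comparing what a provider logs against what a client should be sending, scopes_in_request on the captured authorization URL gives the list to diff against least_privilege_scopes; anything in the request that is neither a base scope nor a configured additional scope is over-requesting.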


[jira] [Commented] (NIFI-11438) OIDC requests all available scopes

2023-04-12 Thread Jody DesRoches (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711528#comment-17711528
 ] 

Jody DesRoches commented on NIFI-11438:
---

[~exceptionfactory] Thanks for jumping on this.

The current behavior in 1.21.0 is to disallow authentication.



[jira] [Updated] (NIFI-11438) OIDC requests all available scopes

2023-04-12 Thread Jody DesRoches (Jira)


 [ 
https://issues.apache.org/jira/browse/NIFI-11438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jody DesRoches updated NIFI-11438:
--
Description: 
OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in 
../adfs/.well-known/openid-configuration under {_}scopes_supported{_}. 

*Expected* only request scopes "{_}openid{_} _email"_ plus values in 
"{_}nifi.security.user.oidc.additional.scopes"{_}

Source code affecting scope selection: 
[https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80]

 

  was:
OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in 
../adfs/.well-known/openid-configuration under {_}scopes_supported{_}.  

*Expected* only request scopes "{_}openid{_} ** _email"_ plus values in 
"{_}nifi.security.user.oidc.additional.scopes"{_}


Source code affecting scope selection: 
https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80

 




[jira] [Created] (NIFI-11438) OIDC requests all available scopes

2023-04-12 Thread Jody DesRoches (Jira)
Jody DesRoches created NIFI-11438:
-

 Summary: OIDC requests all available scopes
 Key: NIFI-11438
 URL: https://issues.apache.org/jira/browse/NIFI-11438
 Project: Apache NiFi
  Issue Type: Bug
  Components: Security
Affects Versions: 1.21.0
 Environment: Windows ADFS used for OIDC
Reporter: Jody DesRoches


OIDC configuration that works with 1.20.0 fails to login with version 1.21.0.

Logging exceptions in ADFS that indicate NiFi is requesting forbidden resources.

NiFi is requesting all scopes listed in 
../adfs/.well-known/openid-configuration under scopes_supported.  

Expected: only request scopes "openid email" plus values in 
"nifi.security.user.oidc.additional.scopes"


Source code affecting scope selection: 
https://github.com/apache/nifi/blob/3322ad7a20c99dec01ee0c3f530c0566acd13258/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/registration/StandardClientRegistrationProvider.java#L80

 





[jira] [Commented] (NIFI-5754) bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value

2018-10-25 Thread Jody DesRoches (JIRA)


[ 
https://issues.apache.org/jira/browse/NIFI-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16664144#comment-16664144
 ] 

Jody DesRoches commented on NIFI-5754:
--

Sorry, I don't have an environment in which I can test and build a pull request 
at this time.

It appears calling static method 
org.apache.nifi.bootstrap.RunNiFi.getDefaultBootstrapConfFile() in 
org.apache.nifi.properties.NiFiPropertiesLoader would be a good solution to 
ensure consistency.

> bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value
> ---
>
> Key: NIFI-5754
> URL: https://issues.apache.org/jira/browse/NIFI-5754
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Configuration Management
>Affects Versions: 1.7.1
> Environment: N/A
>Reporter: Jody DesRoches
>Priority: Major
>
> Issue in NiFiPropertiesLoader when trying to find 
> "nifi.bootstrap.sensitive.key=" 
> When starting the nifi service, $NIFI_HOME/conf/bootstrap.conf is used.  When 
> NiFiPropertiesLoader attempts to decrypt nifi.properties it guesses that 
> bootstrap.conf exists in the same directory as nifi.properties.  This is not 
> true if "conf.dir" has been defined in bootstrap.conf.
> Apparent problem is on NiFiPropertiesLoader line 113. Method 
> extractKeyFromBootstrapFile() should call 
> extractKeyFromBootstrapFile("$NIFI_HOME/conf/bootstrap.conf") by default as 
> the method comment indicates.  Instead it calls this method with an empty 
> string resulting in an IOException on service startup if the conf.dir has 
> been customized.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
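The path-resolution problem described in this issue, as an added Python example (not NiFi project code and not NiFiPropertiesLoader or RunNiFi): it builds a NIFI_HOME whose conf/bootstrap.conf sets conf.dir to a separate directory, then shows that looking for bootstrap.conf beside nifi.properties finds nothing while resolving $NIFI_HOME/conf/bootstrap.conf finds the key. It also adds the cross-check a practitioner would want, that conf.dir in the bootstrap file actually contains the nifi.properties being decrypted. The directory layout, the key value and the nifi.properties content are constructed for the example.

```python
"""Locating bootstrap.conf when conf.dir is customised.

Added example for NIFI-5754; it is not NiFi project code. It reproduces the
path problem the report describes: the service starts from
$NIFI_HOME/conf/bootstrap.conf, whose conf.dir points at another directory,
but the properties loader looks for bootstrap.conf next to nifi.properties
and so cannot find nifi.bootstrap.sensitive.key.
"""
import tempfile
from pathlib import Path

SENSITIVE_KEY_PROP = "nifi.bootstrap.sensitive.key"
CONF_DIR_PROP = "conf.dir"


def read_properties(path):
    """Minimal key=value reader; comments and blank lines are skipped."""
    props = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def bootstrap_beside_properties(nifi_properties):
    """Reported behaviour: assume bootstrap.conf sits beside nifi.properties."""
    return Path(nifi_properties).parent / "bootstrap.conf"


def default_bootstrap_conf(nifi_home):
    """Suggested behaviour: the file the service itself was started from."""
    return Path(nifi_home) / "conf" / "bootstrap.conf"


def extract_sensitive_key(bootstrap_conf):
    """Return the root key used to decrypt nifi.properties, or raise."""
    path = Path(bootstrap_conf)
    if not path.is_file():
        raise FileNotFoundError(f"bootstrap.conf not found at {path}")
    key = read_properties(path).get(SENSITIVE_KEY_PROP, "")
    if not key:
        raise ValueError(f"{SENSITIVE_KEY_PROP} is empty in {path}")
    return key


def conf_dir_matches(bootstrap_conf, nifi_properties):
    """Consistency check: conf.dir in bootstrap.conf should contain nifi.properties."""
    conf_dir = read_properties(bootstrap_conf).get(CONF_DIR_PROP)
    if conf_dir is None:
        return True  # default layout, nothing to cross-check
    return Path(conf_dir).resolve() == Path(nifi_properties).resolve().parent


def build_layout(root):
    """Constructed NIFI_HOME with conf.dir redirected to a separate directory."""
    nifi_home = Path(root) / "nifi"
    custom_conf = Path(root) / "etc" / "nifi"
    (nifi_home / "conf").mkdir(parents=True)
    custom_conf.mkdir(parents=True)
    (nifi_home / "conf" / "bootstrap.conf").write_text(
        f"{CONF_DIR_PROP}={custom_conf}\n"
        f"{SENSITIVE_KEY_PROP}=0123456789abcdef0123456789abcdef\n"  # constructed key
    )
    # Constructed placeholder; a real file would hold encrypted property values.
    (custom_conf / "nifi.properties").write_text("nifi.sensitive.props.key=enc{placeholder}\n")
    return nifi_home, custom_conf / "nifi.properties"


def demonstrate():
    """Run both lookups against the constructed layout and report what each finds."""
    with tempfile.TemporaryDirectory() as tmp:
        nifi_home, nifi_properties = build_layout(tmp)
        default_conf = default_bootstrap_conf(nifi_home)
        return {
            "guess_found": bootstrap_beside_properties(nifi_properties).is_file(),
            "default_key": extract_sensitive_key(default_conf),
            "conf_dir_consistent": conf_dir_matches(default_conf, nifi_properties),
        }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The conf_dir_matches check is the part worth keeping in a real loader: once the bootstrap file is resolved from NIFI_HOME rather than guessed, it can confirm that the nifi.properties it is about to decrypt is the one conf.dir points at, which catches the two-copies workaround drifting out of sync.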


[jira] [Commented] (NIFI-5754) bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value

2018-10-25 Thread Jody DesRoches (JIRA)


[ 
https://issues.apache.org/jira/browse/NIFI-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16664089#comment-16664089
 ] 

Jody DesRoches commented on NIFI-5754:
--

Workaround is to keep a copy of bootstrap.conf in $NIFI_HOME/conf and 
conf.dir/, but I haven't tested how that would be affected by running 
encrypt-config.sh.  Where will the hex key actually be stored?  



[jira] [Created] (NIFI-5754) bootstrap.conf not found in NiFiPropertiesLoader with custom conf.dir value

2018-10-25 Thread Jody DesRoches (JIRA)
Jody DesRoches created NIFI-5754:


 Summary: bootstrap.conf not found in NiFiPropertiesLoader with 
custom conf.dir value
 Key: NIFI-5754
 URL: https://issues.apache.org/jira/browse/NIFI-5754
 Project: Apache NiFi
  Issue Type: Bug
  Components: Configuration Management
Affects Versions: 1.7.1
 Environment: N/A
Reporter: Jody DesRoches


Issue in NiFiPropertiesLoader when trying to find 
"nifi.bootstrap.sensitive.key=" 

When starting the nifi service, $NIFI_HOME/conf/bootstrap.conf is used.  When 
NiFiPropertiesLoader attempts to decrypt nifi.properties it guesses that 
bootstrap.conf exists in the same directory as nifi.properties.  This is not 
true if "conf.dir" has been defined in bootstrap.conf.

Apparent problem is on NiFiPropertiesLoader line 113. Method 
extractKeyFromBootstrapFile() should call 
extractKeyFromBootstrapFile("$NIFI_HOME/conf/bootstrap.conf") by default as the 
method comment indicates.  Instead it calls this method with an empty string 
resulting in an IOException on service startup if the conf.dir has been 
customized.


