[GitHub] [nifi] exceptionfactory commented on pull request #7013: NIFI-4890 Refactor OIDC with support for Refresh Tokens

2023-03-27 Thread via GitHub


exceptionfactory commented on PR #7013:
URL: https://github.com/apache/nifi/pull/7013#issuecomment-1485828462

   Thanks for the feedback and testing @mtien-apache and @mcgilman! I pushed 
one more update correcting some spelling and naming issues. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [nifi] exceptionfactory commented on pull request #7013: NIFI-4890 Refactor OIDC with support for Refresh Tokens

2023-03-23 Thread via GitHub


exceptionfactory commented on PR #7013:
URL: https://github.com/apache/nifi/pull/7013#issuecomment-1482106518

   > Tested happy path using [1]. Only behavioral difference I noticed was an update to the needed "Sign-out redirect URI" specified in the Okta configuration.
   >
   > [1] https://exceptionfactory.com/posts/2022/12/21/integrating-apache-nifi-with-okta-oidc-authentication/
   
   Thanks for testing @greyp9. The updated OpenID Connect section of the 
Administrator's Guide notes the logout destination path, but it is worth 
calling out the change as a migration guide note when this is ready to go. The 
updated logout destination removes the relative path elements in favor of 
declaring the direct `/nifi/logout-complete` path.





[GitHub] [nifi] exceptionfactory commented on pull request #7013: NIFI-4890 Refactor OIDC with support for Refresh Tokens

2023-03-21 Thread via GitHub


exceptionfactory commented on PR #7013:
URL: https://github.com/apache/nifi/pull/7013#issuecomment-1478804044

   Thanks for the testing @emiliosetiadarma!
   
   After some discussion with @mcgilman, I pushed an update to change the 
source of initial application Bearer Token expiration.
   
   The previous implementation derived the application Bearer Token expiration 
from the ID Token, but the update changes the approach to derive the expiration 
from the Access Token. This strategy aligns both initial expiration and 
refreshed expiration to derive from the Access Token expiration.
   
   Some Identity Providers return the same expiration value for both the ID 
Token and the Access Token, so the end result will not change for those 
providers. Changing the source of the application Bearer Token expiration to 
the Access Token expiration provides a consistent approach, and the updated 
section of the Administrator's Guide reflects these changes. Some Identity 
Providers make the Access Token expiration configurable, so this also aligns 
with expected integration behavior.
   
   I also rebased the pull request from the current main branch.


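
The two expiration sources discussed in the 2023-03-21 comment above, compared in an added example that is not part of the thread and is not NiFi's own code. It assumes the Access Token lifetime is read from the token response `expires_in` field and the ID Token lifetime from its `exp` claim; the function names and the token values are hypothetical and constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. No signature check here: a real relying party
    must validate the ID Token before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def bearer_expiration(token_response: dict, received_at: int, source: str) -> int:
    """Expiration (epoch seconds) for the application Bearer Token."""
    if source == "id_token":  # approach described as the previous one
        return int(jwt_claims(token_response["id_token"])["exp"])
    if source == "access_token":  # approach described as the updated one
        return received_at + int(token_response["expires_in"])
    raise ValueError(f"unknown source: {source}")


def make_response(received_at: int, id_ttl: int, access_ttl: int) -> dict:
    """Constructed token response with an unsigned sample ID Token."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    body = b64url(json.dumps({"sub": "sample-user", "exp": received_at + id_ttl}).encode())
    return {"id_token": f"{header}.{body}.", "access_token": "opaque-sample",
            "expires_in": access_ttl, "refresh_token": "opaque-refresh-sample"}


def demo() -> dict:
    t0 = 1_700_000_000  # constructed login time
    initial = make_response(t0, id_ttl=3600, access_ttl=900)
    # A refresh response is allowed to omit the ID Token entirely.
    refreshed = {"access_token": "opaque-sample-2", "expires_in": 900}
    t1 = t0 + 840  # refresh shortly before the Access Token expires
    return {  # seconds after login at which the session token expires
        "initial_from_id_token": bearer_expiration(initial, t0, "id_token") - t0,
        "initial_from_access_token": bearer_expiration(initial, t0, "access_token") - t0,
        "refreshed_from_access_token": bearer_expiration(refreshed, t1, "access_token") - t0,
    }


if __name__ == "__main__":
    print(demo())
```

With a provider that issues a one-hour ID Token and a 15-minute Access Token, the ID Token source keeps the session valid well past the Access Token, and it has nothing to read on a refresh response that carries no ID Token.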