[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-10 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/2047


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-03 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131135419
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
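Review bot: the class Javadoc at `+ * OidcProvider for managing the OpenId Connect Authorization flow.` names a type that does not match `StandardOidcIdentityProvider`; reword it to describe this class and its role as the `OidcIdentityProvider` implementation. The fields `properties` and `jwtService` are assigned once in the constructor and never reassigned in the visible lines, so declare them `final` (the same applies to `clientId`, `clientSecret` and `tokenValidator` if they are only set during construction). The static import of `UserInfo.EMAIL_CLAIM_NAME` indicates that the NiFi identity will be derived from the `email` claim; that claim is mutable and, unless `email_verified` is also checked, is not guaranteed to have been verified by the provider, whereas `sub` is the claim OpenID Connect defines as the stable per-issuer identifier. Document which claim is used as the identity and why, so operators understand the mapping when they write authorization policies.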

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131015708
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131015276
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
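Review bot: the authorization request built in `oidcRequest` sends `client_id`, `response_type`, `scope`, `state` and `redirect_uri` but no `nonce`; for the authorization code flow OpenID Connect Core makes `nonce` optional but recommended, and it is what binds the ID token returned later to this login sequence. Consider generating a nonce alongside `oidcService.createState(oidcRequestIdentifier)`, storing it keyed by the same request identifier, adding `.queryParam("nonce", ...)` to the builder, and checking the ID token's `nonce` claim in the callback. Also, the HTTPS check and the `isOidcEnabled()` check are duplicated verbatim in `oidcRequest` and `oidcCallback`; a small private helper that forwards to the message page and returns a boolean would keep the two endpoints in step. Minor: `cookie.setMaxAge(60)` is a sensible bound for a login sequence cookie, but a named constant would document the intent.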
--- End diff --

I was concerned that a malformed cookie could have an empty/whitespace 
content but not be `null`. Looks like the cookie spec and browser 
implementations prevent that, so this is resolved. 




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962746
  
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@
 9.4.3.v20170317
 4.10.4
 4.2.4.RELEASE
-4.0.3.RELEASE
+4.2.3.RELEASE
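Review bot: the bump from `4.0.3.RELEASE` to `4.2.3.RELEASE` is a dependency upgrade that is independent of the OpenID Connect feature, and nothing in the PR records what changed between those releases or whether the new code requires the upgrade. Either state the reason in the commit message or move the bump to its own JIRA so its behavioral changes can be reviewed, and if necessary reverted, separately from this feature.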
--- End diff --

I'm not aware of the changes. Just realized we hadn't upgraded in a while. 
I'm happy to back this out and create another JIRA to investigate further.




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962379
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951566
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951002
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130943341
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
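Review bot: The static import `com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME` at the top of this hunk indicates that the NiFi identity will be derived from the `email` claim; please state that choice in the class Javadoc (`OidcProvider for managing the OpenId Connect Authorization flow.` says nothing about how identity is mapped), because OIDC Core only guarantees `sub` to be a stable, unique identifier within an issuer, while `email` may be absent, unverified (`email_verified` false) or reassigned by some providers. Suggest checking `email_verified` wherever the claim is read, or keying identity on `iss` + `sub` and using the email only for display.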

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130940968
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
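Review bot: `properties` and `jwtService` (`private NiFiProperties properties;`, `private JwtService jwtService;`) are assigned unconditionally in the constructor but are not `final`, and the constructor Javadoc (`@param jwtService jwt service`, `@param properties properties`) only restates the parameter names. Suggest marking both fields `final` and having the Javadoc say what happens when OIDC is not configured (the `// attempt to process the oidc configuration if configured` branch), i.e. which of `oidcProviderMetadata`, `tokenValidator`, `clientId` and `clientSecret` stay null and that callers must check `isOidcEnabled()` first. Also, `oidcConnectTimeout` and `oidcReadTimeout` are bare `int`s; name the unit (milliseconds) in a comment or in the field name, since the `FormatUtils`/`TimeUnit` imports suggest a duration string is parsed and converted.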

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130939060
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, final 
NiFiProperties properties) {
+this.properties = properties;
+this.jwtService = jwtService;
+
+// attempt to process the oidc configuration if configured
+if 
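Review bot: The import block pulls in both `ClientSecretBasic` and `ClientSecretPost` together with `ClientAuthenticationMethod` and `OIDCProviderMetadata`, so the constructor presumably selects the token-endpoint authentication method from the provider's discovery document; make sure that selection fails closed (throws during construction with a clear message) when the provider advertises neither `client_secret_basic` nor `client_secret_post`, rather than leaving `clientSecret` or `tokenValidator` null and surfacing the problem only at login time. The class also holds `clientSecret` as a `Secret` next to a class-level `logger`; please keep the secret and raw token-response bodies out of every log statement, including debug-level ones.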

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130884930
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 
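Review bot: The Javadoc on the one-argument constructor says `Creates a new OtpService with an expiration of 5 minutes.` but the constructor delegates with `this(identityProvider, 60, TimeUnit.SECONDS);`, i.e. the default is one minute, and the class is `OidcService`, not `OtpService` (the two-argument constructor's Javadoc carries the same copied name). Please correct both comments, and consider extracting the default as a named constant so the value stays in step with the matching cookie lifetime set in `AccessResource` (`cookie.setMaxAge(60);`).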

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130882716
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 
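Review bot: `getClientId()` returns `identityProvider.getClientId().getValue()` without the `isOidcEnabled()` guard that `createState` applies, so when OIDC is not configured it will most likely fail with a `NullPointerException` instead of the documented `IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED)`; `getAuthorizationEndpoint()` and `getScope()` have the same shape. Suggest applying the same guard in these accessors, or documenting that they must only be called after `isOidcEnabled()` returns true. Also, `identityProvider` and the two caches are assigned only in the constructor and could be `final`.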

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130879118
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
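Review bot: Both caches are built with `CacheBuilder.newBuilder().expireAfterWrite(duration, units).build()` and nothing else, so they are unbounded apart from the time-based expiry; since an entry in `stateLookupForPendingRequests` is created for any unauthenticated hit on the login endpoint, consider adding `maximumSize(...)` so memory use is bounded regardless of request rate. For `jwtLookupForCompletedRequests` (commented `identifier from cookie -> jwt or identity (and generate jwt on retrieval)`), please make the retrieval one-shot by invalidating the entry when the JWT is handed out, so a request identifier cannot be exchanged for a token more than once during its lifetime.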
--- End diff --

Got it.




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878806
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
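Review bot: The `identityProvider` parameter is undocumented in both constructor Javadocs (the two-argument one lists only `@param duration` and `@param units`), and nothing checks it for null even though the `@throws` section is careful to document `NullPointerException` for `units`. Suggest adding `@param identityProvider` to both comments and a `Objects.requireNonNull(identityProvider)` in the two-argument constructor so a misconfigured wiring fails at construction rather than on the first call to `isOidcEnabled()`.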
--- End diff --

Got it.




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878563
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc request cookie
+removeOidcRequestCookie(httpServletResponse);
+
+// forward to the error page
+forwardToMessagePage(httpServletRequest, 
httpServletResponse, "Purposed state 
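Review bot: The authorization URI built with `UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())` sends `client_id`, `response_type`, `scope`, `state` and `redirect_uri` but no `nonce`, so the ID token returned later cannot be bound to this browser session the way `state` binds the callback to the `OIDC_REQUEST_IDENTIFIER` cookie. Suggest generating a nonce alongside the state in `oidcService.createState(...)`, storing it under the same request identifier, adding it as a `nonce` query parameter, and having the `IDTokenValidator` in `StandardOidcIdentityProvider` check the `nonce` claim on the returned ID token; the Nimbus `AuthenticationRequest.Builder` would also assemble this URI with correct encoding instead of hand-building the query string.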

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130873359
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
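Review bot: the authorization request built in `oidcRequest` sends `state` but no `nonce`; for the `response_type=code` flow OpenID Connect Core makes `nonce` optional, but without it the ID token later exchanged for the `code` cannot be tied to this browser session the way `state` ties the callback to the `OIDC_REQUEST_IDENTIFIER` cookie. Suggest generating a nonce next to `oidcService.createState(oidcRequestIdentifier)`, adding `.queryParam("nonce", ...)` to the builder, and checking it where the ID token is validated.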
--- End diff --

That's a typo. It was meant to say the "Proposed state". I'll update 
accordingly.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-02 Thread mcgilman
Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130871309
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
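Review bot: `cookie.setMaxAge(60)` is a bare literal that has to agree with the expiry of the pending-state cache in `OidcService` (also 60 seconds in this PR); if either value is changed alone the callback fails with either a missing cookie or an expired state. Suggest one shared constant for both. The `setSecure(true)`/`setHttpOnly(true)` attributes and the `UUID.randomUUID()` value as an opaque handle look right.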
--- End diff --

`getCookieValue` returns null when no cookie is found with the specified 
name. I'll update the Javadoc on that method to make it clearer.

If there is a cookie with that name, we attempt to use the associated value 
in the login process. We have not formally defined a format for this 
identifier. Rather, we've left it just a `String` for now in case we choose to 
change it later.


[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130762623
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 
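Review bot: `createState` stores the generated state under the caller-supplied `oidcRequestIdentifier` in `stateLookupForPendingRequests`, which is built with `expireAfterWrite(duration, units)` and defaults to 60 seconds; a user who spends longer than that on the provider's login page will fail the state check in the callback even though nothing went wrong. Suggest sizing the expiry to a realistic login duration (the Javadoc already says 5 minutes) and documenting that the value must match the request cookie's max age. The method Javadoc should also read "OpenID Connect" rather than "OpenId Connection".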

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130757944
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130750100
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+throw new 
IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
+}
+
+final CacheKey oidcRequestIdentifierKey = new 
CacheKey(oidcRequestIdentifier);
+final State state = 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748733
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
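Review bot: `isOidcEnabled()` dereferences `identityProvider` without a guard, and the constructor stores it with `this.identityProvider = identityProvider;` unchecked, so a missing provider surfaces as an NPE on the first login request rather than at startup. Suggest `this.identityProvider = Objects.requireNonNull(identityProvider, "identityProvider");` in the constructor, or returning `false` here when the provider is absent if "not configured" is the intended meaning.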
--- End diff --

This can throw an NPE if the identity provider isn't defined. 


[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748639
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
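Review bot: the Javadoc on both constructors was carried over from OtpService: `Creates a new OtpService with an expiration of 5 minutes.` names the wrong class and a duration that does not match `this(identityProvider, 60, TimeUnit.SECONDS);`, and neither constructor documents `@param identityProvider`. Update the comments to the class name and the intended default, and note that the `NullPointerException`/`IllegalArgumentException` conditions listed are the ones raised by `CacheBuilder.expireAfterWrite`.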
--- End diff --

The Javadoc says the expiration is 5 minutes, but it looks like this is 
hardcoded to 1 minute. 


[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748365
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc request cookie
+removeOidcRequestCookie(httpServletResponse);
+
+// forward to the error page
+forwardToMessagePage(httpServletRequest, 
httpServletResponse, "Purposed state 
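Review bot: the "Purposed state" wording appears both in the `logger.error(...)` line and in the user-facing message passed to `forwardToMessagePage`, so correct both together. Since `removeOidcRequestCookie(httpServletResponse)` runs before the forward, the user is back in a clean state and can simply start the login again; the page message could say that instead of describing the state mismatch, which is detail for the log rather than the browser.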

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748112
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc request cookie
+removeOidcRequestCookie(httpServletResponse);
+
+// forward to the error page
+forwardToMessagePage(httpServletRequest, 
httpServletResponse, "Purposed state 

[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747485
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
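Review bot: the authorization request built in `oidcRequest` sends `client_id`, `response_type=code`, `scope`, `state` and `redirect_uri` but no `nonce`. `state` protects the callback against CSRF, while a `nonce` (generated alongside `createState`, stored with it, and checked against the `nonce` claim of the returned ID token) is what ties the token to this browser session; it is optional for the code flow but worth adding here since the state plumbing already exists.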
--- End diff --

I don't understand what "Purposed state" refers to here. 



[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747327
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
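Review bot: `cookie.setMaxAge(60)` in `oidcRequest` gives the user 60 seconds to finish authenticating at the provider; an MFA prompt or a consent screen easily exceeds that, and the callback then fails at the `oidcRequestIdentifier == null` check with "The login request identifier was not found" even though the provider accepted the login. Align the cookie lifetime with the server-side state lifetime used by `createState`, and since this early return leaves the request cookie in place, consider clearing it on every exit from `oidcCallback` rather than only on selected error paths.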
--- End diff --

Can this return value be an empty/blank String rather than `null`?




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread alopresto
Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747016
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
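Review bot: the `isSecure()` and `isOidcEnabled()` preambles are duplicated verbatim between `oidcRequest` and `oidcCallback`, message strings included; extracting them into a single guard method keeps the two endpoints from drifting if the checks or the text change. Related to the question above: if `getAuthorizationEndpoint()`, `getClientId()` or `getScope()` can be null or empty when OIDC is misconfigured, `UriBuilder.fromUri(...)` will throw or emit an empty parameter, so validating them at startup (when `isOidcEnabled()` is decided) is preferable to discovering it on the redirect.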
--- End diff --

My initial understanding is that all of these parameters are required for 
the call to work -- can we validate that the values are present and valid 
before attempting the request?




[GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect

2017-08-01 Thread mcgilman
GitHub user mcgilman opened a pull request:

https://github.com/apache/nifi/pull/2047

NIFI-4210: Add support for OpenId Connect

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mcgilman/nifi NIFI-4210

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2047.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2047


commit 4859baa29f42ff98e3747527cb0135e306baa7d2
Author: Matt Gilman 
Date:   2017-08-01T14:46:45Z

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.



