[jira] [Commented] (NIFI-12418) Identity Provider Groups Missing in Refreshed Bearer Token
[ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798290#comment-17798290 ]

ASF subversion and git services commented on NIFI-12418:

Commit db919bc49401262edfad3c5beb00b169433954ce in nifi's branch refs/heads/support/nifi-1.x from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=db919bc494 ]

NIFI-12418 Corrected Provider Groups Missing in Refreshed Tokens (#8126)

- Updated OidcBearerTokenRefreshFilter to maintain current Identity Provider Groups when generating refreshed application Bearer Tokens
- Refactored LoginAuthenticationToken to remove unnecessary optional constructors and use java.time.Instant for expiration
- Added Issuer Provider with implementation for Bearer Token Issuer based on host and port properties

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
> Key: NIFI-12418
> URL: https://issues.apache.org/jira/browse/NIFI-12418
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 2.0.0-M1, 1.24.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Labels: backport-needed
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information
> supplied from an Identity Provider, passing the groups in the application
> Bearer Token instead of persisting the groups in the local database
> repository.
> As a result of these handling changes, the Identity Provider group membership
> information is not retained when the OIDC Bearer Token Refresh Filter
> generates a new token. In deployments where the configured User Group
> Provider does not provide the group information, this behavior can result in
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group
> membership information from the new Identity Provider token.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (NIFI-12418) Identity Provider Groups Missing in Refreshed Bearer Token
[ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798283#comment-17798283 ]

ASF subversion and git services commented on NIFI-12418:

Commit 80700cc6c6c9e50b14ad006f05a649efe9cb1fd5 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=80700cc6c6 ]

NIFI-12418 Corrected Provider Groups Missing in Refreshed Tokens (#8126)

- Updated OidcBearerTokenRefreshFilter to maintain current Identity Provider Groups when generating refreshed application Bearer Tokens
- Refactored LoginAuthenticationToken to remove unnecessary optional constructors and use java.time.Instant for expiration
- Added Issuer Provider with implementation for Bearer Token Issuer based on host and port properties

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
> Key: NIFI-12418
> URL: https://issues.apache.org/jira/browse/NIFI-12418
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 2.0.0-M1, 1.24.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Labels: backport-needed
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information
> supplied from an Identity Provider, passing the groups in the application
> Bearer Token instead of persisting the groups in the local database
> repository.
> As a result of these handling changes, the Identity Provider group membership
> information is not retained when the OIDC Bearer Token Refresh Filter
> generates a new token. In deployments where the configured User Group
> Provider does not provide the group information, this behavior can result in
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group
> membership information from the new Identity Provider token.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (NIFI-12418) Identity Provider Groups Missing in Refreshed Bearer Token
[ https://issues.apache.org/jira/browse/NIFI-12418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17790251#comment-17790251 ]

David Handermann commented on NIFI-12418:

Reference dev mailing list thread: https://lists.apache.org/thread/54tpom04nv526ql8zv91n7ll1wc24sdh

> Identity Provider Groups Missing in Refreshed Bearer Token
> ----------------------------------------------------------
>
> Key: NIFI-12418
> URL: https://issues.apache.org/jira/browse/NIFI-12418
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 2.0.0-M1, 1.24.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
>
> The OIDC Bearer Token Refresh Filter is responsible for renewing application
> Bearer Tokens when NiFi is integrated with an OpenID Connect Identity
> Provider that supports the Refresh Token Grant Type.
> NiFi 1.23.0 introduced changes for handling group membership information
> supplied from an Identity Provider, passing the groups in the application
> Bearer Token instead of persisting the groups in the local database
> repository.
> As a result of these handling changes, the Identity Provider group membership
> information is not retained when the OIDC Bearer Token Refresh Filter
> generates a new token. In deployments where the configured User Group
> Provider does not provide the group information, this behavior can result in
> authorization failures after refreshing the token.
> The Bearer Token Refresh Filter should be corrected to retrieve group
> membership information from the new Identity Provider token.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
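
Added example, not code from the NiFi project or from the commits referenced above: a minimal Java model of the behaviour the issue describes, where a refreshed application Bearer Token loses its Identity Provider groups and a group-based authorization check then fails, next to a refresh that reads the groups from the new Identity Provider token. All class and method names, the `groups` claim name and the sample values are assumptions constructed for illustration.

```java
import java.time.Instant;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration: hypothetical names, not NiFi classes.
public class RefreshGroupsExample {
    // Application bearer token: identity, groups carried in the token, expiration.
    record AppToken(String identity, Set<String> groups, Instant expiration) {}

    // Constructed policy: access is granted through group membership only.
    static final Set<String> ALLOWED_GROUPS = Set.of("nifi-operators");

    static boolean authorized(AppToken token) {
        return token.groups().stream().anyMatch(ALLOWED_GROUPS::contains);
    }

    // Behaviour described in the issue: the refreshed token keeps the identity,
    // but the Identity Provider groups are not carried into it.
    static AppToken refreshDroppingGroups(AppToken current, Map<String, Object> idTokenClaims, Instant exp) {
        return new AppToken(current.identity(), Set.of(), exp);
    }

    // Corrected behaviour: take the groups from the new Identity Provider token.
    static AppToken refreshWithGroups(AppToken current, Map<String, Object> idTokenClaims, Instant exp) {
        Object claim = idTokenClaims.get("groups"); // claim name is an assumption
        Set<String> groups = new LinkedHashSet<>();
        if (claim instanceof Collection<?> values) {
            for (Object v : values) groups.add(String.valueOf(v));
        } else if (claim instanceof String s && !s.isBlank()) {
            groups.add(s); // some providers send a single group as a plain string
        }
        return new AppToken(current.identity(), Set.copyOf(groups), exp);
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        AppToken login = new AppToken("alice", Set.of("nifi-operators"), now.plusSeconds(3600));
        // Constructed claims standing in for the ID token returned by the refresh grant.
        Map<String, Object> newIdToken = Map.of("sub", "alice", "groups", List.of("nifi-operators"));
        Instant exp = now.plusSeconds(7200);
        System.out.println("after login: " + authorized(login));
        System.out.println("refresh, groups dropped: " + authorized(refreshDroppingGroups(login, newIdToken, exp)));
        System.out.println("refresh, groups from new token: " + authorized(refreshWithGroups(login, newIdToken, exp)));
    }
}
```

The model requires Java 16 or later for records and pattern matching. It represents the case named in the issue where the configured User Group Provider supplies no groups, so the token is the only source of membership.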