[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16122022#comment-16122022
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2047
  
Ran `contrib-check` and all tests pass. +1, merging. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16122024#comment-16122024
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/2047


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF subversion and git services (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16122021#comment-16122021
 ] 

ASF subversion and git services commented on NIFI-4210:
---

Commit 528b82634f528468970eaa655c0085b1c9592b71 in nifi's branch 
refs/heads/master from [~mcgilman]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=528b826 ]

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.
- Adding/fixing documentation.
- Implementing time constant equality checks where appropriate.
- Corrected error handling during startup and throughout the OIDC login 
sequence.
- Redacting the token values from the user log.
- Defaulting to RS256 when not preferred algorithm is specified.
- Marking the OIDC endpoints as non-guaranteed in to allow for minor 
adjustments if/when additional SSO techniques are introduced.

This closes #2047.

Signed-off-by: Andy LoPresto 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16120851#comment-16120851
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2047
  
I continued reviewing with a custom IdP from Auth0. This provider can 
integrate with other providers, including Google, Facebook, etc. and also have 
its own custom users stored locally. @mcgilman and I were able to receive a 
success response from Auth0 for a custom user, but the token signature could 
not be validated. We traced this to determine that on startup, when the 
`TokenValidator` is initialized, if no 
`nifi.security.user.oidc.preferred.jwsalgorithm` is present in 
`nifi.properties`, the first value of `id_token_signing_alg_values_supported` 
in the response from the OpenID Connect Discovery Document URI is used. In 
Auth0's case, this was `HS256` as opposed to `RS256`, but the tokens returned 
were signed with `RS256`, resulting in NiFi returning an error "Unable to 
exchange authorization for ID token: Unable to parse the response from the 
Token request: Signed JWT rejected: Another algorithm expected, or no matching 
key(s) found". 

The Auth0 OIDC Discovery Document response:

```

{"issuer":"https://apachenifi.auth0.com/","authorization_endpoint":"https://apachenifi.auth0.com/authorize","token_endpoint":"https://apachenifi.auth0.com/oauth/token","userinfo_endpoint":"https://apachenifi.auth0.com/userinfo","mfa_challenge_endpoint":"https://apachenifi.auth0.com/mfa/challenge","jwks_uri":"https://apachenifi.auth0.com/.well-known/jwks.json","registration_endpoint":"https://apachenifi.auth0.com/oidc/register","scopes_supported":["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],"response_types_supported":["code","token","id_token","code
 token","code id_token","token id_token","code token 
id_token"],"response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["HS256","RS256"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"claims_supported":["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"]}
```

We decided to change the initialization logic to default to `RS256` as it 
is required by the [OpenID Connect 
Specification](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
 to always be present in this response. 

> id_token_signing_alg_values_supported
> REQUIRED. JSON array containing a list of the JWS signing algorithms (alg 
values) supported by the OP for the ID Token to encode the Claims in a JWT 
[JWT]. **The algorithm RS256 MUST be included**. The value none MAY be 
supported, but MUST NOT be used unless the Response Type used returns no ID 
Token from the Authorization Endpoint (such as when using the Authorization 
Code Flow).

I manually provided `RS256` as a configuration value for 
`nifi.security.user.oidc.preferred.jwsalgorithm` in `nifi.properties` and was 
able to successfully sign in as the user. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16119840#comment-16119840
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on the issue:

https://github.com/apache/nifi/pull/2047
  
@alopresto This is not something that was introduced in this PR though I am 
happy to address it here. Will push a new commit shortly. Thanks!


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16119325#comment-16119325
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2047
  
I'm still reviewing. I have this working very well with Google being the 
IdP. One thing I have noticed in the `nifi-user.log` is that the token is 
logged at `INFO` level on every request. I believe this is from 
[`NiFiAuthenticationFilter:174`](https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java#L174-L174)
 (line 53 also prints the token). I think these lines should be fixed -- I 
understand wanting to print the incoming information to help with debugging, 
but I don't think the raw token should be printed here, so there should be some 
control logic or the `#toString()` method should be overridden. 

```
2017-08-08 19:21:18,784 INFO [NiFi Web Server-18] 
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for 
(eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbG9wcmVzdG8uYXBhY2hlQGdtYWlsLmNvbSIsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6ImFsb3ByZXN0by5hcGFjaGVAZ21haWwuY29tIiwia2lkIjoxLCJleHAiOjE1MDIyNDg4NzcsImlhdCI6MTUwMjI0NTI3OH0.hHb4zJljXgv9ja_x46nFjxkYAXgGmuPXtJEm44Mrxj4)
 GET https://localhost:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2017-08-08 19:21:18,839 INFO [NiFi Web Server-18] 
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for 
alopresto.apa...@gmail.com
2017-08-08 19:21:18,918 INFO [NiFi Web Server-84] 
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for 
(eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbG9wcmVzdG8uYXBhY2hlQGdtYWlsLmNvbSIsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6ImFsb3ByZXN0by5hcGFjaGVAZ21haWwuY29tIiwia2lkIjoxLCJleHAiOjE1MDIyNDg4NzcsImlhdCI6MTUwMjI0NTI3OH0.hHb4zJljXgv9ja_x46nFjxkYAXgGmuPXtJEm44Mrxj4)
 GET https://localhost:9443/nifi-api/flow/client-id (source ip: 127.0.0.1)
2017-08-08 19:21:18,920 INFO [NiFi Web Server-84] 
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for 
alopresto.apa...@gmail.com
```




> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16112682#comment-16112682
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131135419
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111861#comment-16111861
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r131015276
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
--- End diff --

I was concerned that a malformed cookie could have an empty/whitespace 
content but not be `null`. Looks like the cookie spec and browser 
implementations prevent that, so this is resolved. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111512#comment-16111512
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962746
  
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@
 9.4.3.v20170317
 4.10.4
 4.2.4.RELEASE
-4.0.3.RELEASE
+4.2.3.RELEASE
--- End diff --

I'm not aware of the changes. Just realized we hadn't upgraded in awhile. 
I'm happy to back this out and create another JIRA to investigate further.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111510#comment-16111510
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130962379
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111503#comment-16111503
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130961276
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111453#comment-16111453
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130954077
  
--- Diff: pom.xml ---
@@ -95,7 +95,7 @@
 9.4.3.v20170317
 4.10.4
 4.2.4.RELEASE
-4.0.3.RELEASE
+4.2.3.RELEASE
--- End diff --

Any big changes in going from 4.0 to 4.2?


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111436#comment-16111436
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951566
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111433#comment-16111433
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130951002
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111380#comment-16111380
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130943341
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111360#comment-16111360
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130940968
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16111344#comment-16111344
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130939060
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java
 ---
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.TokenErrorResponse;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
+import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
+import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
+import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.util.FormatUtils;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.jwt.JwtService;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static 
com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME;
+
+/**
+ * OidcProvider for managing the OpenId Connect Authorization flow.
+ */
+public class StandardOidcIdentityProvider implements OidcIdentityProvider {
+
+private static final Logger logger = 
LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
+
+private NiFiProperties properties;
+private JwtService jwtService;
+private OIDCProviderMetadata oidcProviderMetadata;
+private int oidcConnectTimeout;
+private int oidcReadTimeout;
+private IDTokenValidator tokenValidator;
+private ClientID clientId;
+private Secret clientSecret;
+
+/**
+ * Creates a new StandardOidcIdentityProvider.
+ *
+ * @param jwtService jwt service
+ * @param properties properties
+ */
+public StandardOidcIdentityProvider(final JwtService jwtService, 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110963#comment-16110963
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130884901
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+  

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110964#comment-16110964
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130884930
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+  

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110946#comment-16110946
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130882716
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+  

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110916#comment-16110916
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878847
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
--- End diff --

Got it.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110914#comment-16110914
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130878563
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110875#comment-16110875
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130873359
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
--- End diff --

That's a typo. It 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110873#comment-16110873
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130872958
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
--- End diff --

The only value that isn't checked here is the authorization endpoint. The 
remainder of the checks are done during start up in the 
`StandardOidcIdentityProvider` constructor. I'll update it to verify the 
presence of the endpoints that we explicitly invoke.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110865#comment-16110865
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130871309
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
--- End diff --

`getCookieValue` returns null when no cookie is found with the specified 
name. I'll update the Javadoc's on that method to make it clearer.

If there is a cookie with that name, we attempt to use the associated value 
in the login process. We have not formally defined a format for this 
identifier. Rather, we've left it just a `String` for now in case we choose to 
change it later.


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110048#comment-16110048
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130762623
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+ 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110010#comment-16110010
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130757944
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+ 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109958#comment-16109958
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130750100
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
+}
+
+/**
+ * Returns the OpenId Connect authorization endpoint.
+ *
+ * @return the authorization endpoint
+ */
+public URI getAuthorizationEndpoint() {
+return identityProvider.getAuthorizationEndpoint();
+}
+
+/**
+ * Returns the OpenId Connect scope.
+ *
+ * @return scope
+ */
+public Scope getScope() {
+return identityProvider.getScope();
+}
+
+/**
+ * Returns the OpenId Connect client id.
+ *
+ * @return client id
+ */
+public String getClientId() {
+return identityProvider.getClientId().getValue();
+}
+
+/**
+ * Initiates an OpenId Connection authorization code flow using the 
specified request identifier to maintain state.
+ *
+ * @param oidcRequestIdentifier request identifier
+ * @return state
+ */
+public State createState(final String oidcRequestIdentifier) {
+if (!isOidcEnabled()) {
+ 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109941#comment-16109941
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748733
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
+ * @param units The expiration units
+ * @throws NullPointerException If units is null
+ * @throws IllegalArgumentException If duration is negative
+ */
+public OidcService(final OidcIdentityProvider identityProvider, final 
int duration, final TimeUnit units) {
+this.identityProvider = identityProvider;
+this.stateLookupForPendingRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+this.jwtLookupForCompletedRequests = 
CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
+}
+
+/**
+ * Returns whether OpenId Connect is enabled.
+ *
+ * @return whether OpenId Connect is enabled
+ */
+public boolean isOidcEnabled() {
+return identityProvider.isOidcEnabled();
--- End diff --

This can throw an NPE if the identity provider isn't defined. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109940#comment-16109940
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748639
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
--- End diff --

The Javadoc says the expiration is 5 minutes, but it looks like this is 
hardcoded to 1 minute. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109938#comment-16109938
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748605
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
 ---
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.oidc;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.nifi.web.security.util.CacheKey;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+import static 
org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;
+
+/**
+ * OidcService is a service for managing the OpenId Connect Authorization 
flow.
+ */
+public class OidcService {
+
+private OidcIdentityProvider identityProvider;
+private Cache stateLookupForPendingRequests; // 
identifier from cookie -> state value
+private Cache jwtLookupForCompletedRequests; // 
identifier from cookie -> jwt or identity (and generate jwt on retrieval)
+
+/**
+ * Creates a new OtpService with an expiration of 5 minutes.
+ */
+public OidcService(final OidcIdentityProvider identityProvider) {
+this(identityProvider, 60, TimeUnit.SECONDS);
+}
+
+/**
+ * Creates a new OtpService.
+ *
+ * @param duration  The expiration duration
--- End diff --

Looks like it is missing a Javadoc `param` for the identity provider. 


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109936#comment-16109936
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748365
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109934#comment-16109934
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130748112
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
+
+// remove the oidc 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109930#comment-16109930
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747485
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"The login request identifier was not found in the request. Unable to 
continue.");
+return;
+}
+
+final com.nimbusds.openid.connect.sdk.AuthenticationResponse 
oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
+if (oidcResponse.indicatesSuccess()) {
+final AuthenticationSuccessResponse successfulOidcResponse = 
(AuthenticationSuccessResponse) oidcResponse;
+
+// confirm state
+final State state = successfulOidcResponse.getState();
+if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
+logger.error("Purposed state does not match the stored 
state. Unable to continue login process.");
--- End diff --

I don't understand 

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109927#comment-16109927
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747327
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+.queryParam("client_id", oidcService.getClientId())
+.queryParam("response_type", "code")
+.queryParam("scope", oidcService.getScope().toString())
+.queryParam("state", state.getValue())
+.queryParam("redirect_uri", getOidcCallback())
+.build();
+
+// generate the response
+httpServletResponse.sendRedirect(authorizationUri.toString());
+}
+
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/callback")
+@ApiOperation(
+value = "Redirect/callback URI for processing the result of 
the OpenId Connect login sequence."
+)
+public void oidcCallback(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = 
getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
+if (oidcRequestIdentifier == null) {
--- End diff --

Can this return value be an empty/blank String rather than `null`?


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109924#comment-16109924
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130747016
  
--- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
 ---
@@ -125,6 +142,160 @@ public Response getLoginConfig(@Context 
HttpServletRequest httpServletRequest) {
 return generateOkResponse(entity).build();
 }
 
+@GET
+@Consumes(MediaType.WILDCARD)
+@Produces(MediaType.WILDCARD)
+@Path("oidc/request")
+@ApiOperation(
+value = "Initiates a request to authenticate through the 
configured OpenId Connect provider."
+)
+public void oidcRequest(@Context HttpServletRequest 
httpServletRequest, @Context HttpServletResponse httpServletResponse) throws 
Exception {
+// only consider user specific access over https
+if (!httpServletRequest.isSecure()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"User authentication/authorization is only supported when running over HTTPS.");
+return;
+}
+
+// ensure oidc is enabled
+if (!oidcService.isOidcEnabled()) {
+forwardToMessagePage(httpServletRequest, httpServletResponse, 
"OpenId Connect is not configured.");
+return;
+}
+
+final String oidcRequestIdentifier = UUID.randomUUID().toString();
+
+// generate a cookie to associate this login sequence
+final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, 
oidcRequestIdentifier);
+cookie.setPath("/");
+cookie.setHttpOnly(true);
+cookie.setMaxAge(60);
+cookie.setSecure(true);
+httpServletResponse.addCookie(cookie);
+
+// get the state for this request
+final State state = oidcService.createState(oidcRequestIdentifier);
+
+// build the authorization uri
+final URI authorizationUri = 
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
--- End diff --

My initial understanding is that all of these parameters are required for 
the call to work -- can we validate that the values are present and valid 
before attempting the request?


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109915#comment-16109915
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2047
  
Reviewing...


> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109630#comment-16109630
 ] 

ASF GitHub Bot commented on NIFI-4210:
--

GitHub user mcgilman opened a pull request:

https://github.com/apache/nifi/pull/2047

NIFI-4210: Add support for OpenId Connect

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mcgilman/nifi NIFI-4210

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/2047.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2047


commit 4859baa29f42ff98e3747527cb0135e306baa7d2
Author: Matt Gilman 
Date:   2017-08-01T14:46:45Z

NIFI-4210:
- Introducing support for OpenId Connect.
- Updating REST API and UI to support the authorization code flow.




> Add OpenId Connect support for authenticating users
> ---
>
> Key: NIFI-4210
> URL: https://issues.apache.org/jira/browse/NIFI-4210
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Matt Gilman
>Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection 
> specification. Evaluate whether a new extension point is necessary to allow 
> for a given provider to supply custom code for instance to implement custom 
> token validation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)