Can you verify the initial redirect to OIDC and the callback are going to the 
same node in NiFi? I see your LB configs are set to sticky sessions, but it may 
be that if the callback is originating from the OIDC IDP server rather than the 
actual client IP, the session affinity is not being applied. Regardless, the 
error appears to indicate that the JWT provided in the request to NiFi isn’t 
able to be validated, which indicates that the key used to sign it isn’t 
present on that node, which is likely due to the request being sent to a node 
other than the one that signed it. 

Quick and easy way to validate this would be to change the stateful set # to 1 
node and attempt the same sequence of operations. 


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Apr 27, 2020, at 8:12 AM, Ami Goldenberg <ami.g...@gmail.com> wrote:
> 
> Hi Nathan,
> Indeed, that's the case
> 
> On Mon, Apr 27, 2020 at 5:57 PM Nathan Gough <thena...@gmail.com> wrote:
> Hi Ami,
> 
> Just to confirm, the OAuth Client ID redirect URL in OIDC is set to 
> "https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback" and the 
> NiFi property is set to 
> "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration".
> 
> Nathan
> 
> On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <ami.g...@gmail.com> wrote:
> Hi,
> 
> We are trying to deploy NiFi on kubernetes after successfully using it for a 
> while.
> The issue we are having is that every time we enter our nifi URL it will 
> redirect us to Google and once we sign in we just get redirected again.
> 
> The error I see in users.log is:
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET 
> https://XXX.XXX.XXXX/nifi-api/flow/current-user (source ip: 172.32.34.99) 
> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi Web 
> Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating 
> the JWT
> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web 
> Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate the access 
> token.
> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not match 
> locally computed signature. JWT validity cannot be asserted and should not be 
> trusted.
> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web 
> Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web 
> api:Unable to validate the access token.
> 
> We're trying to follow practices from blogs and pvillard's repo:
> https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
> https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
> https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
> 
> Our setup is as such:
> OIDC provider is Google
> TLS-toolkit running in server mode inside k8s
> StatefulSet of 3 replicas
> Zookeeper in K8s
> Ingress that is set up to create a load balancer in AWS - with sticky 
> sessions (based on cookie)
> Service that is set up with sessionAffinity: ClientIP
> 
> Any idea which direction I should be checking next?
> Thanks!
