Hello dear NiFi users,
Is there an up-to-date manual on how to integrate Apache NiFi with Keycloak?
I have been struggling with this for a few days without a positive result.
My nifi.properties configuration:
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=oidc-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=[URL value lost in extraction]
nifi.security.ocsp.responder.certificate=
# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url=[URL value lost in extraction]
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=nifi-client
nifi.security.user.oidc.client.secret=SomeKey
nifi.security.user.oidc.preferred.jwsalgorithm=RS256
nifi.security.user.oidc.claim.identifying.user=preferred_username
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.claim.groups=groups
nifi.security.user.oidc.token.refresh.window=60 secs
nifi.security.user.oidc.discovery.url=[URL value lost in extraction]
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=nifi-client
nifi.security.user.oidc.client.secret=SomeKey
nifi.security.user.oidc.preferred.jwsalgorithm=RS256
nifi.security.user.oidc.claim.identifying.user=preferred_username
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.claim.groups=groups
nifi.security.user.oidc.token.refresh.window=60 secs
authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- authorizers.xml as posted: a Keycloak-backed user group provider, a file-based access policy
     provider that resolves identities through it, and the managed authorizer that nifi.properties
     refers to (nifi.security.user.authorizer=managed-authorizer). -->
<authorizers>
<!-- NOTE(review): KeycloakUserGroupProvider is not a class I can place in the stock NiFi distribution;
     confirm the NAR/JAR that provides it is actually deployed, otherwise the authorizer cannot be loaded.
     Username/Password/ClientID are Keycloak admin credentials stored in clear text, and ServerUrl is plain
     http, so keep this file's permissions tight and only use http while Keycloak is on the same host. -->
<userGroupProvider>
<identifier>keycloak-user-group-provider</identifier>
<class>org.apache.nifi.authorization.KeycloakUserGroupProvider</class>
<property name="ServerUrl">http://localhost:8080/</property>
<property name="Realm">nifi-realm</property>
<property name="Username">admin</property>
<property name="Password">***</property>
<property name="ClientID">admin-cli</property>
</userGroupProvider>
<!-- "Initial Admin Identity" is compared against the identity NiFi derives at login, which nifi.properties
     sets to the preferred_username claim (nifi.security.user.oidc.claim.identifying.user=preferred_username);
     "admin" therefore has to equal that Keycloak user's preferred_username exactly, including case.
     The identifier strings chaining the three sections together must also match exactly; they do here. -->
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">keycloak-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">admin</property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
login-identity-providers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- login-identity-providers.xml as posted; nifi.properties points
     nifi.security.user.login.identity.provider at the "oidc-provider" identifier below. -->
<loginIdentityProviders>
<!-- NOTE(review): as far as I know NiFi's OIDC login is driven entirely by the nifi.security.user.oidc.*
     properties and the standard distribution ships no OidcIdentityProvider for this file (the login
     identity provider hook is used for LDAP/Kerberos providers). Confirm the class exists on the
     classpath; if it does not, leave nifi.security.user.login.identity.provider empty and rely on the
     nifi.properties OIDC settings alone. The Client Secret here duplicates
     nifi.security.user.oidc.client.secret in clear text; if SomeKey is the real value it should be
     rotated now that it has been posted. -->
<provider>
<identifier>oidc-provider</identifier>
<class>org.apache.nifi.authentication.single.oidc.OidcIdentityProvider</class>
<property name="Discovery URL">http://localhost:8080/realms/nifi-realm/.well-known/openid-configuration</property>
<property name="Client ID">nifi-client</property>
<property name="Client Secret">SomeKey</property>
<property name="Connect Timeout">5 secs</property>
<property name="Read Timeout">5 secs</property>
<property name="Preferred JWS Algorithm">RS256</property>
<property name="Claim Identifying User">preferred_username</property>
</provider>
</loginIdentityProviders>
What am I doing wrong?
Regards
