nifi-users mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: OIDC Redirect loop
Date Mon, 27 Apr 2020 18:25:26 GMT
Can you verify the initial redirect to OIDC and the callback are going to the same node in
NiFi? I see your LB configs are set to sticky sessions, but it may be that if the callback
is originating from the OIDC IDP server rather than the actual client IP, the session affinity
is not being applied. Regardless, the error appears to indicate that the JWT provided in the
request to NiFi isn’t able to be validated, which indicates that the key used to sign it
isn’t present on that node, which is likely due to the request being sent to a node other
than the one that signed it. 

A quick and easy way to validate this would be to change the StatefulSet replica count to 1 node and attempt
the same sequence of operations.


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Apr 27, 2020, at 8:12 AM, Ami Goldenberg <ami.gold@gmail.com> wrote:
> 
> Hi Nathan,
> Indeed, that's the case
> 
> On Mon, Apr 27, 2020 at 5:57 PM Nathan Gough <thenatog@gmail.com> wrote:
> Hi Ami,
> 
> Just to confirm, the OAuth Client ID redirect URL in OIDC is set to "https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback"
> and the NiFi property is set "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration".
> 
> Nathan
> 
> On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <ami.gold@gmail.com> wrote:
> Hi,
> 
> We are trying to deploy NiFi on kubernetes after successfully using it for a while.
> The issue we are having is that every time we enter our nifi URL it will redirect us
> to Google and once we sign in we just get redirected again.
> 
> The error I see on users.log is:
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source ip: 172.32.34.99)
> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api:Unable to validate the access token.
> 
> We're trying to follow practices from blogs and pvillard's repo:
> https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
> https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
> https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
> 
> Our set up is as such:
> OIDC provider is Google
> TLS-toolkit running in server mode inside k8s
> StatefulSet of 3 replicas
> Zookeeper in K8s
> Ingress that is set up to create a load balancer in AWS - with sticky sessions (based on cookie)
> Service that is set up with sessionAffinity: ClientIP
> 
> Any idea which direction I should be checking next? Thanks!
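The failure mode Andy describes above, reproduced as an added example (this is not NiFi's code and not from anyone in the thread): three stand-in nodes each hold their own HS256 signing key, a token minted by one node is presented to the others, and only the issuing node can validate it. The `kid` header carrying the node name, the round-robin versus sticky routing in `Cluster`, and the node names `nifi-0`..`nifi-2` are assumptions for the demo; sticky routing here keys on the token's `kid` purely as a stand-in for the load balancer's affinity cookie. `peek_header` decodes the header without verifying, which is the quick check for which node issued the token in a log line like the one quoted; it must never be used for authorization.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Node:
    """Stand-in for one cluster node. Assumption for this demo: every node
    generates its own random HMAC key at start-up and never shares it."""
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def issue(self, subject: str) -> str:
        # Hypothetical header/payload layout; 'kid' records which node signed.
        header = {"alg": "HS256", "typ": "JWT", "kid": self.name}
        payload = {"sub": subject, "iss": self.name}
        signing_input = (
            b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + "."
            + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
        )
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)

    def validate(self, token: str) -> dict:
        """Recompute the HMAC with this node's local key; raise on mismatch."""
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(
            self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("JWT signature does not match locally computed signature")
        return json.loads(b64url_decode(payload_b64))


def peek_header(token: str) -> dict:
    """Decode the JWT header WITHOUT verification. Diagnostics only."""
    return json.loads(b64url_decode(token.split(".")[0]))


class Cluster:
    """Front door for the nodes: round-robin by default, or 'sticky' routing
    that sends a request back to the node named in the token's kid (stand-in
    for cookie-based session affinity on the load balancer)."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self._rr = 0

    def route(self, token: str, sticky: bool) -> Node:
        if sticky:
            kid = peek_header(token).get("kid")
            for node in self.nodes:
                if node.name == kid:
                    return node
        node = self.nodes[self._rr % len(self.nodes)]
        self._rr += 1
        return node

    def handle(self, token: str, sticky: bool) -> str:
        node = self.route(token, sticky)
        try:
            node.validate(token)
            return f"{node.name}:accepted"
        except ValueError:
            return f"{node.name}:rejected"


def simulate(token: str, cluster: Cluster, sticky: bool, count: int = 3) -> list:
    """Replay the same bearer token `count` times and report per-node outcomes."""
    return [cluster.handle(token, sticky) for _ in range(count)]


if __name__ == "__main__":
    nodes = [Node("nifi-0"), Node("nifi-1"), Node("nifi-2")]
    tok = nodes[0].issue("user@example.com")  # constructed sample subject
    print("issued by:", peek_header(tok)["kid"])
    print("round-robin:", simulate(tok, Cluster(nodes), sticky=False))
    print("sticky:     ", simulate(tok, Cluster(nodes), sticky=True))
```

With round-robin routing two of three replays land on nodes that never saw the key and are rejected with exactly the signature-mismatch message in the quoted log; with affinity every replay returns to the issuer and succeeds, which is what scaling the StatefulSet to one replica tests in one step.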

