nifi-users mailing list archives

From Edward Armes <edward.ar...@gmail.com>
Subject Re: OIDC Redirect loop
Date Mon, 27 Apr 2020 10:02:36 GMT
Hi Ami,

Based on the error you've got in the user log it looks like you've got 
a local trust issue. If you could tell us what you've already tried, 
someone might be able to help you a bit more.

Edward

On 27/04/2020 05:36, Ami Goldenberg wrote:
> Hi,
>
> We are trying to deploy NiFi on kubernetes after successfully using it 
> for a while.
> The issue we are having is that every time we enter our nifi URL it 
> will redirect us to Google and once we sign in we just get 
> redirected again.
>
> _The error I see on users.log is:_
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT 
> token>) GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source 
> ip: 172.32.34.99)
> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi 
> Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error 
> validating the JWT
> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web 
> Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate 
> the access token.
> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not 
> match locally computed signature. JWT validity cannot be asserted and 
> should not be trusted.
> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web 
> Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web 
> api:Unable to validate the access token.
>
> _We're trying to follow practices from blogs and pvillard's repo:_
>
>   * https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
>   * https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
>   * https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
>
> _Our setup is as such:_
>
>   * OIDC provider is Google
>   * TLS-toolkit running in server mode inside k8s
>   * StatefulSet of 3 replicas
>   * Zookeeper in K8s
>   * Ingress that is set up to create a load balancer in AWS - with
>     sticky sessions (based on cookie)
>   * Service that is set up with sessionAffinity: ClientIP
>
>
> Any idea which direction I should be checking next? Thanks!