nifi-users mailing list archives

From Ami Goldenberg <ami.g...@gmail.com>
Subject Re: OIDC Redirect loop
Date Mon, 27 Apr 2020 15:12:41 GMT
Hi Nathan,
Indeed, that's the case.

On Mon, Apr 27, 2020 at 5:57 PM Nathan Gough <thenatog@gmail.com> wrote:

> Hi Ami,
>
> Just to confirm, the OAuth Client ID redirect URL in OIDC is set to "
> https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback" and
> the NiFi property is set "nifi.security.user.oidc.discovery.url=
> https://accounts.google.com/.well-known/openid-configuration".
>
> Nathan
>
> On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <ami.gold@gmail.com>
> wrote:
>
>> Hi,
>>
>> We are trying to deploy NiFi on kubernetes after successfully using it
>> for a while.
>> The issue we are having is that every time we enter our nifi URL it will
>> redirect us to Google and once we sign in we just get redirected again.
>>
>> *The error I see on users.log is:*
>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>)
>> GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source ip:
>> 172.32.34.99)
>> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi
>> Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error
>> validating the JWT
>> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web
>> Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate
>> the access token.
>> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not
>> match locally computed signature. JWT validity cannot be asserted and
>> should not be trusted.
>> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web
>> Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web
>> api:Unable to validate the access token.
>>
>> *We're trying to follow practices from blogs and pvillard's repo:*
>>
>>    - https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
>>    - https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
>>    - https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
>>
>> *Our set up is as such:*
>>
>>    - OIDC provider is Google
>>    - TLS-toolkit running in server mode inside k8s
>>    - StatefulSet of 3 replicas
>>    - Zookeeper in K8s
>>    - Ingress that is set up to create a load balancer in AWS - with
>>    sticky sessions (based on cookie)
>>    - Service that is set up with sessionAffinity: ClientIP
>>
>>
>> Any idea which direction I should be checking next? Thanks!
>>
>
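The users.log excerpt in the quoted post reports a JWT whose signature does not match the one the receiving node computes locally. The following added example (not code from this thread or from NiFi) reproduces that exact condition with a minimal HS256 signer and verifier: a token signed under one secret verifies only when the verifier holds the same secret. The two secrets KEY_A and KEY_B are constructed, and HS256 is assumed purely for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample secrets standing in for two verifiers that do not
# share signing material (an assumption for this illustration).
KEY_A = b"constructed-secret-for-verifier-a"
KEY_B = b"constructed-secret-for-verifier-b"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Tuple[bool, str]:
    """Recompute the signature locally with `key` and compare in constant time.
    Returns (ok, reason); the failure reason echoes the wording of the log excerpt."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "JWT signature does not match locally computed signature"
    return True, "ok"


def demo() -> dict:
    """Token issued under KEY_A: accepted by a verifier holding KEY_A, rejected under KEY_B."""
    token = sign_hs256({"sub": "user@example.com", "iss": "verifier-a"}, KEY_A)
    return {"same_key": verify_hs256(token, KEY_A)[0], "other_key": verify_hs256(token, KEY_B)[0]}


if __name__ == "__main__":
    print(demo())  # {'same_key': True, 'other_key': False}
```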
