https://community.cloudera.com/t5/Support-Questions/Nifi-invalid-access-token-rest-api/m-p/353785#M236796 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/100789">@KD9</a>&nbsp; &nbsp;How long the NiFi server will validate a clients token is configured within the login-identity-providers.xml file via the following property:</P><PRE>Authentication Expiration</PRE><P>When setting up an automated process, using client tokens is not the best method.&nbsp; A better option would be to authenticate your client via a client certificate.&nbsp; &nbsp;With a client certificate, there is not need to obtain a token.&nbsp; That Client certificate will continue to work for the life of the certificate (certificates do have a valid until date set when you generate the certificate).&nbsp; &nbsp;So instead of passing a bearer token in your curl command, you would use your client pem key.&nbsp; &nbsp;The owner DN from the client certificate would be used as the user identity that you would then need to authorize in NiFi for the rest-api endpoint(s) needed for your automation.<BR /><BR /></P><P><FONT face="batang,apple gothic">If you found that the provided solution(s) assisted you with your query, please take a moment to login and click</FONT>&nbsp;<FONT face="arial black,avant garde" color="#FF0000">Accept as Solution&nbsp;</FONT><FONT face="batang,apple gothic" color="#000000">below each response that helped.<BR /><BR />Thank you,</FONT></P><P><FONT face="batang,apple gothic" color="#000000">Matt</FONT></P><P><BR /><BR /></P> Fri, 30 Sep 2022 21:31:29 GMT MattWho 2022-09-30T21:31:29Z https://community.cloudera.com/t5/Support-Questions/Nifi-invalid-access-token-rest-api/m-p/353697#M236771 <P>Hello Everyone,</P><P>&nbsp;</P><P>We are triggering our Nifi processors (version 1.16.2 , LDAP integrated ) through Curl within cron job. Curl is invoking the processor using access token (as we moved from http call to https)</P><P>&nbsp;</P><P>Generating access token :</P><P>&nbsp;</P><P><EM>curl https://$hostip:$port/nifi-api/access/token -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' --data 'username="${ldapusername}"&amp;password="${ldappassword}"' '--compressed --insecure </EM></P><P>&nbsp;</P><P>&nbsp;</P><P>Curl invoking Nifi processor using acces token stored in variable <EM>$nifi_token</EM> :</P><P>&nbsp;</P><P><EM>curl -i -H 'Content-Type: application/json' -H 'Authorization:Bearer '$nifi_token -XPUT -d '{"id":"'${processorid }'","state":"STOPPED"}' https://$hostip:$port/nifi-api/flow/process-groups/$processorid '--insecure'</EM></P><P>&nbsp;</P><P>But it is failing for token expiration :</P><P>&nbsp;</P><P><EM>WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Expired JWT", error_uri="<A title="https://tools.ietf.org/html/rfc6750#section" href="https://tools.ietf.org/html/rfc6750#section" target="_blank" rel="noopener noreferrer">https://tools.ietf.org/html/rfc6750#section</A>&nbsp;Server: Jetty(9.4.46.v20220331)</EM></P><P>&nbsp;</P><P>How can we set this access token to not expire ?</P><P>Or can we not used access token and using LDAP credentials within curl script to invoke the Nifi processors.</P><P>&nbsp;</P><P>We tried modifying "nifi.security.user.jws.key.rotation.period" property to set the expiration duration in nifi.properties following&nbsp;</P><P><A href="https://exceptionfactory.com/posts/2021/10/23/improving-jwt-authentication-in-apache-nifi/" target="_blank" rel="noopener">https://exceptionfactory.com/posts/2021/10/23/improving-jwt-authentication-in-apache-nifi/</A><BR /><A href="https://en.wikipedia.org/wiki/ISO_8601#Durations" target="_blank" rel="noopener">https://en.wikipedia.org/wiki/ISO_8601#Durations</A><BR /><A href="https://nifi.apache.org/docs/nifi-docs/rest-api/index.html" target="_blank" rel="noopener">https://nifi.apache.org/docs/nifi-docs/rest-api/index.html</A></P><P>but still it fails and the curl is unable to trigger the Nifi processor.</P><P>&nbsp;</P><P>Thank you in advance !</P> Thu, 29 Sep 2022 19:32:55 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-invalid-access-token-rest-api/m-p/353697#M236771 KD9 2022-09-29T19:32:55Z https://community.cloudera.com/t5/Support-Questions/Nifi-invalid-access-token-rest-api/m-p/353785#M236796 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/100789">@KD9</a>&nbsp; &nbsp;How long the NiFi server will validate a clients token is configured within the login-identity-providers.xml file via the following property:</P><PRE>Authentication Expiration</PRE><P>When setting up an automated process, using client tokens is not the best method.&nbsp; A better option would be to authenticate your client via a client certificate.&nbsp; &nbsp;With a client certificate, there is not need to obtain a token.&nbsp; That Client certificate will continue to work for the life of the certificate (certificates do have a valid until date set when you generate the certificate).&nbsp; &nbsp;So instead of passing a bearer token in your curl command, you would use your client pem key.&nbsp; &nbsp;The owner DN from the client certificate would be used as the user identity that you would then need to authorize in NiFi for the rest-api endpoint(s) needed for your automation.<BR /><BR /></P><P><FONT face="batang,apple gothic">If you found that the provided solution(s) assisted you with your query, please take a moment to login and click</FONT>&nbsp;<FONT face="arial black,avant garde" color="#FF0000">Accept as Solution&nbsp;</FONT><FONT face="batang,apple gothic" color="#000000">below each response that helped.<BR /><BR />Thank you,</FONT></P><P><FONT face="batang,apple gothic" color="#000000">Matt</FONT></P><P><BR /><BR /></P> Fri, 30 Sep 2022 21:31:29 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-invalid-access-token-rest-api/m-p/353785#M236796 MattWho 2022-09-30T21:31:29Z