https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372099#M241153 <P>Hi.&nbsp; I had the same problem upgrading from 1.19.2.&nbsp; Investigation shows that if you add all "Default Client Scopes" and "Optional Client Scopes" to the Keycloak Client-ID configuration as specified in the nifi.security.user.oidc.client.id then the error will be bypassed.&nbsp; It appears NIFI is retrieving a list of all available client scopes for the client id, and expects them all to be assigned.&nbsp; I tested this against Keycloak 18.0.2 and 20.0.5 and the behaviour is the same.&nbsp; I suggest that this is a NIFI bug as we shouldn't be forced to assign all available client scopes to the client id</P> Mon, 05 Jun 2023 02:08:44 GMT Bryce 2023-06-05T02:08:44Z https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/370919#M240851 <P>Hi Team,</P><P>&nbsp;</P><P>We are currently facing an issue in NIFI with OIDC as an authentication mechanism. Below is what we are seeing when NIFI URL redirects to OIDC(keycloak) url.</P><P>&nbsp;</P><P>OIDC works perfectly well with 1.20.0 version but when upgraded to 1.21.0 we are getting below error.</P><P>&nbsp;</P><P>ERROR:&nbsp;</P><PRE>Unauthorized error="invalid_scope", error_description="Invalid scopes: openid address email web-origins profile user phone microprofile-jwt roles groups offline_access"</PRE><P>&nbsp;Please suggest if there is any significant change made from 1.20.0 to 1.21.0 nifi oidc configuration which might have caused the issue.</P><P>&nbsp;</P><P>Appreciate your help in advance.</P> Tue, 16 May 2023 22:59:59 GMT https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/370919#M240851 ravi_tadepally 2023-05-16T22:59:59Z https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372099#M241153 <P>Hi.&nbsp; I had the same problem upgrading from 1.19.2.&nbsp; Investigation shows that if you add all "Default Client Scopes" and "Optional Client Scopes" to the Keycloak Client-ID configuration as specified in the nifi.security.user.oidc.client.id then the error will be bypassed.&nbsp; It appears NIFI is retrieving a list of all available client scopes for the client id, and expects them all to be assigned.&nbsp; I tested this against Keycloak 18.0.2 and 20.0.5 and the behaviour is the same.&nbsp; I suggest that this is a NIFI bug as we shouldn't be forced to assign all available client scopes to the client id</P> Mon, 05 Jun 2023 02:08:44 GMT https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372099#M241153 Bryce 2023-06-05T02:08:44Z https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372109#M241155 <P>Fixed in&nbsp;<A href="https://issues.apache.org/jira/browse/NIFI-11438" target="_blank">[NIFI-11438] OIDC requests all available scopes - ASF JIRA (apache.org)</A></P> Mon, 05 Jun 2023 07:25:04 GMT https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372109#M241155 Bryce 2023-06-05T07:25:04Z https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372283#M241204 <P>Thank you Bryce. Appreciate your help in looking into this.</P><P>&nbsp;</P> Wed, 07 Jun 2023 23:08:07 GMT https://community.cloudera.com/t5/Support-Questions/NIFI-Invalid-scopes-while-connecting-through-OIDC/m-p/372283#M241204 ravi_tadepally 2023-06-07T23:08:07Z