question Re: NiFi API OAuth authentication issue in Support Questions

NiFi API OAuth authentication issue

RaoNEY — Wed, 19 Mar 2025 21:51:49 GMT

We need help to get token to execute Apache NiFi API which is running on Linux and OAuth authentication.

The below two steps we have taken.

Get token from Microsoft OAuth API call which gives us the token. <Success>
Using the token above and we are trying to get token from NiFi Api call which is not success

Example:

Step 1:

Token from Azure:

curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \

-H "Content-Type: application/x-www-form-urlencoded" \

-d "grant_type=client_credentials" \

-d "client_id={CliendID}" \

-d "client_secret={ClientSecret}" \

-d "scope={CliendID}/.default"

Result: Generated successful "{token}"

Step 2:

curl -X POST https://NIFIDnsName:9444/nifi-api/access/oidc/exchange \

-H "Authorization: Bearer {token}"

Error:

Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm exp

nifi.properties file:

nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/{tanent}/v2.0/.well-known/openid-configuration

nifi.security.user.oidc.connect.timeout=5 secs

nifi.security.user.oidc.read.timeout=5 secs

nifi.security.user.oidc.client.id=*********************

nifi.security.user.oidc.client.secret=**********************

nifi.security.user.oidc.preferred.jwsalgorithm=RS256

nifi.security.user.oidc.additional.scopes=offline_access

nifi.security.user.oidc.claim.identifying.user=email

nifi.security.user.oidc.fallback.claims.identifying.user=

nifi.security.user.oidc.claim.groups=groups

nifi.security.user.oidc.truststore.strategy=JDK

nifi.security.user.oidc.token.refresh.window=60 secs

nifi.security.user.oidc.pkce.enabled=true

nifi.security.user.oidc.jwt.algorithm=RS256

Can you help us steps to execute simple NiFi API call which is running OAuth authentication.

Re: NiFi API OAuth authentication issue

DianaTorres — Wed, 19 Mar 2025 23:38:38 GMT

@RaoNEY Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho @Shelton who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Re: NiFi API OAuth authentication issue

Shelton — Thu, 20 Mar 2025 20:48:21 GMT

@RaoNEY

The error message suggests that there's a JWT token algorithm mismatch: "An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm exp"

This typically happens when:

The token you're receiving from Azure in Step 1 uses a signing algorithm that doesn't match what NiFi is expecting
NiFi is configured to use RS256 algorithm (as shown in your nifi.properties), but the Azure token might be using a different algorithm

Verify token algorithm
First, check what algorithm your Azure token is using. You can decode your JWT token using tools like jwt.io to see the header which contains the algorithm (look for the "alg" field).

Modify your Azure token request
Azure AD OAuth tokens typically use RS256, but you may need to specify this explicitly in your Azure app registration settings.

Ensure correct token type
For NiFi OAuth/OIDC authentication, you need an ID token, not an access token. In your Step 1, you're requesting a client credentials grant which returns an access token. Instead, you need to:

# Modified Step 1 - Use authorization code flow to get ID token
curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id={ClientID}" \
-d "client_secret={ClientSecret}" \
-d "code={AuthorizationCode}" \
-d "redirect_uri={RedirectURI}" \
-d "scope=openid email profile

Update NiFi properties: Ensure these settings match your Azure configuration:

# Make sure these settings are correct
nifi.security.user.oidc.jwt.algorithm=RS256
nifi.security.user.oidc.preferred.jwsalgorithm=RS256

Check Azure app registration
In your Azure portal, verify:

Redirect URI is properly set to your NiFi callback URL
The app has appropriate API permissions
Token configuration includes ID tokens

Complete Authentication Flow

For NiFi OAuth with Azure AD, the proper flow should be:

1. Initiate login via NiFi UI or using

GET https://NIFIDnsName:9444/nifi-api/access/oidc/request

2. This redirects to Microsoft login page, where user authenticates

3. After successful authentication, Azure redirects back to NiFi with an authorization code

4. NiFi exchanges this code for tokens automatically

5. If you're doing this programmatically, use the authorization code flow, not client credentials
The direct token exchange you're attempting in Step 2 might not be supported or requires specific configuration. NiFi typically handles the OIDC token exchange internally after receiving the authorization code.
The direct token exchange you're attempting in Step 2 might not be supported or requires specific configuration. NiFi typically handles the OIDC token exchange internally after receiving the authorization code.

happy hadooping

Re: NiFi API OAuth authentication issue

DianaTorres — Tue, 01 Apr 2025 15:47:18 GMT

@RaoNEY Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Re: NiFi API OAuth authentication issue

RaoNEY — Tue, 15 Apr 2025 21:59:59 GMT

How do we get AuthorizationCode for step one. Can you please provide curl commands to get token to use Nifi api calls

Re: NiFi API OAuth authentication issue

VVPeter — Wed, 06 Aug 2025 15:16:57 GMT

Hello,

We're in the same situation and wanted to add that, based on this ticket: https://issues.apache.org/jira/browse/NIFI-5302, support for the Client Credentials Flow with OIDC access tokens should be available. However, it's unclear how this is supposed to be implemented, and we’re not sure which endpoint the Azure token should be sent to.

Similarly, for the Authorization Code Flow, it's also not clear which endpoint should be accessed after obtaining the token from Azure.

Could we please get some clear, step-by-step guidance on how to configure and use these flows?

Thank you!
@DianaTorres @Shelton

Re: NiFi API OAuth authentication issue

DianaTorres — Fri, 08 Aug 2025 23:06:10 GMT

@MattWho @mburgess Hi! Do you have any insights here? Thanks!