How to configure oidc based login mechanism for NiFi

AlokKumar — Mon, 11 May 2026 15:36:08 GMT

Hello I need help to setup oidc based login mechanism for NiFi. I came across this article https://docs.cloudera.com/cfm-operator/2.10.0/configure-nifi-cr/topics/cfm-op-configure-nifi-cr-oidc-auth.html

but I want to know how to do it for some provider other than Keycloak. I have an internal provider. Also when I read this article I saw some terms like Discovery url and "The clientID and clientSecret fields are provided to NiFi in a Kubernetes secret. Create that secret with the following command:

kubectl create secret generic oidc-client-secret --from-literal=clientID=[***YOUR CLIENT ID***] --from-literal=clientSecret=[***YOUR CLIENT SECRET***]

I am quite new to these terms and wanted to know how to do it in NiFi. Is kubernetes required? I have installed both NiFi 1.23 and NiFi 2.8 on a simple machine.

Re: How to configure oidc based login mechanism for NiFi

Shelton — Mon, 11 May 2026 20:22:15 GMT

@AlokKumar

OpenID Connect (OIDC) is a standard login protocol. Instead of NiFi managing its own passwords, it redirects users to your internal Identity Provider (IdP) to log in. Your IdP says "yes, this is a valid user" and sends NiFi a token. NiFi trusts that and lets the user in.

Every OIDC-compatible provider publishes a public JSON file describing itself its endpoints, what it supports, etc. This URL always ends with /.well-known/openid-configuration. NiFi fetches this URL at startup to learn how to talk to your provider. Example:

https://your-internal-idp.company.com/.well-known/openid-configuration

When you register NiFi as an "application" in your internal IdP, the IdP gives you two credentials a Client ID (like a username for the app) and a Client Secret (like a password for the app). NiFi uses these to prove to the IdP that it is a legitimate registered application.
Is Kubernetes required? The Cloudera/Kubernetes article you read uses kubectl create secret only because it runs NiFi inside Kubernetes, where secrets are managed that way. On a plain machine, you just put the Client ID and Secret directly into nifi.properties as plain text, or use NiFi's built-in encrypt-config tool for security.

Step-by-Step: Configure OIDC on Standalone NiFi (1.23 or 2.8)

Step 1 Register NiFi in your internal Identity Provider

Ask your IdP administrator to register a new OIDC client/application with:

Name: Apache NiFi (or anything descriptive)
Redirect URIs (these are mandatory)
https://<your-nifi-host>:<port>/nifi-api/access/oidc/callback
https://<your-nifi-host>:<port>/nifi-api/access/oidc/logout/callback
- Grant type: Authorization Code
Once registered, your IdP admin will give you:
- A Client ID (e.g nifi-client-prod)
- A Client Secret (a long random string)
- The Discovery URL (e.g. https://idp.company.com/.well-known/openid-configuration)
Verify the Discovery URL works by opening it in a browser you should see a JSON document.
Step 2 Ensure NiFi is running with TLS (HTTPS)
OIDC requires NiFi to run over HTTPS. It will not work on plain HTTP. Check your nifi.properties:
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=your_keystore_password
nifi.security.truststore=/path/to/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=your_truststore_password
If you don't have a keystore/truststore yet, NiFi ships with a tls-toolkit.sh (in the bin/ directory) that can generate them for testing.
Step 3 Edit conf/nifi.properties
Open <nifi-install-dir>/conf/nifi.properties in a text editor and set these properties:
# --- OIDC Authentication ---
nifi.security.user.oidc.discovery.url=https://your-internal-idp.company.com/.well-known/openid-configuration nifi.security.user.oidc.client.id=nifi-client-prod nifi.security.user.oidc.client.secret=your-client-secret-here nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs # The claim in the OIDC token that identifies the user (usually email or preferred_username) nifi.security.user.oidc.claim.identifying.user=email # Scope - 'openid email profile' covers most providers nifi.security.user.oidc.additional.scopes=email profile # Leave blank unless your provider requires a specific algorithm nifi.security.user.oidc.preferred.jwsalgorithm=
The nifi.security.user.oidc.discovery.url should be set to your provider's issuer endpoint with /.well-known/openid-configuration
The nifi.security.user.oidc.claim.identifying.user value depends on your provider ask your IdP admin which claim carries the unique username. Common values are email, preferred_username, or sub.
Step 4 Configure the Initial Admin in conf/authorizers.xml
NiFi needs to know which user gets admin rights on first startup. Open conf/authorizers.xml and find the <property name="Initial Admin Identity"> line inside the FileAccessPolicyProvider block:
<property name="Initial Admin Identity">your.email@company.com</property>
This value must exactly match the identity claim that NiFi will receive from your OIDC provider after login so if your provider sends email, put your email address here. If it sends preferred_username, put your username.
Step 5 Restart NiFi
cd /opt/nifi/nifi-current
./bin/nifi.sh restart
Watch the logs for errors:
tail -f logs/nifi-app.log
Step 6 Test the Login
When a user attempts to access NiFi, NiFi will redirect them to your identity provider to log in. After logging in, the provider sends NiFi a response containing the user's credentials, and NiFi authenticates the user.
Navigate to https://<your-nifi-host>:8443/nifi you should be redirected to your internal IdP login page instead of the NiFi login form.
Step 7 (Optional) Encrypt the Client Secret
Leaving a plain-text secret in nifi.properties is acceptable for testing but not ideal for production. NiFi ships with an encrypt-config tool

./bin/encrypt-config.sh \
-n conf/nifi.properties \
-o conf/nifi.properties \
-p your_master_password
This encrypts sensitive values in the file so they are not readable in plain text. Share your feedback

Happy Hadooping

question Re: How to configure oidc based login mechanism for NiFi in Support Questions

How to configure oidc based login mechanism for NiFi

Re: How to configure oidc based login mechanism for NiFi

Step-by-Step: Configure OIDC on Standalone NiFi (1.23 or 2.8)

Step 1 Register NiFi in your internal Identity Provider

Step 2 Ensure NiFi is running with TLS (HTTPS)

Step 3 Edit conf/nifi.properties

Step 4 Configure the Initial Admin in conf/authorizers.xml

Step 6 Test the Login

Step 7 (Optional) Encrypt the Client Secret