OIDC With Azure AD

tyler_gregory — Fri, 16 Sep 2022 13:38:24 GMT

I've deployed a secured NiFi cluster on Kubernetes in Azure, and am attempting to configure OIDC against Azure AD for auth. I've created an app registration in AAD and configured the OIDC settings in nifi.properties as follows:

nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/dvn.onmicrosoft.com/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=a8d7d98f-588a-4e30-b93c-1730de5512b1
nifi.security.user.oidc.client.secret=*********************************
nifi.security.user.oidc.preferred.jwsalgorithm=

However, the login sequence always fails with:

 Purposed state does not match the stored state. Unable to continue login process.

Can anyone shed some light on what I might be doing wrong? Thanks

Re: OIDC With Azure AD

tyler_gregory — Tue, 28 Aug 2018 20:25:11 GMT

Turns out I'd misconfigured the proxy settings on the nginx ingress. The bearer token, and all state values for the OIDC login statemachine, are not replicated to the other cluster members. This means one must configure sticky sessions on the ingress.

question Re: OIDC With Azure AD in Archives of Support Questions (Read Only)

OIDC With Azure AD

Re: OIDC With Azure AD