Azure AD based authentication for Nifi rest API

New Contributor

Hi,

I was trying to enable Azure AD based OIDC authentication for the Apache NiFi REST API when accessing it from a daemon service. I registered the app in Azure AD, generated a bearer token and tried passing it to the NiFi REST API, but got the following error:

"Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

The token was generated with the grant type "client_credentials". Does the NiFi OIDC implementation support this flow? If yes, why am I getting the error and how can I solve it? Thanks


Community Manager

@theKiteRunner, Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @cotopaul @SAMSAL @steven-matison who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.

Regards,

Vidya Sargur,
Community Manager


Master Mentor

@theKiteRunner
NiFi token based OIDC authentication generates a token that is only valid for the NiFi instance on which the token was obtained. There are really two tokens in play here: the client token issued for the authenticating user, stored with the browser, and a corresponding server side token stored in NiFi.
If you have a NiFi cluster set up with a load balancer in front of your cluster's NiFi nodes, you'll need to make sure you have sticky sessions (also known as session persistence) set up in your load balancer. So when you authenticate with NiFi node A and get a client token, the sticky sessions will make sure all follow-on requests continue to route to node A instead of other nodes in the NiFi cluster.

It sounds like you obtained a user token directly from Azure AD without going through NiFi's URL, or you don't have sticky sessions set up, resulting in the subsequent requests after Azure AD auth routing to a different NiFi node. This would result in the "no matching key(s) found" exception when the client JWT token is sent to a NiFi node that does not have the corresponding server token.
If the OIDC properties are configured correctly in NiFi, when you try to access the NiFi URL without a client token, it should redirect you to the configured OIDC discovery URL. Once you authenticate, your browser obtains a client token and the NiFi node that redirected you to your Azure AD OIDC URL will store the corresponding server side token.


Thank you,

Matt
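The error quoted in the question ("Another algorithm expected, or no matching key(s) found") is what a resource server reports when the `alg` or `kid` in the JWT header does not line up with any key it is prepared to verify against. The following is an added diagnostic, not code from the original post, from NiFi or from Azure AD: it decodes the header and claims of a compact JWS without verifying the signature and reports which of `alg`, `kid` and `aud` fail to match a given JWKS. The token, the JWKS entries, the `kid` values and the `api://nifi` audience are all constructed for this example. To run the same check against a live setup, paste in the real bearer token and fetch the real JWKS from the `jwks_uri` listed in the issuer's OIDC discovery document. Note that, as the reply above describes, NiFi's OIDC login issues its own client token, so a token minted directly by Azure AD is not expected to match NiFi's keys in the first place; this script tells you what the mismatch looks like rather than fixing it.

```python
"""Diagnose a 'Signed JWT rejected: ... no matching key(s) found' response.

Added example (not from the forum post, NiFi or Azure AD). Decodes a JWT
header/claims WITHOUT signature verification and compares them against a JWKS.
All tokens and keys below are constructed sample data.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_parts(token: str) -> tuple:
    """Split a compact JWS into (header, claims, signature bytes). No verification."""
    segments = token.strip().split(".")
    if len(segments) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(segments)}")
    header = json.loads(b64url_decode(segments[0]))
    claims = json.loads(b64url_decode(segments[1]))
    return header, claims, b64url_decode(segments[2])


def diagnose(token: str, jwks: dict, expected_alg: str, expected_aud: str) -> list:
    """Return the reasons a resource server holding `jwks` would reject the token's
    header/claims. An empty list means alg, kid and aud line up; it does NOT mean
    the signature was verified (this script never checks signatures)."""
    header, claims, _sig = jwt_parts(token)
    problems = []
    alg, kid = header.get("alg"), header.get("kid")
    if alg != expected_alg:
        problems.append(f"alg {alg!r} != expected {expected_alg!r}")
    # Index the JWKS by kid; keys without a kid cannot be matched by header lookup.
    keys = {k["kid"]: k for k in jwks.get("keys", []) if k.get("kid")}
    if kid is None:
        problems.append("header has no kid, so no JWKS key can be selected")
    elif kid not in keys:
        problems.append(f"kid {kid!r} not in JWKS (known: {sorted(keys)})")
    else:
        key = keys[kid]
        if key.get("alg") not in (None, alg):
            problems.append(f"key {kid!r} is for alg {key['alg']!r}, token uses {alg!r}")
        if key.get("use") not in (None, "sig"):
            problems.append(f"key {kid!r} has use={key['use']!r}, not a signing key")
    # Generic OAuth resource-server audience check (aud may be a string or a list).
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    return problems


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed test token: real header/claims encoding, placeholder signature."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 32),
    ])


# Constructed sample data: the key material is not a real RSA key.
OLD_JWKS = {"keys": [{"kty": "RSA", "kid": "k-2023", "use": "sig", "n": "AQ", "e": "AQAB"}]}
ROTATED_JWKS = {"keys": [
    {"kty": "RSA", "kid": "k-2023", "use": "sig", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "kid": "k-2024", "use": "sig", "n": "AQ", "e": "AQAB"},
]}
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "k-2024", "typ": "JWT"},
    {"iss": "https://login.example/v2.0", "aud": "api://nifi", "sub": "sp-1"},
)


if __name__ == "__main__":
    for label, jwks in (("stale JWKS", OLD_JWKS), ("rotated JWKS", ROTATED_JWKS)):
        issues = diagnose(SAMPLE_TOKEN, jwks, "RS256", "api://nifi")
        print(f"{label}: {'compatible' if not issues else '; '.join(issues)}")
```

Run it with a real token and the real JWKS: an empty result means the header points at a key the resource server actually holds and the audience is right, so the remaining suspects are the signature itself or, in a NiFi cluster, the request landing on a node other than the one that issued the token.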