Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Connect Airflow to Nifi and access the Nifi-Api through an openId Keycloak connection token

avatar
Explorer

Hello,

I would like to connect my Airflow application with my Apache Nifi application though the Apache Nifi API. The aim is to let the Airflow orchestrate my entire flow.

My Apache Nifi authentication is made via the OpenId protocol on a Keycloak application so I first get a token via a call to the auth/realms/myrealms/protocol/openid-connect/token and then with the generated JWT, I call the nifi-api to catch some processors, passing the JWT as a bearer token, I have got the following error : 

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1

I tried the same curl call to the processor, using the token I get when I connect with the UserInterface, and I get a success. 

I supposed it may be due to the internal user policy of Nifi who rejecte me so I added username and email of the first token to the Nifi policy, but it change nothing. 

Does someone may help me please? 

Thanks 

1 ACCEPTED SOLUTION

avatar
Super Mentor

@bmoisson @Sumit6620 
When you authenticate via NiFi, there is both a client JWT token generated and a server side key  generated on the node on which the authentication was performed.  That Client JWT token can then be used to perform calls to rest-api endpoints on that node only for which that client is authorized.  

When you are obtaining your JWT token from an external authentication endpoint, NiFi won't have the server side token need to validate that token and thus rejects that token.

You can find the various methods of authentication that can be configured in Apache NiFi here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

3 REPLIES 3

avatar
New Contributor

I am also facing the same issue. Pls, help me.

avatar
Super Mentor

@bmoisson @Sumit6620 
When you authenticate via NiFi, there is both a client JWT token generated and a server side key  generated on the node on which the authentication was performed.  That Client JWT token can then be used to perform calls to rest-api endpoints on that node only for which that client is authorized.  

When you are obtaining your JWT token from an external authentication endpoint, NiFi won't have the server side token need to validate that token and thus rejects that token.

You can find the various methods of authentication that can be configured in Apache NiFi here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

avatar
New Contributor

i aslo face that problem can you provid code exmaple of the solution?