How to configure oidc based login mechanism for NiFi

Rising Star

Hello, I need help setting up an OIDC-based login mechanism for NiFi. I came across this article https://docs.cloudera.com/cfm-operator/2.10.0/configure-nifi-cr/topics/cfm-op-configure-nifi-cr-oidc...

but I want to know how to do it for some provider other than Keycloak. I have an internal provider. Also, when I read this article I saw some terms like Discovery URL and "The clientID and clientSecret fields are provided to NiFi in a Kubernetes secret. Create that secret with the following command:

kubectl create secret generic oidc-client-secret --from-literal=clientID=[***YOUR CLIENT ID***] --from-literal=clientSecret=[***YOUR CLIENT SECRET***]

I am quite new to these terms and wanted to know how to do it in NiFi. Is Kubernetes required? I have installed both NiFi 1.23 and NiFi 2.8 on a simple machine.

1 REPLY 1

Master Mentor

@AlokKumar 

OpenID Connect (OIDC) is a standard login protocol. Instead of NiFi managing its own passwords, it redirects users to your internal Identity Provider (IdP) to log in. Your IdP says "yes, this is a valid user" and sends NiFi a token. NiFi trusts that and lets the user in.

Every OIDC-compatible provider publishes a public JSON file describing itself: its endpoints, what it supports, etc. This URL always ends with /.well-known/openid-configuration. NiFi fetches this URL at startup to learn how to talk to your provider. Example:

When you register NiFi as an "application" in your internal IdP, the IdP gives you two credentials: a Client ID (like a username for the app) and a Client Secret (like a password for the app). NiFi uses these to prove to the IdP that it is a legitimate registered application.

Is Kubernetes required? The Cloudera/Kubernetes article you read uses kubectl create secret only because it runs NiFi inside Kubernetes, where secrets are managed that way. On a plain machine, you just put the Client ID and Secret directly into nifi.properties as plain text, or use NiFi's built-in encrypt-config tool for security.

Step-by-Step: Configure OIDC on Standalone NiFi (1.23 or 2.8)

Step 1  Register NiFi in your internal Identity Provider

Ask your IdP administrator to register a new OIDC client/application with:

  • Name: Apache NiFi (or anything descriptive)
  • Redirect URIs (these are mandatory):
    https://<your-nifi-host>:<port>/nifi-api/access/oidc/callback
    https://<your-nifi-host>:<port>/nifi-api/access/oidc/logout/callback
  • Grant type: Authorization Code

Once registered, your IdP admin will give you:

Verify the Discovery URL works by opening it in a browser; you should see a JSON document.

Step 2  Ensure NiFi is running with TLS (HTTPS)

OIDC requires NiFi to run over HTTPS. It will not work on plain HTTP. Check your nifi.properties:

nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=your_keystore_password
nifi.security.truststore=/path/to/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=your_truststore_password

If you don't have a keystore/truststore yet, NiFi ships with a tls-toolkit.sh (in the bin/ directory) that can generate them for testing.

Step 3  Edit conf/nifi.properties

Open <nifi-install-dir>/conf/nifi.properties in a text editor and set these properties:

# --- OIDC Authentication ---
nifi.security.user.oidc.discovery.url=https://your-internal-idp.company.com/.well-known/openid-configuration
nifi.security.user.oidc.client.id=nifi-client-prod
nifi.security.user.oidc.client.secret=your-client-secret-here
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
# The claim in the OIDC token that identifies the user (usually email or preferred_username)
nifi.security.user.oidc.claim.identifying.user=email
# Scope - 'openid email profile' covers most providers
nifi.security.user.oidc.additional.scopes=email profile
# Leave blank unless your provider requires a specific algorithm
nifi.security.user.oidc.preferred.jwsalgorithm=

The nifi.security.user.oidc.discovery.url should be set to your provider's issuer endpoint with /.well-known/openid-configuration appended.

The nifi.security.user.oidc.claim.identifying.user value depends on your provider; ask your IdP admin which claim carries the unique username. Common values are email, preferred_username, or sub.

Step 4  Configure the Initial Admin in conf/authorizers.xml

NiFi needs to know which user gets admin rights on first startup. Open conf/authorizers.xml and find the <property name="Initial Admin Identity"> line inside the FileAccessPolicyProvider block:

<property name="Initial Admin Identity">your.email@company.com</property>

This value must exactly match the identity claim that NiFi will receive from your OIDC provider after login, so if your provider sends email, put your email address here. If it sends preferred_username, put your username.

Step 5  Restart NiFi

cd /opt/nifi/nifi-current
./bin/nifi.sh restart

Watch the logs for errors:

tail -f logs/nifi-app.log

Step 6  Test the Login

When a user attempts to access NiFi, NiFi will redirect them to your identity provider to log in. After logging in, the provider sends NiFi a response containing the user's credentials, and NiFi authenticates the user.

Navigate to https://<your-nifi-host>:8443/nifi; you should be redirected to your internal IdP login page instead of the NiFi login form.

Step 7 (Optional)  Encrypt the Client Secret

Leaving a plain-text secret in nifi.properties is acceptable for testing but not ideal for production. NiFi ships with an encrypt-config tool:

./bin/encrypt-config.sh \
-n conf/nifi.properties \
-o conf/nifi.properties \
-p your_master_password

This encrypts sensitive values in the file so they are not readable in plain text.

Happy Hadooping
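A preflight check for the standalone setup described in the reply above, added here as an example; it is not code from the original post or from Apache NiFi. It assumes only the nifi.properties keys quoted in Step 3 and the Initial Admin Identity property from Step 4. The nifi.properties fragment, discovery document, authorizers.xml fragment and ID-token claims embedded in it are constructed samples (idp.example.internal, alice@example.internal are placeholders, not real systems). It catches three things the steps depend on but the steps do not spell out: nifi.web.http.port must be left blank once HTTPS is configured, the discovery document's issuer must match the discovery URL (NiFi validates the token's iss against it), and the Initial Admin Identity must equal the identifying claim exactly, including letter case, because NiFi compares identities as plain strings unless an identity mapping lowercases them.

```python
"""Preflight checks for a standalone NiFi OIDC configuration (added example)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
OIDC_PREFIX = "nifi.security.user.oidc."


def parse_properties(text):
    """Parse Java-style key=value lines, ignoring comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return the TLS and OIDC problems found in a parsed nifi.properties."""
    issues = []
    if props.get("nifi.web.http.port"):
        issues.append("nifi.web.http.port must be empty: OIDC needs HTTPS only")
    for key in ("nifi.web.https.port", "nifi.security.keystore", "nifi.security.truststore"):
        if not props.get(key):
            issues.append(f"{key} is not set; OIDC requires HTTPS")
    url = props.get(OIDC_PREFIX + "discovery.url", "")
    if urlparse(url).scheme != "https" or not url.endswith(DISCOVERY_SUFFIX):
        issues.append("discovery.url must use https and end with " + DISCOVERY_SUFFIX)
    for key in ("client.id", "client.secret", "claim.identifying.user"):
        if not props.get(OIDC_PREFIX + key):
            issues.append(f"{OIDC_PREFIX}{key} is not set")
    return issues


def check_discovery(doc, discovery_url, claim):
    """Validate the provider metadata NiFi fetches at startup."""
    issues = []
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field not in doc:
            issues.append(f"discovery document lacks {field}")
    # OIDC Discovery: the document is served at <issuer>/.well-known/openid-configuration
    if doc.get("issuer") and doc["issuer"].rstrip("/") + DISCOVERY_SUFFIX != discovery_url:
        issues.append("issuer does not match the discovery URL; token validation will fail")
    if "code" not in doc.get("response_types_supported", []):
        issues.append("provider does not advertise the authorization code flow")
    if "claims_supported" in doc and claim not in doc["claims_supported"]:
        issues.append(f"provider does not advertise the {claim} claim")
    return issues


def check_initial_admin(authorizers_xml, token_claims, claim):
    """The Initial Admin Identity must equal the identifying claim NiFi receives."""
    admin = None
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            admin = (prop.text or "").strip()
    if not admin:
        return ["Initial Admin Identity is not set"]
    if claim not in token_claims:
        return [f"token has no {claim} claim; NiFi cannot identify the user"]
    if token_claims[claim] != admin:  # case-sensitive, like NiFi's own comparison
        return [f"Initial Admin Identity {admin!r} != token {claim} {token_claims[claim]!r}"]
    return []


# Constructed samples; the HTTP port and the admin's letter case are wrong on purpose.
SAMPLE_PROPERTIES = """
# constructed sample nifi.properties fragment
nifi.web.http.port=8080
nifi.web.https.port=8443
nifi.security.keystore=/opt/nifi/conf/keystore.p12
nifi.security.truststore=/opt/nifi/conf/truststore.p12
nifi.security.user.oidc.discovery.url=https://idp.example.internal/realms/nifi/.well-known/openid-configuration
nifi.security.user.oidc.client.id=nifi-client-prod
nifi.security.user.oidc.client.secret=REPLACE_ME
nifi.security.user.oidc.claim.identifying.user=email
"""
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.internal/realms/nifi",
  "authorization_endpoint": "https://idp.example.internal/realms/nifi/protocol/openid-connect/auth",
  "token_endpoint": "https://idp.example.internal/realms/nifi/protocol/openid-connect/token",
  "jwks_uri": "https://idp.example.internal/realms/nifi/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token"],
  "claims_supported": ["sub", "email", "preferred_username"]
}""")
SAMPLE_AUTHORIZERS = """<authorizers><accessPolicyProvider>
  <identifier>file-access-policy-provider</identifier>
  <property name="Initial Admin Identity">alice@example.internal</property>
</accessPolicyProvider></authorizers>"""
SAMPLE_TOKEN_CLAIMS = {"sub": "3f2a", "email": "Alice@example.internal", "preferred_username": "alice"}


def preflight(props_text=SAMPLE_PROPERTIES, discovery=SAMPLE_DISCOVERY,
              authorizers=SAMPLE_AUTHORIZERS, claims=SAMPLE_TOKEN_CLAIMS):
    """Run all checks and return the list of findings (empty means ready to restart)."""
    props = parse_properties(props_text)
    claim = props.get(OIDC_PREFIX + "claim.identifying.user", "")
    issues = check_properties(props)
    issues += check_discovery(discovery, props.get(OIDC_PREFIX + "discovery.url", ""), claim)
    issues += check_initial_admin(authorizers, claims, claim)
    return issues


if __name__ == "__main__":
    for issue in preflight():
        print("-", issue)
```

Run it against your own files by passing the contents of conf/nifi.properties, the JSON fetched from the Discovery URL, conf/authorizers.xml and the claims of a decoded ID token to preflight(); with the constructed samples it reports the stray HTTP port and the case mismatch between alice@example.internal and the token's email value.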