NIFI - Invalid scopes while connecting through OIDC

Contributor

Hi Team,

We are currently facing an issue in NIFI with OIDC as the authentication mechanism. Below is what we are seeing when the NIFI URL redirects to the OIDC (Keycloak) URL.

OIDC works perfectly well with version 1.20.0, but after upgrading to 1.21.0 we are getting the error below.

ERROR:

Unauthorized error="invalid_scope", error_description="Invalid scopes: openid address email web-origins profile user phone microprofile-jwt roles groups offline_access"

Please suggest whether any significant change was made to the NIFI OIDC configuration between 1.20.0 and 1.21.0 that might have caused the issue.

Appreciate your help in advance.

3 REPLIES

New Contributor

Hi. I had the same problem upgrading from 1.19.2. Investigation shows that if you add all "Default Client Scopes" and "Optional Client Scopes" to the Keycloak Client-ID configuration as specified in nifi.security.user.oidc.client.id, then the error will be bypassed. It appears NIFI is retrieving a list of all available client scopes for the client id, and expects them all to be assigned. I tested this against Keycloak 18.0.2 and 20.0.5 and the behaviour is the same. I suggest that this is a NIFI bug, as we shouldn't be forced to assign all available client scopes to the client id.
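
The reply above describes the failure as a mismatch between the scopes the client requests (everything the provider advertises) and the scopes actually assigned to the Keycloak client. The following script is an added diagnostic, not code from this thread, from NiFi or from Keycloak. It assumes, as a modelling simplification, that the requested list equals the provider's `scopes_supported` from the OIDC discovery document; the discovery document, the issuer URL and the client's default/optional scope sets are constructed sample data, chosen so the scope names match the error quoted in the question.

```python
"""Predict an OIDC ``invalid_scope`` rejection by comparing the scopes a
client would request against the scopes assigned to it on the provider."""
import json
import re

# Constructed sample: a trimmed Keycloak discovery document. The scope names
# mirror the error in the question; the issuer URL is a placeholder.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://keycloak.example.invalid/realms/demo",
    "scopes_supported": [
        "openid", "address", "email", "web-origins", "profile", "user",
        "phone", "microprofile-jwt", "roles", "groups", "offline_access",
    ],
})

# Constructed sample: what a client might carry under "Default Client Scopes"
# and "Optional Client Scopes" before every available scope is added by hand.
CLIENT_DEFAULT_SCOPES = {"openid", "profile", "email", "roles", "web-origins"}
CLIENT_OPTIONAL_SCOPES = {"address", "phone", "offline_access"}

# The error line quoted in the question, used to cross-check the model.
ERROR_LINE = ('Unauthorized error="invalid_scope", error_description='
              '"Invalid scopes: openid address email web-origins profile '
              'user phone microprofile-jwt roles groups offline_access"')


def advertised_scopes(discovery_json: str) -> set[str]:
    """Return the scopes a provider lists in scopes_supported."""
    doc = json.loads(discovery_json)
    return set(doc.get("scopes_supported", []))


def parse_invalid_scope_error(text: str) -> set[str]:
    """Extract the space-separated scope list from an invalid_scope
    error_description; returns an empty set if the text has another shape."""
    match = re.search(r'error_description="Invalid scopes:\s*([^"]*)"', text)
    if not match:
        return set()
    return set(match.group(1).split())


def unassigned_scopes(requested: set[str], default: set[str],
                      optional: set[str]) -> set[str]:
    """Scopes the client would request that are neither default nor optional
    on the provider side. A non-empty result is what produces invalid_scope;
    assigning exactly these scopes (or trimming the request) resolves it."""
    return requested - (default | optional)


def main() -> None:
    requested = advertised_scopes(DISCOVERY_DOC)
    from_error = parse_invalid_scope_error(ERROR_LINE)
    print("model matches scopes named in the error:", requested == from_error)
    missing = unassigned_scopes(requested, CLIENT_DEFAULT_SCOPES,
                                CLIENT_OPTIONAL_SCOPES)
    if missing:
        print("request would be rejected; unassigned scopes:", sorted(missing))
    else:
        print("every requested scope is assigned to the client")


if __name__ == "__main__":
    main()
```

Run against a real realm by replacing `DISCOVERY_DOC` with the body of `<issuer>/.well-known/openid-configuration` and the two scope sets with the client's actual assignments; the set difference names the scopes to add (or to stop requesting) rather than forcing every available scope onto the client.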

Contributor

Thank you Bryce. Appreciate your help in looking into this.