Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

NIFI - Invalid scopes while connecting through OIDC

avatar
Contributor

Hi Team,

 

We are currently facing an issue in NIFI with OIDC as an authentication mechanism. Below is what we are seeing when NIFI URL redirects to OIDC(keycloak) url.

 

OIDC works perfectly well with 1.20.0 version but when upgraded to 1.21.0 we are getting below error.

 

ERROR: 

Unauthorized error="invalid_scope", error_description="Invalid scopes: openid address email web-origins profile user phone microprofile-jwt roles groups offline_access"

 Please suggest if there is any significant change made from 1.20.0 to 1.21.0 nifi oidc configuration which might have caused the issue.

 

Appreciate your help in advance.

3 REPLIES 3

avatar
New Contributor

Hi.  I had the same problem upgrading from 1.19.2.  Investigation shows that if you add all "Default Client Scopes" and "Optional Client Scopes" to the Keycloak Client-ID configuration as specified in the nifi.security.user.oidc.client.id then the error will be bypassed.  It appears NIFI is retrieving a list of all available client scopes for the client id, and expects them all to be assigned.  I tested this against Keycloak 18.0.2 and 20.0.5 and the behaviour is the same.  I suggest that this is a NIFI bug as we shouldn't be forced to assign all available client scopes to the client id

avatar
New Contributor

avatar
Contributor

Thank you Bryce. Appreciate your help in looking into this.