NiFi API OAuth authentication issue

New Contributor

We need help getting a token to execute the Apache NiFi API, which is running on Linux with OAuth authentication.

We have taken the two steps below.

  1. Get a token from the Microsoft OAuth API call, which gives us the token. <Success>
  2. Using the token from above, we try to get a token from the NiFi API call, which is not successful.
Example:

Step 1:

Token from Azure:

curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id={ClientID}" \
  -d "client_secret={ClientSecret}" \
  -d "scope={ClientID}/.default"

Result: Generated successful "{token}"

Step 2:

curl -X POST https://NIFIDnsName:9444/nifi-api/access/oidc/exchange \
     -H "Authorization: Bearer {token}"

Error:

Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm exp

 

 

nifi.properties file:

nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=*********************
nifi.security.user.oidc.client.secret=**********************
nifi.security.user.oidc.preferred.jwsalgorithm=RS256
nifi.security.user.oidc.additional.scopes=offline_access
nifi.security.user.oidc.claim.identifying.user=email
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.claim.groups=groups
nifi.security.user.oidc.truststore.strategy=JDK
nifi.security.user.oidc.token.refresh.window=60 secs
nifi.security.user.oidc.pkce.enabled=true
nifi.security.user.oidc.jwt.algorithm=RS256

Can you give us the steps to execute a simple NiFi API call against a NiFi instance that is running with OAuth authentication?

Community Manager

@RaoNEY Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho @Shelton  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator



Master Mentor

@RaoNEY 

The error message suggests that there's a JWT token algorithm mismatch: "An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm exp"

This typically happens when:

  1. The token you're receiving from Azure in Step 1 uses a signing algorithm that doesn't match what NiFi is expecting
  2. NiFi is configured to use RS256 algorithm (as shown in your nifi.properties), but the Azure token might be using a different algorithm

Verify token algorithm
First, check what algorithm your Azure token is using. You can decode your JWT token using tools like jwt.io to see the header which contains the algorithm (look for the "alg" field).

Modify your Azure token request
Azure AD OAuth tokens typically use RS256, but you may need to specify this explicitly in your Azure app registration settings.

Ensure correct token type
For NiFi OAuth/OIDC authentication, you need an ID token, not an access token. In your Step 1, you're requesting a client credentials grant which returns an access token. Instead, you need to:

# Modified Step 1 - Use authorization code flow to get ID token
curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id={ClientID}" \
  -d "client_secret={ClientSecret}" \
  -d "code={AuthorizationCode}" \
  -d "redirect_uri={RedirectURI}" \
  -d "scope=openid email profile"

Update NiFi properties: Ensure these settings match your Azure configuration:

# Make sure these settings are correct
nifi.security.user.oidc.jwt.algorithm=RS256
nifi.security.user.oidc.preferred.jwsalgorithm=RS256

Check Azure app registration
In your Azure portal, verify:
  • Redirect URI is properly set to your NiFi callback URL
  • The app has appropriate API permissions
  • Token configuration includes ID tokens

Complete Authentication Flow

For NiFi OAuth with Azure AD, the proper flow should be:

1. Initiate login via NiFi UI or using


2. This redirects to Microsoft login page, where user authenticates

3. After successful authentication, Azure redirects back to NiFi with an authorization code

4. NiFi exchanges this code for tokens automatically

5. If you're doing this programmatically, use the authorization code flow, not client credentials

The direct token exchange you're attempting in Step 2 might not be supported or requires specific configuration. NiFi typically handles the OIDC token exchange internally after receiving the authorization code.

happy hadooping
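As an added worked example for the "Verify token algorithm" and "Ensure correct token type" advice above (this is not code from the answer, the question, or the NiFi project): the script below decodes a JWT's header and payload the way jwt.io does, without verifying the signature, and compares them with the relevant nifi.properties settings. It reports the "alg" mismatch NiFi complains about in the question's error, checks that the token's "aud" contains the configured client id (the OIDC rule for an ID token), and checks that the claim NiFi uses to identify the user is present. The properties fragment, client id, and both sample tokens are constructed for the example; the dummy-signed tokens are only inspection input, not real Azure tokens.

```python
import base64
import json

# Constructed nifi.properties fragment: same keys as in the question, placeholder values.
NIFI_PROPERTIES = """\
nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
nifi.security.user.oidc.client.id=00000000-0000-0000-0000-000000000000
nifi.security.user.oidc.preferred.jwsalgorithm=RS256
nifi.security.user.oidc.claim.identifying.user=email
nifi.security.user.oidc.jwt.algorithm=RS256
"""


def parse_properties(text):
    """Parse key=value lines of a Java properties file (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS without checking the signature.
    Inspection only, like pasting the token into jwt.io: it proves nothing
    about who issued the token and must never be used to grant access."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_token_against_nifi(token, props):
    """Compare the token's header and claims with the NiFi OIDC settings and
    return a list of findings (an empty list means no mismatch was found)."""
    findings = []
    header, payload = decode_jwt_unverified(token)

    # 1. Signing algorithm: the question's error shows NiFi rejecting a JWS
    #    whose "alg" is not the configured one.
    expected_alg = props.get("nifi.security.user.oidc.jwt.algorithm")
    alg = header.get("alg")
    if alg != expected_alg:
        findings.append(
            f"alg mismatch: token header alg={alg!r}, "
            f"nifi.security.user.oidc.jwt.algorithm={expected_alg!r}"
        )

    # 2. Audience: an OIDC ID token is issued to the client, so "aud" must
    #    contain the client id NiFi is registered with.
    client_id = props.get("nifi.security.user.oidc.client.id")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        findings.append(f"aud mismatch: token aud={aud!r} does not include client id {client_id!r}")

    # 3. Identifying claim: NiFi maps the user from this claim ("email" in the question).
    user_claim = props.get("nifi.security.user.oidc.claim.identifying.user", "email")
    if user_claim not in payload:
        findings.append(f"missing claim: {user_claim!r} not present, NiFi cannot identify the user")

    return findings


def make_sample_token(header, payload):
    """Build a token with a dummy signature so the checks above have input.
    Constructed for this example; it is NOT a real Azure token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}.{enc({'sig': 'dummy'})}"


if __name__ == "__main__":
    props = parse_properties(NIFI_PROPERTIES)
    ok = make_sample_token(
        {"alg": "RS256", "typ": "JWT", "kid": "constructed-key-id"},
        {"aud": props["nifi.security.user.oidc.client.id"], "email": "user@example.com"},
    )
    bad = make_sample_token({"alg": "HS256", "typ": "JWT"}, {"aud": "api://other-app"})
    print("ok token:", check_token_against_nifi(ok, props))
    print("bad token:", check_token_against_nifi(bad, props))
```

To use it on a real token, paste the access token from Step 1 and, separately, an ID token obtained through the authorization code flow into check_token_against_nifi with your own nifi.properties text; the findings list shows which of the three settings the token disagrees with before you retry the exchange endpoint. The signature is deliberately not verified here, so treat the output as a diagnostic, not as a trust decision.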