NiFi API OAuth authentication issue
Labels: Apache NiFi
Created 03-19-2025 02:51 PM
We need help getting a token to execute the Apache NiFi API, which is running on Linux with OAuth authentication.
These are the two steps we have taken:
- Get a token from the Microsoft OAuth API call, which gives us the token. <Success>
- Using the token above, we try to get a token from the NiFi API call, which is not successful.
Example:
Step 1:
Token from Azure:
curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id={ClientID}" \
-d "client_secret={ClientSecret}" \
-d "scope={ClientID}/.default"
Result: successfully generated "{token}"
Step 2:
curl -X POST https://NIFIDnsName:9444/nifi-api/access/oidc/exchange \
-H "Authorization: Bearer {token}"
Error:
Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm exp
nifi.properties file:
nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=*********************
nifi.security.user.oidc.client.secret=**********************
nifi.security.user.oidc.preferred.jwsalgorithm=RS256
nifi.security.user.oidc.additional.scopes=offline_access
nifi.security.user.oidc.claim.identifying.user=email
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.claim.groups=groups
nifi.security.user.oidc.truststore.strategy=JDK
nifi.security.user.oidc.token.refresh.window=60 secs
nifi.security.user.oidc.pkce.enabled=true
nifi.security.user.oidc.jwt.algorithm=RS256
Can you help us with the steps to execute a simple NiFi API call against an instance running OAuth authentication?
Created 03-19-2025 04:38 PM
@RaoNEY Welcome to the Cloudera Community!
To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho @Shelton who may be able to assist you further.
Please keep us updated on your post, and we hope you find a satisfactory solution to your query.
Regards,
Diana Torres, Community Moderator
Created on 03-20-2025 01:47 PM - edited 03-20-2025 01:48 PM
The error message suggests that there's a JWT token algorithm mismatch: "An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm exp"
This typically happens when:
- The token you're receiving from Azure in Step 1 uses a signing algorithm that doesn't match what NiFi is expecting
- NiFi is configured to use RS256 algorithm (as shown in your nifi.properties), but the Azure token might be using a different algorithm
Verify token algorithm
First, check what algorithm your Azure token is using. You can decode your JWT token using tools like jwt.io to see the header which contains the algorithm (look for the "alg" field).
Modify your Azure token request
Azure AD OAuth tokens typically use RS256, but you may need to specify this explicitly in your Azure app registration settings.
Ensure correct token type
For NiFi OAuth/OIDC authentication, you need an ID token, not an access token. In your Step 1, you're requesting a client credentials grant which returns an access token. Instead, you need to:
curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id={ClientID}" \
-d "client_secret={ClientSecret}" \
-d "code={AuthorizationCode}" \
-d "redirect_uri={RedirectURI}" \
-d "scope=openid email profile"
Update NiFi properties: Ensure these settings match your Azure configuration:
nifi.security.user.oidc.jwt.algorithm=RS256
nifi.security.user.oidc.preferred.jwsalgorithm=RS256
In your Azure portal, verify:
- Redirect URI is properly set to your NiFi callback URL
- The app has appropriate API permissions
- Token configuration includes ID tokens
Complete Authentication Flow
For NiFi OAuth with Azure AD, the proper flow should be:
1. Initiate login via NiFi UI or using
2. This redirects to Microsoft login page, where user authenticates
3. After successful authentication, Azure redirects back to NiFi with an authorization code
4. NiFi exchanges this code for tokens automatically
5. If you're doing this programmatically, use the authorization code flow, not client credentials
The direct token exchange you're attempting in Step 2 might not be supported or requires specific configuration. NiFi typically handles the OIDC token exchange internally after receiving the authorization code.
happy hadooping
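The two checks the reply recommends (read the "alg" in the JWT header, and tell an access token apart from an ID token) can be done offline without pasting a live token into a website. The following script is an added example, not code from the original thread or from NiFi; the sample tokens, tenant and client id values are constructed, the signature segment is a placeholder, and the "roles"/"scp" heuristic is an assumption about typical Azure AD token shapes.

```python
import base64
import json

NIFI_EXPECTED_ALG = "RS256"  # matches nifi.security.user.oidc.jwt.algorithm on the page


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_jwt(token: str) -> dict:
    """Decode a JWT WITHOUT verifying it and summarise the fields NiFi cares about.

    Diagnostic only: the signature is never checked, so this tells you what the
    identity provider issued, it does not establish that the token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    alg = header.get("alg")
    # Assumption: an access token issued for an API (client credentials or
    # delegated) carries 'roles' or 'scp'; an OIDC ID token instead carries
    # user-facing claims such as 'email' and is addressed to the client app.
    return {
        "alg": alg,
        "alg_matches_nifi": alg == NIFI_EXPECTED_ALG,
        "iss": claims.get("iss"),
        "aud": claims.get("aud"),
        "email": claims.get("email"),
        "looks_like_access_token": "roles" in claims or "scp" in claims,
    }


def make_sample_token(header: dict, claims: dict) -> str:
    """Build a constructed, unsigned sample token; the third segment is a placeholder."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


_HDR = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
_ISS = "https://login.microsoftonline.com/example-tenant/v2.0"
# Constructed: what a client_credentials grant (Step 1 in the question) tends to return.
SAMPLE_ACCESS_TOKEN = make_sample_token(_HDR, {"iss": _ISS, "aud": "example-client-id", "roles": ["Nifi.Access"]})
# Constructed: what an authorization_code flow with scope=openid email returns as id_token.
SAMPLE_ID_TOKEN = make_sample_token(_HDR, {"iss": _ISS, "aud": "example-client-id", "email": "user@example.com"})
```

Run `inspect_jwt(...)` on the real token from Step 1 and compare "alg" with the nifi.properties value; a result with looks_like_access_token set is the client-credentials access token the reply says NiFi's OIDC login does not accept.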
