NiFi Registry OIDC: IllegalArgumentException (RS256 vs HS256) when passing Keycloak Access Token directly to API


Environment:
NiFi Registry: [2.4.0]
Deployment: Kubernetes, Helm, Zarf
Authentication: OIDC via Keycloak
Client: Golang automation job running in the cluster

Goal: I am running a Golang job in Kubernetes to perform initial configuration of the NiFi Registry (creating buckets/flows). The job fetches an Access Token from Keycloak and sends it in the Authorization: Bearer header to the Registry API endpoint: GET /nifi-registry-api/access.

Issue: The request fails with a 401, and the NiFi Registry logs show an IllegalArgumentException indicating an algorithm mismatch in the JWT signature validation.

The logs related to this request are attached.

Analysis of these logs:

The Access Token issued by Keycloak is signed using RS256 (asymmetric RSA), which requires a public key to verify. However, the stack trace explicitly shows an IllegalArgumentException stating that the validation logic cannot handle asymmetric algorithms. It seems that the Registry's JwtIdentityProvider is attempting to validate the incoming token using HMAC.

We don't see this mismatch with NiFi itself, only the NiFi Registry. We are able to do configuration and setup on the NiFi application, but when trying to access NiFi Registry with a token from Keycloak, we see this token error.

Is there a way to configure the Registry to accept RS256 tokens? Is there an alternative approach to making requests against the NiFi Registry using some sort of service account? We need to have the NiFi Registry configured with Keycloak, but we also need this configuration job to run at deployment time to do setup. We won't have users created through the UI yet that we can leverage.

I can also post the decoded token contents if that helps, but it seems like it's an issue with the actual token signing algorithms and not the content of the token. At least that's my assumption.


Hello @TyTheNiFiGuy

Thanks for being part of our community. 

I have checked, and NiFi Registry does not have support for asymmetric RSA algorithms such as RS256.
That is a limitation in itself, and not a problem in your token.

The log does tell this:

2026-01-02 18:22:27,220 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut Caused by: java.lang.IllegalArgumentException: The default resolveSigningKey(JwsHeader, Claims) implementation cannot be used for asymmetric key algorithms (RSA, Elliptic Curve).  Override the resolveSigningKey(JwsHeader, Claims) method instead and return a Key instance appropriate for the RS256 algorithm.

Checking the code, I see that only HS256 is supported:
private static final MacAlgorithm SIGNATURE_ALGORITHM = Jwts.SIG.HS256;
https://github.com/apache/nifi/blob/9998b6d9ce21a66db240ff6131fc882002285e8b/nifi-registry/nifi-regi... 


Regards,
Andrés Fallas
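An added Go example, not code from this thread or from NiFi Registry, that makes the mismatch described above concrete: SigningAlg reads the alg header of a token the way the Go setup job could before calling the Registry, and VerifyHS256 models an HS256-only validator that rejects an RS256 token at the algorithm check, before any signature bytes are compared. The secret, kid and payload values are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// SigningAlg returns the "alg" field of a compact JWS header without verifying anything,
// so the setup job can see what it is about to send instead of learning it from a 401.
func SigningAlg(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("not a compact JWS: got %d segments, want 3", len(parts))
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("decode JWS header: %w", err)
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &h); err != nil || h.Alg == "" {
		return "", fmt.Errorf("JWS header has no usable alg field")
	}
	return h.Alg, nil
}

// VerifyHS256 behaves like an HS256-only validator: an RS256 token is rejected at the
// alg check before any signature bytes are compared, which is the failure in the thread.
// The shared secret is whatever the validator was configured with (constructed here).
func VerifyHS256(token string, secret []byte) (bool, error) {
	alg, err := SigningAlg(token)
	if err != nil {
		return false, err
	}
	if alg != "HS256" {
		return false, fmt.Errorf("alg %s: validator supports HS256 only", alg)
	}
	parts := strings.Split(token, ".")
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	return err == nil && hmac.Equal(sig, mac.Sum(nil)), err
}
```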