Support Questions

RRosa · ‎03-09-2023

How to configure OIDC authentication in nifi-registry 1.19.1?
When configuring secure access ssl + oidc does not display the UI when trying to access. In the log I don't see errors just warnings, one of them is this:
o.s.l.core.support.AbstractContextSource Property 'userDn' not set - anonymous context will be used for read-write operations

Is it possible to access this version through OIDC?

MattWho · ‎03-09-2023

@RRosa

That particular exceptions seems to point an issue with the ldap-provider configuration in your nifi-registry possible related to the manager DN property not being set.
Would need to see your nifi-registry.properties and authorizers.xml to provide more context around the above exception.

Yes, OIDC is supported in NiFi-Registry 1.19.1. When access in a secured (TLS/SSL Enabled) NiFi-Registry, the UI is displayed as the "anonymous" user. Only "public" buckets will be visible. In order to login via OIDC, you would need to click on the login via OIDC link in the UI.

OIDC properties:
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=5 secs
nifi.registry.security.user.oidc.read.timeout=5 secs
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=
nifi.registry.security.user.oidc.claim.identifying.user=

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

MattWho · ‎03-09-2023

@RRosa

That particular exceptions seems to point an issue with the ldap-provider configuration in your nifi-registry possible related to the manager DN property not being set.
Would need to see your nifi-registry.properties and authorizers.xml to provide more context around the above exception.

Yes, OIDC is supported in NiFi-Registry 1.19.1. When access in a secured (TLS/SSL Enabled) NiFi-Registry, the UI is displayed as the "anonymous" user. Only "public" buckets will be visible. In order to login via OIDC, you would need to click on the login via OIDC link in the UI.

OIDC properties:
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=5 secs
nifi.registry.security.user.oidc.read.timeout=5 secs
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=
nifi.registry.security.user.oidc.claim.identifying.user=

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

teriyatha · ‎12-12-2023

@MattWho
I managed to enable OIDC based authentication for Nifi - registry. However there are tow challenges post login.

1. After login via OIDC the user does have the necessary permissions. Getting the following message in the logs.
"Property 'userDn' not set - anonymous context will be used for read-write operations"

2. While trying to logout getting the following message in the browser:
"The 'post_logout_redirect_uri' parameter must be a Logout redirect URI in the client app settings:..."

Could you please let me know if there additional setting to address the above issues

Cloudera Community

Support Questions

Nifi-Registry OIDC