
NiFi cannot auth using OIDC Keycloak with proxy server


I launch a NiFi server using Docker, connected to an external Keycloak:

services:
  nifi:
    hostname: <IP>
    image: apache/nifi:latest
    environment:
      # OIDC login against the external Keycloak realm
      AUTH: oidc
      NIFI_SECURITY_USER_OIDC_DISCOVERY_URL: https://<keycloak_url>/realms/<realm>/.well-known/openid-configuration
      NIFI_SECURITY_USER_OIDC_CLIENT_ID: <client_id>
      NIFI_SECURITY_USER_OIDC_CLIENT_SECRET: <client_secret>
      NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES: email
      NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER: preferred_username
      NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY: NIFI
      NIFI_CLUSTER_NODE_PROTOCOL_PORT: 6007
      NIFI_SENSITIVE_PROPS_KEY: <key>
      # Single-user credentials
      SINGLE_USER_CREDENTIALS_USERNAME: admin
      SINGLE_USER_CREDENTIALS_PASSWORD: <pass>
      # HTTPS listener; NIFI_WEB_PROXY_HOST is the Host header value NiFi accepts from the proxy
      NIFI_WEB_HTTPS_HOST: <IP>
      NIFI_WEB_PROXY_HOST: <domain>
      NIFI_WEB_HTTPS_PORT: 8443
      # Keystore/truststore mounted from ./certs (see volumes below)
      KEYSTORE_PATH: /opt/certs/keystore.p12
      KEYSTORE_TYPE: PKCS12
      KEYSTORE_PASSWORD: <pass>
      TRUSTSTORE_PATH: /opt/certs/truststore.p12
      TRUSTSTORE_TYPE: PKCS12
      TRUSTSTORE_PASSWORD: <pass>
      # Authorizer and login identity provider
      NIFI_SECURITY_USER_AUTHORIZER: single-user-authorizer
      NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER: single-user-provider
      # Single-node cluster settings (environment values must be strings, so "true" is quoted)
      NIFI_CLUSTER_IS_NODE: "true"
      NIFI_CLUSTER_MANAGER_ADDRESS: zookeeper
      NIFI_CLUSTER_MANAGER_PORT: 2181
      NIFI_ZK_CONNECT_STRING: "localhost:2181"
      NIFI_ELECTION_MAX_CANDIDATES: 1
      NIFI_ELECTION_MAX_TIMEOUT: "10 sec"
    volumes:
      - nifi_conf:/opt/nifi/nifi-current/conf
      - nifi_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi_logs:/opt/nifi/nifi-current/logs
      - ./certs/keystore.p12:/opt/certs/keystore.p12
      - ./certs/truststore.p12:/opt/certs/truststore.p12
    network_mode: host

  nginx:
    image: nginx
    container_name: nginx
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/certs:/keys
    network_mode: host
    restart: unless-stopped

# Named volumes referenced by the nifi service
volumes:
  nifi_conf:
  nifi_content_repository:
  nifi_flowfile_repository:
  nifi_provenance_repository:
  nifi_database_repository:
  nifi_logs:

Using nginx as the proxy server:

# nginx requires an events block even when it is empty
events {}

http {
    server {
        listen 443 ssl;
        server_name <domain>;

        # Certificate presented to browsers for <domain>
        ssl_certificate     /keys/certificate.pem;
        ssl_certificate_key /keys/certificate.key;

        # Client certificate nginx presents to NiFi on the upstream TLS connection (mutual TLS)
        proxy_ssl_certificate     /keys/nifi.pem;
        proxy_ssl_certificate_key /keys/nifi.key;
        # CA used to verify NiFi's certificate; only applied when proxy_ssl_verify is on
        proxy_ssl_trusted_certificate /keys/nifi.pem;

        location / {
            proxy_set_header Host $http_host;
            # Headers NiFi uses to build client-facing (redirect/callback) URLs
            proxy_set_header X-ProxyScheme "https";
            proxy_set_header X-ProxyHost $host;
            proxy_set_header X-ProxyPort 8443;
            proxy_set_header X-ProxyContextPath "/";
            proxy_pass https://<IP>:8443;
        }
    }
}

From my local machine, if I access via the IP address, NiFi redirects me to Keycloak and authentication works with my Keycloak user.

If I access via the domain, I am already authenticated in NiFi with TLS (using the certificate from the proxy server, account "CN=<IP>, OU=...") without a redirect to Keycloak.

Can you explain the NiFi auth process to me, and what can I do so that I can authenticate to the NiFi server via the domain with OIDC Keycloak?

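Added example, not part of the original post: an nginx configuration for the setup described above with the upstream client certificate removed. NiFi's authentication chain evaluates a client certificate presented on the TLS connection before it considers an OIDC session, so when nginx presents nifi.pem as a client certificate every proxied request is authenticated as that certificate's DN (the "CN=<IP>" account seen above) and NiFi never redirects to Keycloak. Without proxy_ssl_certificate the proxied request carries no certificate and NiFi falls through to the OIDC login. The placeholders <domain>, <IP> and the file names are carried over from the post; that nifi.pem is the certificate NiFi's keystore presents (or its issuing CA), and that the Keycloak client lists https://<domain>/nifi-api/access/oidc/callback as a valid redirect URI, are assumptions.

```nginx
# Added example (not the poster's configuration): nginx in front of NiFi with OIDC login.
# Assumes nifi.pem is the certificate NiFi's keystore presents (or its issuing CA) and that
# https://<domain>/nifi-api/access/oidc/callback is a valid redirect URI on the Keycloak client.
events {}

http {
    server {
        listen 443 ssl;
        server_name <domain>;

        # Certificate the browser sees; must be issued for <domain>
        ssl_certificate     /keys/certificate.pem;
        ssl_certificate_key /keys/certificate.key;

        # No proxy_ssl_certificate / proxy_ssl_certificate_key here: a client certificate
        # presented to NiFi authenticates the proxy as that certificate's DN and OIDC is skipped.
        # Verify NiFi's server certificate instead of trusting the upstream blindly; nginx checks
        # the certificate name against the proxy_pass host (<IP>) by default.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /keys/nifi.pem;

        location / {
            proxy_pass https://<IP>:8443;

            # Host must match an entry in nifi.web.proxy.host (NIFI_WEB_PROXY_HOST: <domain>),
            # otherwise NiFi rejects the request as an invalid host header
            proxy_set_header Host $http_host;

            # NiFi builds the OIDC redirect and callback URLs from these headers, so they describe
            # the client-facing endpoint (https://<domain> on 443), not the upstream port 8443
            proxy_set_header X-ProxyScheme https;
            proxy_set_header X-ProxyHost   $host;
            proxy_set_header X-ProxyPort   443;
            # X-ProxyContextPath is only needed when NiFi is mounted below a sub-path
        }
    }
}
```

With this configuration the browser's request reaches NiFi without a client certificate, NiFi redirects to Keycloak, and Keycloak redirects back to https://<domain>/nifi-api/access/oidc/callback, which is why the callback URI must be registered on the Keycloak client and why X-ProxyPort must be the proxy's port rather than 8443. If the proxy is meant to keep a client certificate for its own identity, NiFi instead expects the end user in an X-ProxiedEntitiesChain header and the proxy's DN to be authorized as a proxy, which is a different deployment model from the OIDC login asked about here.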