Nifi invalid access token rest api
Labels: Apache NiFi
Created ‎09-29-2022 12:32 PM
Hello Everyone,
We are triggering our NiFi processors (version 1.16.2, LDAP integrated) through curl within a cron job. Curl is invoking the processor using an access token (as we moved from HTTP calls to HTTPS).
Generating the access token:
curl "https://$hostip:$port/nifi-api/access/token" -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' --data "username=${ldapusername}&password=${ldappassword}" --compressed --insecure
Curl invoking the NiFi processor using the access token stored in the variable $nifi_token:
curl -i -H 'Content-Type: application/json' -H "Authorization: Bearer $nifi_token" -X PUT -d '{"id":"'"${processorid}"'","state":"STOPPED"}' "https://$hostip:$port/nifi-api/flow/process-groups/$processorid" --insecure
But it is failing due to token expiration:
WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Expired JWT", error_uri="https://tools.ietf.org/html/rfc6750#section Server: Jetty(9.4.46.v20220331)
How can we set this access token to not expire?
Or can we not use an access token and instead use LDAP credentials within the curl script to invoke the NiFi processors?
We tried modifying the "nifi.security.user.jws.key.rotation.period" property to set the expiration duration in nifi.properties, following:
https://exceptionfactory.com/posts/2021/10/23/improving-jwt-authentication-in-apache-nifi/
https://en.wikipedia.org/wiki/ISO_8601#Durations
https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
but still it fails and the curl is unable to trigger the Nifi processor.
Thank you in advance !
Created ‎09-30-2022 02:31 PM
@KD9 How long the NiFi server will validate a client's token is configured within the login-identity-providers.xml file via the following property:
Authentication Expiration
When setting up an automated process, using client tokens is not the best method. A better option would be to authenticate your client via a client certificate. With a client certificate, there is no need to obtain a token. That client certificate will continue to work for the life of the certificate (certificates do have a valid-until date set when you generate the certificate). So instead of passing a bearer token in your curl command, you would use your client PEM key. The owner DN from the client certificate would be used as the user identity that you would then need to authorize in NiFi for the rest-api endpoint(s) needed for your automation.
If you found that the provided solution(s) assisted you with your query, please take a moment to log in and click Accept as Solution below each response that helped.
Thank you,
Matt
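An added example, not part of either post above and not NiFi's own code: a POSIX shell check that reads the `exp` claim from the bearer token so the cron script can tell, before calling the REST API, that the token is about to be rejected as "Expired JWT". The function names and the unsigned sample token are constructed for illustration; the check does not verify the token's signature.

```sh
#!/bin/sh
# Added example (constructed): read the exp claim of a JWT locally so a cron
# job can request a new token before NiFi answers "Expired JWT".
# The signature is not verified; this is a freshness check only.

# Decode one base64url segment ('-' and '_' alphabet, '=' padding dropped).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) return 1 ;;   # impossible length for base64
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the exp claim (seconds since the epoch) of header.payload.signature.
jwt_exp() {
  local rest payload exp
  case $1 in
    *.*.*.*) return 1 ;;   # more than three segments
    *.*.*)   ;;
    *)       return 1 ;;   # fewer than three segments
  esac
  rest=${1#*.}
  payload=${rest%%.*}
  exp=$(b64url_decode "$payload" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || return 1
  printf '%s\n' "$exp"
}

# Succeed when the token stays valid for $2 more seconds, judged at time $3.
jwt_is_fresh() {
  local exp margin now
  margin=${2:-60}
  now=${3:-$(date +%s)}
  exp=$(jwt_exp "$1") || return 1
  [ $(( $exp - $now )) -ge "$margin" ]
}

# Constructed, unsigned sample token carrying the exp value given as $1.
sample_token() {
  local p
  p=$(printf '{"sub":"cron","exp":%s}' "$1" | base64 | tr '/+' '_-' | tr -d '=\n')
  printf 'e30.%s.sig\n' "$p"
}
```

In the cron script, `jwt_is_fresh "$nifi_token" || ...` can gate the processor call and re-run the token request from the question when it fails.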
