Support Questions

Find answers, ask questions, and share your expertise

OIDC With Azure AD

avatar
New Contributor

I've deployed a secured NiFi cluster on Kubernetes in Azure, and am attempting to configure OIDC against Azure AD for auth. I've created an app registration in AAD and configured the OIDC settings in nifi.properties as follows:

nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/dvn.onmicrosoft.com/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=a8d7d98f-588a-4e30-b93c-1730de5512b1
nifi.security.user.oidc.client.secret=*********************************
nifi.security.user.oidc.preferred.jwsalgorithm=

However, the login sequence always fails with:

 Purposed state does not match the stored state. Unable to continue login process.

Can anyone shed some light on what I might be doing wrong? Thanks

1 ACCEPTED SOLUTION

avatar
New Contributor

Turns out I'd misconfigured the proxy settings on the nginx ingress. The bearer token, and all state values for the OIDC login statemachine, are not replicated to the other cluster members. This means one must configure sticky sessions on the ingress.

View solution in original post

1 REPLY 1

avatar
New Contributor

Turns out I'd misconfigured the proxy settings on the nginx ingress. The bearer token, and all state values for the OIDC login statemachine, are not replicated to the other cluster members. This means one must configure sticky sessions on the ingress.