Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

trying to authenticate nifi with openID using google oAuth and getting an error.

avatar
Explorer

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://accounts.google.com/.well-known/openid-configuration": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;

this is error which im getting

my nifi.properties file is as follows :-

 

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=tyiImfLpqM5/qX1l0VsjK7sxhQx5YZFOZgstogGz8Ek
nifi.security.keyPasswd=tyiImfLpqM5/qX1l0VsjK7sxhQx5YZFOZgstogGz8Ek
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=vFF0nH+45S5ESohcQsH37s/bqJ/Kmy5RiHpL+ZWo2VU
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

# OpenId Connect SSO Properties #
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=/*my generated client id*/
nifi.security.user.oidc.client.secret=/*my generated client secret*/
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.additional.scopes=offline_access
nifi.security.user.oidc.claim.identifying.user=
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.claim.groups=groups
nifi.security.user.oidc.truststore.strategy=JDK
nifi.security.user.oidc.token.refresh.window=60 secs
 
authorizers.xml is as follows:-
 
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">myemailID@gmail.c</property>
</userGroupProvider>
 
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">myemailID@gmail.com</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>
 
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
 
Screenshot 2023-10-31 at 4.31.07 PM.pngScreenshot 2023-10-31 at 4.31.15 PM.png
 
i also added cerficate for accounts.google.com in /conf/truststore.jks and cacerts in JRE and i'm still getting the same error.
 
this is google api console setup as of now
Screenshot 2023-10-31 at 4.34.21 PM.png
 
 please help me in fixing this issue. Thanks and Regards.
1 ACCEPTED SOLUTION

avatar
Master Mentor

@jai1gupta 

What makes you think your NiFi is not secured over https?
You did not share your nifi.properties web  properties.
If you have set the following properties:

 

nifi.web.https.host=<hostname>
nifi.web.https.port=<port>

 

and have configured the NiFi keystore and truststore properties (which you did share), the your NiFi would have started at logged url being available over HTTPS://<hostname>:<port>/nifi

My guess is your issue probably extends from the use of "localhost" instead of an actual resolvable hostname.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

4 REPLIES 4

avatar
Explorer

avatar
Master Mentor

@jai1gupta 

The exception:

 

 

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

 

This indicates a trust chain issue in your TLS exchange with accounts.google.com.  A complete trust chain requires all know public certs between certificate that signed for accounts.google.com --> intermediate CA(s) --> rootCA (owner and issuer same DN).

Your configuration shows that the oidc authentication client configuration is set to:

 

 

nifi.security.user.oidc.truststore.strategy=JDK

 

 

HTTPS Certificate Trust Store Strategy defines the source of certificate authorities that NiFi uses when communicating with the OpenID Connect Provider. The value of JDK uses the Java platform default configuration stored in cacerts under the Java Home directory. The value of NIFI enables using the trust store configured in the nifi.security.truststore property. The default value is JDK

This means that the Java version you have installed that NiFi is using is missing some trustedCertEntries from the trust chain for accounts.google.com.

Google makes all its public root and intermediate certificates available for download here:
https://pki.goog/repository/#:~:text=Download%20CA%20certificates

You'll want to download all these (pem files) and add any that are missing from your Java's cacerts truststore file. While you can use the following openssl command to get all the public certs in the chain,  you may find at times you get redirected to a different accounts.google.com server with a different trust chain.  So I recommend downloading all instead of just those returned by the openssl command:

 

openssl s_client -connect accounts.google.com:443 -showcerts

 


Restart your NiFi and this trust issue should be gone.

I am confused why your google console setup is using http instead of https urls for your NiFi?  NiFi will not support authentication and authorization unless it is secured over https.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

avatar
Explorer

@MattWho 

after changing the nifi.security.user.oidc.truststore.strategy to NIFI my error got resolved. now when i access the nifi on browser i get this error

Screenshot 2023-11-02 at 4.18.10 PM.png

 

Screenshot 2023-11-02 at 4.22.51 PM.png

i think this error is because my nifi is not secured over https.

i've already ran this command

Screenshot 2023-11-02 at 4.14.54 PM.png

please tell me what can i do next to make it secured. Thanks

avatar
Master Mentor

@jai1gupta 

What makes you think your NiFi is not secured over https?
You did not share your nifi.properties web  properties.
If you have set the following properties:

 

nifi.web.https.host=<hostname>
nifi.web.https.port=<port>

 

and have configured the NiFi keystore and truststore properties (which you did share), the your NiFi would have started at logged url being available over HTTPS://<hostname>:<port>/nifi

My guess is your issue probably extends from the use of "localhost" instead of an actual resolvable hostname.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt