@mbraunerde When you authenticate to NiFi, a client token is issued for your user. That token is then presented by your browser with all subsequent requests since every action performed in NiFi must be both authenticated and authorized. When the token expires, a new one must be obtained. While you have configured the OIDC properties to support authentication via an external AD, you are still using the Single-user-authorizer which allows full access to only the user created by the Single-user-provider. I suggest you modify your nifi.properties file to use: nifi.security.user.authorizer=managed-authorizer This provider will utilize the the file-access-policy-provider (authorizations.xml file) for user authorizations. With your configuration above it will set admin level authorizations for user: admin@login-domain.com This user would be then allowed to access the NiFi and manage additional user authorizations via the UI. As far as access to the NiFi rest-api, I'd recommend using a certificate instead of your AD. 1. No need to obtain a user token - Include the clientAuth certificate in all your rest-api calls. 2. Will work for as long as the client certificate is valid. Certificate can be configured with long validity dates (often 2 years or more) 3. Token are only valid for the NiFi node on which they were issued. meaning if you accessed a different NiFi node in a NiFi cluster or a different instance of NiFi, you would need to get a new token each time. 4. Using a token requires you then to store that token somewhere for reuse by your individual rest-api calls. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
