NIFI-7332 Added method to log available claim names from the ID provider response when the OIDC Identifying User claim is not found. Revised log message to print available claims.

Added new StandardOidcIdentityProviderGroovyTest file.
Updated deprecated methods in StandardOidcIdentityProvider. Changed log output to print all available claim names from JWTClaimsSet. Added unit test.
Added comments in getAvailableClaims() method.
Fixed typos in NiFi Docs Admin Guide.
Added license to Groovy test.
Fixed a checkstyle error.
Refactor exchangeAuthorizationCode method.
Added unit tests.
Verified all unit tests added so far are passing.
Refactored code. Added unit tests.
Refactored OIDC provider to decouple constructor & network-dependent initialization.
Added unit tests.
Added unit tests.
Refactored OIDC provider to separately authorize the client. Added unit tests.
Added unit tests.

NIFI-7332 Refactored exchangeAuthorizationCode method to separately retrieve the NiFi JWT.

Signed-off-by: Nathan Gough <[email protected]>

This closes apache#4344.
mtien-apache authored and thenatog committed Jul 7, 2020
1 parent c396927 commit aa741cc
Showing 5 changed files with 847 additions and 156 deletions.
5 changes: 2 additions & 3 deletions nifi-docs/src/main/asciidoc/administration-guide.adoc
Expand Up @@ -367,10 +367,9 @@ To enable authentication via OpenId Connect the following properties must be con
|`nifi.security.user.oidc.read.timeout` | Read timeout when communicating with the OpenId Connect Provider.
|`nifi.security.user.oidc.client.id` | The client id for NiFi after registration with the OpenId Connect Provider.
|`nifi.security.user.oidc.client.secret` | The client secret for NiFi after registration with the OpenId Connect Provider.
|`nifi.security.user.oidc.preferred.jwsalgorithm` | The preferred algorithm for for validating identity tokens. If this value is blank, it will default to `RS256` which is required to be supported
|`nifi.security.user.oidc.preferred.jwsalgorithm` | The preferred algorithm for validating identity tokens. If this value is blank, it will default to `RS256` which is required to be supported
|`nifi.security.user.oidc.additional.scopes` | Comma separated scopes that are sent to OpenId Connect Provider in addition to `openid` and `email`.
|`nifi.security.user.oidc.claim.identifying.user` | Claim that identifies the user to be logged in; default is `email`. May need to be requested via the `nifi.security.user.oidc.additional.scopes` before usage.
by the OpenId Connect Provider according to the specification. If this value is `HS256`, `HS384`, or `HS512`, NiFi will attempt to validate HMAC protected tokens using the specified client secret.
|`nifi.security.user.oidc.claim.identifying.user` | Claim that identifies the user to be logged in; default is `email`. May need to be requested via the `nifi.security.user.oidc.additional.scopes` before usage by the OpenId Connect Provider according to the specification. If this value is `HS256`, `HS384`, or `HS512`, NiFi will attempt to validate HMAC protected tokens using the specified client secret.
If this value is `none`, NiFi will attempt to validate unsecured/plain tokens. Other values for this algorithm will attempt to parse as an RSA or EC algorithm to be used in conjunction with the
JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the discovery URL.
|==================================================================================================================================================
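Review bot: the rebuilt `claim.identifying.user` row now carries the tail of the `preferred.jwsalgorithm` description. The text "before usage by the OpenId Connect Provider according to the specification. If this value is `HS256`, `HS384`, or `HS512`, NiFi will attempt to validate HMAC protected tokens using the specified client secret." describes the token signing algorithm, not the identifying claim, and the two unchanged lines that follow (`none`, and RSA/EC with the JWK from `jwks_uri`) now also read as part of the claim row. The original defect was the claim row being inserted mid-cell; the fix should move the `claim.identifying.user` row below the `jwks_uri` line (or above the `jwsalgorithm` row) and keep the HMAC/`none`/JWK sentences as the continuation of the `jwsalgorithm` cell, otherwise a reader configuring the identifying claim is told it controls signature validation.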
Expand Up @@ -20,14 +20,18 @@
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;

import java.io.IOException;
import java.net.URI;

public interface OidcIdentityProvider {

String OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED = "OpenId Connect support is not configured";

/**
* Initializes the provider.
*/
void initializeProvider();

/**
* Returns whether OIDC support is enabled.
*
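Review bot: `initializeProvider()` is added as a new abstract method on a public interface, which breaks any third-party implementation of `OidcIdentityProvider`; a `default` no-op body would preserve compatibility if that matters. The Javadoc "Initializes the provider." should also state the contract callers depend on: that this is where the network-dependent discovery and client authorization formerly done in the constructor now happens, that it is a no-op when OIDC is not enabled, and whether a second call is allowed, since `OidcService` now invokes it from its own constructor.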
Expand Up @@ -21,8 +21,6 @@
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.State;
import org.apache.nifi.web.security.util.CacheKey;

import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
Expand All @@ -31,6 +29,7 @@
import java.security.SecureRandom;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.nifi.web.security.util.CacheKey;

import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED;

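Review bot: the `CacheKey` import is only moved, from its own group between the `com.nimbusds` and `java.*` imports to the end of the `java.util.concurrent` block, so there is no functional change; the commit message attributes this to a checkstyle fix. If checkstyle did not require this exact position, keep the `org.apache.nifi` import in a separate group ahead of the static import, consistent with how the removed line was grouped, so the import layout stays uniform across the file.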
Expand Down Expand Up @@ -66,6 +65,7 @@ public OidcService(final OidcIdentityProvider identityProvider, final int durati
throw new RuntimeException("The OidcIdentityProvider must be specified.");
}

identityProvider.initializeProvider();
this.identityProvider = identityProvider;
this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
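Review bot: `identityProvider.initializeProvider()` is called unconditionally inside the `OidcService` constructor, so the network-dependent initialization that was split out of the provider's constructor is re-coupled to construction of the service, and any discovery failure now surfaces as a failure to construct `OidcService`. If that is intended, say so in the constructor Javadoc; otherwise guard the call with `identityProvider.isOidcEnabled()` (already declared on the interface) so a deployment without OIDC configured never attempts outbound discovery at startup.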
Expand Down Expand Up @@ -198,7 +198,7 @@ public void exchangeAuthorizationCode(final String oidcRequestIdentifier, final
}

final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier);
final String nifiJwt = identityProvider.exchangeAuthorizationCode(authorizationGrant);
final String nifiJwt = retrieveNifiJwt(authorizationGrant);

try {
// cache the jwt for later retrieval
Expand All @@ -213,6 +213,17 @@ public void exchangeAuthorizationCode(final String oidcRequestIdentifier, final
}
}

/**
* Exchange the authorization code to retrieve a NiFi JWT.
*
* @param authorizationGrant authorization grant
* @return NiFi JWT
* @throws IOException exceptional case for communication error with the OpenId Connect provider
*/
public String retrieveNifiJwt(final AuthorizationGrant authorizationGrant) throws IOException {
return identityProvider.exchangeAuthorizationCode(authorizationGrant);
}

/**
* Returns the resulting JWT for the given request identifier. Will return null if the request
* identifier is not associated with a JWT or if the login sequence was not completed before
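Review bot: `retrieveNifiJwt` is declared `public` but is a pure pass-through to `identityProvider.exchangeAuthorizationCode`, introduced so tests can stub the exchange. Public visibility widens the service's surface: any caller holding an `OidcService` can exchange a grant for a NiFi JWT while skipping the request-identifier and state handling in `exchangeAuthorizationCode`. Package-private or `protected` visibility is enough for a Groovy test in the same package. The Javadoc also says "Exchange the authorization code" while the parameter is an `AuthorizationGrant`; describe the actual input.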