OpenId Connect

To enable authentication via OpenId Connect the following properties must be configured in nifi.properties.


Property Name	Description
`nifi.security.user.oidc.discovery.url`	The discovery URL for the desired OpenId Connect Provider (http://openid.net/specs/openid-connect-discovery-1_0.html).
`nifi.security.user.oidc.connect.timeout`	Connect timeout when communicating with the OpenId Connect Provider.
`nifi.security.user.oidc.read.timeout`	Read timeout when communicating with the OpenId Connect Provider.
`nifi.security.user.oidc.client.id`	The client id for NiFi after registration with the OpenId Connect Provider.
`nifi.security.user.oidc.client.secret`	The client secret for NiFi after registration with the OpenId Connect Provider.
`nifi.security.user.oidc.preferred.jwsalgorithm`	The preferred algorithm for validating identity tokens. If this value is blank, it will default to `RS256` which is required to be supported by the OpenId Connect Provider according to the specification. If this value is `HS256`, `HS384`, or `HS512`, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is `none`, NiFi will attempt to validate unsecured/plain tokens. Other values for this algorithm will attempt to parse as an RSA or EC algorithm to be used in conjunction with the JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the discovery URL.
`nifi.security.user.oidc.additional.scopes`	Comma separated scopes that are sent to OpenId Connect Provider in addition to `openid` and `email`.
`nifi.security.user.oidc.claim.identifying.user`	Claim that identifies the user to be logged in; default is `email`. May need to be requested via the `nifi.security.user.oidc.additional.scopes` before usage.
`nifi.security.user.oidc.fallback.claims.identifying.user`	Comma separated possible fallback claims used to identify the user in case `nifi.security.user.oidc.claim.identifying.user` claim is not present for the login user.