Configuring OIDC authentication

NiFi and NiFi Registry support user authentication with OpenID Connect (OIDC) providers such as Keycloak.

To configure authentication with an OIDC provider, you need the provider's Discovery URL and the clientID and clientSecret that the provider issued for the NiFi client.

An example of a Discovery URL from Keycloak is:

https://keycloak.cfmoperator.net/realms/master/.well-known/openid-configuration

The clientID and clientSecret values are provided to NiFi through a Kubernetes Secret that carries exactly those two keys. Create the Secret in the same namespace as the NiFi resource, because a workload can only reference Secrets from its own namespace:

kubectl create secret generic oidc-client-secret --from-literal=clientID=[***YOUR CLIENT ID***] --from-literal=clientSecret=[***YOUR CLIENT SECRET***]

Note that --from-literal places the client secret on the command line, where it is recorded in shell history; for production values, prefer --from-file so the secret is read from a file instead.

The Discovery URL and the name of the client credentials Secret are provided to NiFi in the resource spec:

spec:
  security:
    openIDAuth:
      discoveryURL: [***YOUR DISCOVERY URL***]
      clientSecretName: oidc-client-secret

openIDAuth also accepts the following optional fields:

connectTimeout

The connection timeout NiFi applies when opening connections to the OpenID Connect provider, for example to fetch the discovery document or to exchange an authorization code for tokens.

readTimeout

The read timeout NiFi applies while waiting for a response from the OpenID Connect provider on an open connection.

JWSAlgorithm

JWSAlgorithm is the preferred algorithm for validating ID tokens. Leave it blank to use RS256, which every OpenID Connect provider must support according to the specification. Set it to HS256, HS384, or HS512 to validate HMAC-protected tokens using the clientSecret from the Secret above; this only works if the provider signs ID tokens for this client with that secret, and the secrecy of that value then carries the whole signature check. The value none makes NiFi accept unsigned (plain) tokens, which disables signature verification entirely and lets anyone who can reach the login flow present a forged identity, so it must not be used outside of isolated testing. Any other value is parsed as an RSA or EC algorithm and verified against the keys published at the jwks_uri listed in the metadata served at the Discovery URL.
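The following pre-flight check ties the spec above to the JWSAlgorithm rules just described. It is an added example, not code from the CFM Operator or NiFi: it validates a Discovery URL, compares the algorithm you intend to configure against what the provider advertises in its discovery document, refuses none, and renders the openIDAuth block. The discovery document is constructed inline in Keycloak's shape so the script runs offline; the function names, the SAMPLE_DISCOVERY content, and the YAML key spelling JWSAlgorithm (taken from the option name on this page, verify it against your CRD) are assumptions.

```python
"""Pre-flight check for NiFi openIDAuth settings (added example, not project code)."""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
HMAC_ALGS = {"HS256", "HS384", "HS512"}

# Constructed sample: a trimmed Keycloak-style discovery document for the
# example realm on this page. Real providers return many more fields.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.cfmoperator.net/realms/master",
    "authorization_endpoint": "https://keycloak.cfmoperator.net/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.cfmoperator.net/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.cfmoperator.net/realms/master/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
})


def check_discovery_url(url):
    """Return a list of problems with the Discovery URL itself (empty means ok)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("Discovery URL must use https; tokens and the client secret travel over it")
    if not parsed.path.endswith(WELL_KNOWN):
        problems.append("Discovery URL should end with " + WELL_KNOWN)
    return problems


def check_jws_algorithm(discovery_json, jws_algorithm):
    """Validate the chosen JWSAlgorithm against the provider metadata.

    Returns (effective_algorithm, problems). A blank JWSAlgorithm falls back
    to RS256, matching the option description.
    """
    doc = json.loads(discovery_json)
    problems = []
    alg = jws_algorithm.strip() or "RS256"
    supported = doc.get("id_token_signing_alg_values_supported", [])

    if alg == "none":
        # Unsigned tokens: no signature check at all, so identity can be forged.
        problems.append("JWSAlgorithm 'none' accepts unsigned tokens; never use it outside a lab")
    elif alg in HMAC_ALGS:
        # HMAC validation keys off the clientSecret from the Kubernetes Secret;
        # the provider must actually sign this client's ID tokens that way.
        if alg not in supported:
            problems.append("provider does not advertise " + alg + " for ID tokens")
    else:
        # RSA/EC algorithms need public keys fetched from jwks_uri.
        if "jwks_uri" not in doc:
            problems.append("discovery document has no jwks_uri; cannot validate " + alg)
        if alg not in supported:
            problems.append("provider does not advertise " + alg + " for ID tokens")

    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in doc:
            problems.append("discovery document is missing " + key)
    return alg, problems


def render_open_id_auth(discovery_url, secret_name, jws_algorithm=""):
    """Render the security.openIDAuth block of the NiFi spec as YAML text."""
    lines = [
        "spec:",
        "  security:",
        "    openIDAuth:",
        "      discoveryURL: " + discovery_url,
        "      clientSecretName: " + secret_name,
    ]
    if jws_algorithm:
        # Key name taken from the option list on this page (assumed spelling).
        lines.append("      JWSAlgorithm: " + jws_algorithm)
    return "\n".join(lines)


if __name__ == "__main__":
    url = "https://keycloak.cfmoperator.net/realms/master" + WELL_KNOWN
    for candidate in ("", "HS256", "PS256", "none"):
        alg, problems = check_jws_algorithm(SAMPLE_DISCOVERY, candidate)
        status = "ok" if not problems else "; ".join(problems)
        print("JWSAlgorithm=%r -> %s: %s" % (candidate, alg, status))
    print(render_open_id_auth(url, "oidc-client-secret"))
```

Run it against the real discovery document by replacing SAMPLE_DISCOVERY with the JSON fetched from your Discovery URL; a non-empty problems list means the spec would either fail to validate tokens or, in the case of none, validate them without any signature check.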