Configuring OIDC authentication
NiFi supports user authentication with Open ID Connect (OIDC) providers such as Keycloak.
To configure authentication with an OIDC provider, you need to know the discovery URL, clientID, and clientSecret of the authenticating server.
An example of a Discovery URL from Keycloak is:
https://keycloak.cfmoperator.net/realms/master/.well-known/openid-configuration
The clientID and clientSecret fields are provided to NiFi in a Kubernetes secret. Create that secret with the following command:
kubectl create secret generic oidc-client-secret --from-literal=clientID=[***YOUR CLIENT ID***] --from-literal=clientSecret=[***YOUR CLIENT SECRET***]
The Discovery URL and client credentials secret are provided to NiFi with the below spec:
spec:
  security:
    openIDAuth:
      discoveryURL: [***YOUR DISCOVERY URL***]
      clientSecretName: [***OIDC CLIENT SECRET***]
OpenIDAuth also provides additional options:
- connectTimeout: Specify the connection timeout when communicating with the OIDC provider.
- readTimeout: Specify the read timeout when communicating with the OIDC provider.
- JWSAlgorithm: The preferred algorithm for validating identity tokens. If this value is blank, it defaults to RS256, which the OIDC specification requires every provider to support. If this value is HS256, HS384, or HS512, NiFi attempts to validate HMAC-protected tokens using the specified client secret. If this value is none, NiFi attempts to validate unsecured/plain tokens, that is, tokens carrying no signature at all. Other values are parsed as an RSA or EC algorithm and used together with the JSON Web Key (JWK) set provided through the jwks_uri in the metadata found at the discovery URL.
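The following script is an added example, not Cloudera or NiFi code, that puts the procedure above (secret plus openIDAuth spec) and the JWSAlgorithm rules together as a pre-flight check. It parses an OIDC discovery document, reports missing metadata, confirms the document is published at the issuer's well-known path, classifies a JWSAlgorithm value the way the option description says NiFi interprets it, and renders the kubectl command and spec fragment with real values. The discovery document embedded here is constructed (the hostname is the one from the page, the endpoint values are made up); fetch_discovery is only for use against a live provider.

```python
"""Pre-flight checks for a NiFi openIDAuth configuration (added example, not
Cloudera/NiFi code). Validates an OIDC discovery document against the
JWSAlgorithm NiFi will use and renders the secret command and spec fragment."""
import json
import urllib.request

# Fields the OIDC Discovery spec requires; NiFi additionally relies on jwks_uri
# when validating RSA/EC-signed identity tokens.
REQUIRED_METADATA = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample discovery document (shape follows the OIDC Discovery spec;
# host taken from the page, endpoint paths and algorithm list are made up).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.cfmoperator.net/realms/master",
    "authorization_endpoint": "https://keycloak.cfmoperator.net/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.cfmoperator.net/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.cfmoperator.net/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
})

WELL_KNOWN = "/.well-known/openid-configuration"


def fetch_discovery(url, timeout=5):
    """Download the discovery document (network call; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_discovery(document):
    """Return the required metadata fields that are missing from the document."""
    metadata = json.loads(document)
    return [field for field in REQUIRED_METADATA if field not in metadata]


def check_issuer(document, discovery_url):
    """OIDC Discovery publishes the document at <issuer>/.well-known/openid-configuration;
    a mismatch usually means the discoveryURL points at the wrong realm or host."""
    issuer = json.loads(document)["issuer"].rstrip("/")
    return discovery_url == issuer + WELL_KNOWN


def check_jws_algorithm(document, jws_algorithm):
    """Classify JWSAlgorithm as NiFi interprets it (per the option description):
    blank -> RS256; HS256/384/512 -> HMAC with the client secret; none -> unsigned
    tokens; anything else -> RSA/EC key fetched from jwks_uri.
    Returns (effective algorithm, validation mode, advertised by provider)."""
    metadata = json.loads(document)
    alg = jws_algorithm.strip() or "RS256"
    supported = metadata.get("id_token_signing_alg_values_supported", [])
    if alg == "none":
        mode = "unsigned"            # no signature: nothing is cryptographically verified
    elif alg in ("HS256", "HS384", "HS512"):
        mode = "hmac-client-secret"  # symmetric: the clientSecret is the verification key
    else:
        mode = "asymmetric-jwks"     # RSA/EC: public key looked up through jwks_uri
    return alg, mode, alg in supported


def render_secret_command(secret_name, client_id, client_secret):
    """Render the kubectl command from the page; clientID/clientSecret are the
    key names NiFi reads from the secret."""
    return (f"kubectl create secret generic {secret_name} "
            f"--from-literal=clientID={client_id} "
            f"--from-literal=clientSecret={client_secret}")


def render_spec(discovery_url, secret_name):
    """Render the openIDAuth fragment from the page with real values filled in."""
    return ("spec:\n"
            "  security:\n"
            "    openIDAuth:\n"
            f"      discoveryURL: {discovery_url}\n"
            f"      clientSecretName: {secret_name}\n")


if __name__ == "__main__":
    url = "https://keycloak.cfmoperator.net/realms/master" + WELL_KNOWN
    doc = SAMPLE_DISCOVERY  # replace with fetch_discovery(url) against a live provider
    print("missing metadata:", check_discovery(doc) or "none")
    print("issuer matches discovery URL:", check_issuer(doc, url))
    for candidate in ("", "HS256", "none", "PS256"):
        print(f"JWSAlgorithm={candidate!r}:", check_jws_algorithm(doc, candidate))
    print(render_secret_command("oidc-client-secret", "nifi", "REPLACE_WITH_SECRET"))
    print(render_spec(url, "oidc-client-secret"))
```

The third element returned by check_jws_algorithm is the check worth acting on before applying the spec: an algorithm the provider does not advertise in id_token_signing_alg_values_supported will never validate a real token, and the "unsigned" mode means the identity token is accepted without any signature check.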