OpenID Connect authentication
After you install NiFi, you can enable authentication through OpenID Connect.
With OpenID Connect authentication, when a user attempts to access NiFi, NiFi redirects the user to the corresponding identity provider to log in. After the user logs into the identity provider, the identity provider sends NiFi a response that contains the user's credentials. With knowledge of the user's identity, NiFi can now authenticate the user.
To enable authentication through OpenID Connect, set the following OpenID Connect related properties in the nifi.properties file. Then, restart NiFi for the changes in the nifi.properties file to take effect. If NiFi is clustered, configuration files must be the same on all nodes.
Property | Description |
---|---|
nifi.security.user.oidc.discovery.url |
The discovery URL for the desired OpenID Connect provider. See OpenID Connect Discovery 1.0. |
nifi.security.user.oidc.connect.timeout |
Connect timeout when communicating with the OpenID Connect provider. |
nifi.security.user.oidc.read.timeout |
Read timeout when communicating with the OpenID Connect provider. |
nifi.security.user.oidc.client.id |
The client id for NiFi after registration with the OpenID Connect provider. |
nifi.security.user.oidc.client.secret |
The client secret for NiFi after registration with the OpenID Connect provider. |
nifi.security.user.oidc.preferred.jwsalgorithm |
The preferred algorithm for validating identity tokens. If this value is blank, it
will default to If this value is
If this
value is Other values for this algorithm will attempt to parse as an RSA or EC algorithm to be used in conjunction with the JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the discovery URL. |
nifi.security.user.oidc.additional.scopes |
Comma separated scopes that are sent to OpenID Connect provider in addition to
openid and email . |
nifi.security.user.oidc.claim.identifying.user |
Claim that identifies the user to be logged in; default is email . May
need to be requested through nifi.security.user.oidc.additional.scopes
before usage. |
nifi.security.user.oidc.fallback.claims.identifying.user |
Comma separated possible fallback claims used to identify the user in case
nifi.security.user.oidc.claim.identifying.user claim is not present for the
login user. |