
OpenID Connect authentication

After you install NiFi, you can enable authentication through OpenID Connect.

With OpenID Connect authentication, when a user attempts to access NiFi, NiFi redirects the user to the corresponding identity provider to log in. After the user logs into the identity provider, the identity provider sends NiFi a response that contains the user's credentials. With knowledge of the user's identity, NiFi can now authenticate the user.

To enable authentication through OpenID Connect, set the following OpenID Connect-related properties in the nifi.properties file. Then restart NiFi for the changes in nifi.properties to take effect. If NiFi is clustered, the configuration files must be the same on all nodes.

Property and description

nifi.security.user.oidc.discovery.url
    The discovery URL for the desired OpenID Connect provider. See OpenID Connect Discovery 1.0.

nifi.security.user.oidc.connect.timeout
    Connect timeout when communicating with the OpenID Connect provider.

nifi.security.user.oidc.read.timeout
    Read timeout when communicating with the OpenID Connect provider.

nifi.security.user.oidc.client.id
    The client id for NiFi after registration with the OpenID Connect provider.

nifi.security.user.oidc.client.secret
    The client secret for NiFi after registration with the OpenID Connect provider.

nifi.security.user.oidc.preferred.jwsalgorithm
    The preferred algorithm for validating identity tokens.

    If this value is blank, it defaults to RS256, which the OpenID Connect specification requires every provider to support.

    If this value is HS256, HS384, or HS512, NiFi attempts to validate HMAC-protected tokens using the specified client secret.

    If this value is none, NiFi attempts to validate unsecured/plain tokens.

    Any other value is parsed as an RSA or EC algorithm and used in conjunction with the JSON Web Key (JWK) provided through the jwks_uri in the metadata found at the discovery URL.

nifi.security.user.oidc.additional.scopes
    Comma-separated scopes that are sent to the OpenID Connect provider in addition to openid and email.

nifi.security.user.oidc.claim.identifying.user
    Claim that identifies the user to be logged in; the default is email. The claim may need to be requested through nifi.security.user.oidc.additional.scopes before use.

nifi.security.user.oidc.fallback.claims.identifying.user
    Comma-separated fallback claims used to identify the user when the nifi.security.user.oidc.claim.identifying.user claim is not present for the login user.
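The properties above interact: a blank algorithm falls back to RS256, the HS* algorithms are only usable when a client secret is present, a value of none accepts unsecured tokens, and a custom identifying claim may require extra scopes. The following checker, an added example that is not part of NiFi or of this documentation, parses the OIDC section of a nifi.properties file, reports settings that weaken token validation, and confirms that the values match across cluster nodes (the page requires identical configuration on every node). The property names are the ones documented on this page; the two node configurations, the idp.example.test host and the timeout values are constructed for the example, and the scope heuristic for the identifying claim is an assumption, not NiFi behaviour.

```python
"""Lint the OpenID Connect section of nifi.properties (added example, not NiFi code)."""
from urllib.parse import urlparse

PREFIX = "nifi.security.user.oidc."
HMAC_ALGS = {"HS256", "HS384", "HS512"}
# Claims that the default scopes (openid and email) already return. Anything else
# is assumed (heuristic, not NiFi behaviour) to need additional.scopes.
DEFAULT_SCOPE_CLAIMS = {"sub", "email", "email_verified"}


def parse_properties(text):
    """Parse Java-style key=value properties, ignoring blank and comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def oidc_findings(props):
    """Return human-readable findings for one node's OIDC settings (empty list = clean)."""
    def get(name):
        return props.get(PREFIX + name, "")

    findings = []
    discovery = get("discovery.url")
    if not discovery:
        findings.append("discovery.url is not set; OIDC login cannot be enabled")
    elif urlparse(discovery).scheme != "https":
        findings.append("discovery.url is not https; provider metadata and jwks_uri "
                        "would be fetched without transport protection")

    if not get("client.id"):
        findings.append("client.id is empty; NiFi is not registered with the provider")

    alg = get("preferred.jwsalgorithm") or "RS256"   # blank defaults to RS256 (documented)
    if alg == "none":
        findings.append("preferred.jwsalgorithm is 'none'; unsecured tokens would be accepted")
    elif alg in HMAC_ALGS and not get("client.secret"):
        findings.append(f"preferred.jwsalgorithm is {alg} but client.secret is empty; "
                        "HMAC-protected tokens cannot be validated")

    claim = get("claim.identifying.user") or "email"   # default claim is email (documented)
    scopes = {s.strip() for s in get("additional.scopes").split(",") if s.strip()}
    if claim not in DEFAULT_SCOPE_CLAIMS and not scopes:
        findings.append(f"claim.identifying.user is '{claim}' but additional.scopes is empty; "
                        "the claim may be missing from the token")
    return findings


def cluster_mismatches(node_props):
    """Given {node_name: props}, return the OIDC keys whose values differ between nodes."""
    keys = set()
    for props in node_props.values():
        keys.update(k for k in props if k.startswith(PREFIX))
    mismatched = []
    for key in sorted(keys):
        values = {props.get(key, "") for props in node_props.values()}
        if len(values) > 1:
            mismatched.append(key)
    return mismatched


# Constructed sample: one node with the documented defaults left in place.
NODE1 = """
nifi.security.user.oidc.discovery.url=https://idp.example.test/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=nifi
nifi.security.user.oidc.client.secret=REPLACE_WITH_SECRET
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.additional.scopes=
nifi.security.user.oidc.claim.identifying.user=email
nifi.security.user.oidc.fallback.claims.identifying.user=upn,preferred_username
"""

# Constructed sample: a second node whose algorithm was set to none and whose
# scope list drifted, so it is both weaker and inconsistent with node 1.
NODE2_WEAK = (NODE1.replace("preferred.jwsalgorithm=", "preferred.jwsalgorithm=none")
                   .replace("additional.scopes=", "additional.scopes=profile"))


def main():
    nodes = {"node1": parse_properties(NODE1), "node2": parse_properties(NODE2_WEAK)}
    for name, props in nodes.items():
        for finding in oidc_findings(props):
            print(f"{name}: {finding}")
    for key in cluster_mismatches(nodes):
        print(f"cluster: {key} differs between nodes")


if __name__ == "__main__":
    main()
```

Run it against the real nifi.properties from each node before restarting the cluster; node 1 produces no findings, node 2 is flagged for the none algorithm, and the cluster check lists the two keys whose values differ between the nodes.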