konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0

[LDAP] Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found #271

Closed pashtet04 closed 1 year ago

pashtet04 commented 1 year ago

What steps will reproduce the bug?

  1. NiFi Operator Image

    image:
      repository: ghcr.io/konpyutaika/docker-images/nifikop
      tag: latest

  2. NiFi Cluster values

    ldapConfiguration:
      enabled: true
      url: ldaps://ad:636
      searchBase: OU=<OU>,DC=<MYDOMAIN>,DC=com
      searchFilter: sAMAccountName={0}
      authenticationStrategy: SIMPLE
      managerDn: CN=admin,OU=<OU>,DC=<MYDOMAIN>,DC=com
      managerPassword: <PASSWORD>
      identityStrategy: USE_USERNAME

    nifiProperties:
      overrideConfigs: |
        nifi.web.proxy.context.path=/nifi-cluster
        nifi.web.http.network.interface.default=eth0
        nifi.web.http.network.interface.lo=lo
        nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
        nifi.web.https.port=8443
        nifi.security.identity.mapping.pattern.dn=CN=([^,]*)(?:, (?:O|OU)=.*)?
        nifi.security.identity.mapping.value.dn=$1
        nifi.security.identity.mapping.transform.dn=NONE
        nifi.security.user.authorizer=managed-authorizer
        nifi.security.user.login.identity.provider=ldap-provider
  3. Try to login with my LDAP credentials

[Screenshot: NiFi Login page, taken 2023-07-11 at 13:48]

  4. Got a strange error: Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

    XHR GET https://nifi-ingress.url.com/nifi-cluster/nifi-api/access
    [HTTP/2 401 Unauthorized 415ms]
    Status: 401 Unauthorized
    Version: HTTP/2
    Transferred: 1.04 kB (247 B size)
    Referrer Policy: strict-origin-when-cross-origin

    Browser console warning: Some cookies are misusing the recommended "SameSite" attribute (2)

What is the expected behavior?

Login successful

What do you see instead?

Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Possible solution

No response

NiFiKop version

8d5f68f45188b43a687f66208f79401e9a3a4dd0

Golang version

1.20.5

Kubernetes version

Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"archive", BuildDate:"2023-06-15T08:14:06Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.8", GitCommit:"fdc77503e954d1ee641c0e350481f7528e8d068b", GitTreeState:"clean", BuildDate:"2022-11-09T13:31:40Z", GoVersion:"go1.18.8", Compiler:"gc", Platform:"linux/amd64"}

NiFi version

1.19.0

Additional context

No response

pashtet04 commented 1 year ago

Tried to add to ingress rule:

  annotations:
    nginx.ingress.kubernetes.io/session-cookie-samesite: None
    nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true"

and now I am authorized without that error, but it redirects me back to the login page.

pashtet04 commented 1 year ago

These are the correct annotations:

  annotations:
    nginx.ingress.kubernetes.io/session-cookie-samesite: None
    nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "false"

But now I've got the error "Unknown user with identity ''. Contact the system administrator.", which is not related to the topic.
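The report's nifi.properties override sets an identity mapping (nifi.security.identity.mapping.pattern.dn / value.dn / transform.dn), and the last comment ends on an error about an empty user identity. NiFi applies such a pattern as a full match against the identity and only rewrites identities that match; anything else passes through unchanged. The script below is an added example, not code from the issue or from the NiFiKop project, that mirrors that mapping rule in Python (the semantics are an assumption based on NiFi's identity-mapping documentation, not a call into NiFi itself) so you can check, against constructed DNs, which identities a given pattern would actually rewrite before deploying it. Note that the pattern from the issue expects ", " with a space between RDNs, so a DN written without spaces is not rewritten.

```python
import re

# Values copied from the issue's nifi.properties override.
MAPPING_PATTERN = r"CN=([^,]*)(?:, (?:O|OU)=.*)?"
MAPPING_VALUE = "$1"
MAPPING_TRANSFORM = "NONE"  # NiFi also accepts LOWER and UPPER


def map_identity(identity, pattern=MAPPING_PATTERN, value=MAPPING_VALUE,
                 transform=MAPPING_TRANSFORM):
    """Return (mapped_identity, was_mapped).

    Assumed NiFi semantics: the pattern must match the whole identity
    (Java Matcher.matches); on a match the value template is expanded
    with its $N back-references and the transform is applied; otherwise
    the identity is returned unchanged.
    """
    match = re.fullmatch(pattern, identity)
    if match is None:
        return identity, False
    # NiFi uses Java-style $1 back-references; Python's expand() wants \1.
    py_template = re.sub(r"\$(\d+)", lambda g: "\\" + g.group(1), value)
    mapped = match.expand(py_template)
    if transform == "LOWER":
        mapped = mapped.lower()
    elif transform == "UPPER":
        mapped = mapped.upper()
    return mapped, True


def check_mappings(identities, **kwargs):
    """Run every identity through the mapping and report the outcome."""
    return [(ident, *map_identity(ident, **kwargs)) for ident in identities]


# Constructed sample identities (not from the issue) in the shapes an LDAP
# or certificate-backed login commonly produces.
SAMPLE_IDENTITIES = [
    "CN=admin, OU=Users, DC=example, DC=com",   # spaces after commas: rewritten
    "CN=admin,OU=Users,DC=example,DC=com",      # no spaces: passes through unchanged
    "CN=admin",                                 # bare CN: rewritten
    "admin",                                    # USE_USERNAME style identity: unchanged
]

if __name__ == "__main__":
    for original, mapped, was_mapped in check_mappings(SAMPLE_IDENTITIES):
        status = "mapped" if was_mapped else "unchanged"
        print(f"{status:9s} {original!r} -> {mapped!r}")
```

Running it prints one line per sample identity; only the DNs that match the pattern in full are reduced to the CN, which is the quickest way to confirm that the identity your authorizer's user definitions expect is the one the mapping will actually produce.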