Skip to content

NIFI-15211 Updated NiFi Registry JWT Key ID Resolution #10525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

NIFI-15211 Updated NiFi Registry JWT Key ID Resolution #10525

wants to merge 1 commit into from
+20 −43

Conversation

@exceptionfactory
Copy link
Contributor

@exceptionfactory exceptionfactory commented Nov 13, 2025

Summary

NIFI-15211 Updates the NiFi Registry JSON Web Token Key Identifier resolution strategy, building on changes in #10521 and moving the kid claim location to work with the KeyLocator interface.

The SigningKeyResolverAdapter is deprecated, and previously provided the ability to retrieve the Key Identifier from a claim in the JWT payload. The KeyLocator limits access to the parsed JWT header, which did not contain the kid in the initial implementation. Changes now include setting the Key Identifier in the JWT header for subsequent resolution using the KeyLocator implementation.

Additional changes include adding nifi-registry-web-api to set the set paths changed that trigger execution of the integration-tests workflow. Integration tests for NiFi Registry exercise JWT generation and verification, validating these changes. The change also removes two unused methods from the JwtService class.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using ./mvnw clean install -P contrib-check
    • JDK 21
    • JDK 25

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

@joewitt
Copy link
Contributor

joewitt commented Nov 13, 2025

Ran into this with the integration tests so maybe I got further?

`[INFO] Running org.apache.nifi.runtime.manifest.RuntimeManifestIT
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.168 s <<< FAILURE! -- in org.apache.nifi.runtime.manifest.RuntimeManifestIT
[ERROR] org.apache.nifi.runtime.manifest.RuntimeManifestIT.testRuntimeManifest -- Time elapsed: 0.160 s <<< FAILURE!
org.opentest4j.AssertionFailedError: expected: but was:
at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:158)
at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:139)
at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:201)
at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:184)
at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:179)
at org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1188)
at org.apache.nifi.runtime.manifest.RuntimeManifestIT.testRuntimeManifest(RuntimeManifestIT.java:105)

[INFO]
[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR] RuntimeManifestIT.testRuntimeManifest:105 expected: but was:
[INFO]`

@joewitt
Copy link
Contributor

joewitt commented Nov 13, 2025

Broken in NIFI-15164

@exceptionfactory @dan-s1
NIFI-15211 Updated NiFi Registry JWT Key ID Resolution
2f2a85f 
- Replaced deprecated SigningKeyResolverAdapter to KeyLocator
- Changed Key Identifier location from payload to header to work with KeyLocator
- Added nifi-registry-web-api to integration tests workflow paths

Co-authored-by: dan-s1 <[email protected]>
@exceptionfactory
Copy link
Contributor Author

exceptionfactory commented Nov 13, 2025

Thanks for evaluating these changes @joewitt, and for fixing the RuntimeManifestIT in #10527. I rebased and force-pushed the changes to this branch.

@joewitt
Copy link
Contributor

joewitt commented Nov 13, 2025

Thanks. I had built with the commit and the full integration suite and it all worked. Merging now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@exceptionfactory @joewitt