
How to handle auth in nifi-registry when calling from nifi in OIDC configuration?


I've installed and configured nifi and nifi-registry. Both are configured to use OIDC authentication and I can successfully access both after authenticating in my OIDC provider (a Keycloak server FWIW).

Problems arise when I want to start version control of a process group. I have configured the nifi-registry URL in nifi but I am unable to list the buckets available in nifi-registry.

And indeed when I look at the nifi-registry logs, I see this:

2021-10-21 09:36:27,487 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext

So it is seen as an anonymous request which explains why I can't see any buckets from nifi-registry.

I have not been able to find documentation explaining how security configuration should be done in this OIDC case. What am I missing here? How should user authentication be conveyed in this case?


Solution

  • I finally managed to get it working and it actually has nothing to do with OIDC.

    Once the secure configuration between NiFi and NiFi Registry is correctly set up (add the NiFi Registry SSL certificate to NiFi's truststore if needed, register the NiFi user in NiFi Registry and give it the Proxy User Requests right, ...), it works fine and NiFi Registry knows the current user doing the action.
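
A triage script for the DEBUG lines quoted in the question, added here as an example (it is not part of the original post or of NiFi). It lists every request that fell through to the anonymous context and why; the function names and the assumption that the identity chain starts with X509IdentityProvider are mine, taken from the order shown in that log.

```python
import re

# DEBUG lines copied from the nifi-registry log quoted in the question.
SAMPLE_LOG = """\
2021-10-21 09:36:27,487 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ +"
    r"\[(?P<thread>[^\]]+)\] \S+ (?P<msg>.*)$"
)
# Assumption: the chain starts with X509IdentityProvider, as in the log above.
CHAIN_START = "credentials using X509IdentityProvider"
MARKERS = {
    "No client certificate found in request": "no_client_cert",
    "HTTP Bearer Auth credentials not present": "no_bearer_token",
}
ANONYMOUS = "Set SecurityContextHolder to anonymous"

def anonymous_requests(log_text):
    """List requests that ended in the anonymous context, with the reasons seen."""
    state, out = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line or a different log format
        thread, msg = m["thread"], m["msg"]
        if CHAIN_START in msg:
            state[thread] = set()  # a new request on this worker thread
        for fragment, reason in MARKERS.items():
            if fragment in msg:
                state.setdefault(thread, set()).add(reason)
        if ANONYMOUS in msg:
            out.append({"time": m["ts"], "thread": thread,
                        "reasons": sorted(state.pop(thread, set()))})
    return out

def hint(record):
    """Point at the configuration area the answer names for this outcome."""
    if "no_client_cert" in record["reasons"]:
        return ("no TLS client certificate reached Registry: review the secure "
                "NiFi <-> NiFi Registry setup (truststores, NiFi user, proxy right)")
    return "request carried no usable credentials"

if __name__ == "__main__":
    for rec in anonymous_requests(SAMPLE_LOG):
        print(rec["time"], rec["thread"], rec["reasons"], "->", hint(rec))
```

Run it against the Registry log again after changing the configuration: an empty result for NiFi's calls means they are no longer treated as anonymous.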