From 09dac855ff3a645591e41c99f85339111d72a33d Mon Sep 17 00:00:00 2001
From: Happy Code <evteev@happy-code.com>
Date: Tue, 8 Aug 2023 17:07:53 +0300
Subject: [PATCH] Add auth.oidc.preferredJwsalgorithm param (#306)

* Update nifi.properties - Add values - nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsalgorithm}}
* Update values.yaml - Add auth.oidc.preferredJwsalgorithm value
* Update README.md - Add info about nifi.security.user.oidc.preferred.jwsalgorithm
---
 README.md               | 1 +
 configs/nifi.properties | 2 +-
 values.yaml             | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index da4287d4..e838050e 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,7 @@ The following table lists the configurable parameters of the nifi chart and the
 | `auth.oidc.clientId`                                                        | oidc clientId                                                                                                      | `nil`                           |
 | `auth.oidc.clientSecret`                                                    | oidc clientSecret                                                                                                  | `nil`                           |
 | `auth.oidc.claimIdentifyingUser`                                            | oidc claimIdentifyingUser                                                                                          | `email`                         |
+| `auth.oidc.preferredJwsAlgorithm`                                            | The preferred algorithm for validating identity tokens. If this value is blank, it will default to RS256 which is required to be supported by the OpenID Connect Provider according to the specification. If this value is HS256, HS384, or HS512, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is none, NiFi will attempt to validate unsecured/plain tokens.                                                                                           | `nil`                         |
 | `auth.oidc.admin`                                                           | Default OIDC admin identity                                                                                        | `nifi@example.com`              |
 | Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163)      | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) |
 | **postStart**                                                               |
diff --git a/configs/nifi.properties b/configs/nifi.properties
index d4cfd899..06d74aec 100644
--- a/configs/nifi.properties
+++ b/configs/nifi.properties
@@ -197,7 +197,7 @@ nifi.security.user.oidc.connect.timeout=5 secs
 nifi.security.user.oidc.read.timeout=5 secs
 nifi.security.user.oidc.client.id={{.Values.auth.oidc.clientId}}
 nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}}
-nifi.security.user.oidc.preferred.jwsalgorithm=
+nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsAlgorithm}}
 nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}}
 nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}}
 {{end}}
diff --git a/values.yaml b/values.yaml
index a39199df..58b2e246 100644
--- a/values.yaml
+++ b/values.yaml
@@ -149,6 +149,7 @@ auth:
     clientSecret: #<client_secret_in_oidc_provider>
     claimIdentifyingUser: email
     admin: nifi@example.com
+    preferredJwsAlgorithm: 
     ## Request additional scopes, for example profile
     additionalScopes: