JWTBearerOAuth2AccessTokenProvider 2.4.0
- Bundle
- org.apache.nifi | nifi-oauth2-provider-nar
- Description
- Provides OAuth 2.0 access tokens that can be used as Bearer authorization header in HTTP requests. This controller service is for implementing the OAuth 2.0 JWT Bearer Flow.
- Tags
- access token, authorization, jwt, oauth2, provider
- Input Requirement
- Supports Sensitive Dynamic Properties
- true
-
Additional Details for JWTBearerOAuth2AccessTokenProvider 2.4.0
JWT Bearer OAuth 2.0 Access Token Provider
Description
The JWTBearerOAuth2AccessTokenProvider provides an implementation of the OAuth2AccessTokenProvider in order to support the JWT Bearer Flow.
Configuration Details
Every service exposing APIs where the OAuth 2.0 JWT Bearer Flow is used for authentication may have some nuances in terms of configuration and requirements for the private key used to sign the JWT. For this reason, this controller service supports sensitive dynamic properties providing a way to specify custom JWT claims (using dynamic properties with a key prefixed by CLAIM.) as well as custom form parameters for the request against the access token API (using dynamic properties with a key prefixed by FORM.). Below are some configuration examples for some well known SaaS solutions, given as "Property name/key: Property value".
Google Identity
- Token Endpoint: https://oauth2.googleapis.com/token
- Signing Algorithm: RS256
- Issuer: The email address of the service account
- Subject (optional): The email address of the user for which the application is requesting delegated access
- Audience: https://oauth2.googleapis.com/token
- Scope: A space-delimited list of the permissions that the application requests
- JWT ID: not set
- Set JWT Header x5t: false
- Key ID: The key ID of the service account key
- Grant Type: urn:ietf:params:oauth:grant-type:jwt-bearer
- Assertion Parameter Name: assertion
Salesforce
- Token Endpoint: https://my-instance.develop.my.salesforce.com/services/oauth2/token
- Signing Algorithm: RS256
- Issuer: The issuer must contain the OAuth client_id (Consumer Key) of the connected app for which you registered the certificate
- Subject (optional): If you're implementing this flow for an Experience Cloud site, the subject must contain the user's username
- Audience: The audience identifies the authorization server as an intended audience. It can be https://login.salesforce.com or https://test.salesforce.com for sandboxes
- Scope: not set
- JWT ID: not set
- Set JWT Header x5t: false
- Key ID: not set
- Grant Type: urn:ietf:params:oauth:grant-type:jwt-bearer
- Assertion Parameter Name: assertion
Microsoft
- Token Endpoint: https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token
- Signing Algorithm: PS256
- Issuer: Use the GUID application ID
- Subject: Use the same value as issuer
- Audience: https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token
- Scope: not set
- JWT ID: ${UUID()}
- Set JWT Header x5t: true
- SSL Context Service: SSL Context Service to provide the public certificate in order to have its thumbprint in the JWT header
- Key ID: not set
- Grant Type: client_credentials
- Assertion Parameter Name: client_assertion
- FORM.client_id: The application ID that's assigned to your app
- FORM.tenant: The directory tenant the application plans to operate against, in GUID or domain-name format
- FORM.scope: The value passed for the scope parameter in this request should be the resource identifier (application ID URI) of the resource you want, suffixed with .default. All scopes included must be for a single resource. Including scopes for multiple resources will result in an error. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default
- FORM.client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
Box
- Token Endpoint: https://api.box.com/oauth2/token
- Signing Algorithm: RS256, RS384, or RS512
- Issuer: The Box Application's OAuth client ID
- Subject: The Box Enterprise ID if this app is to act on behalf of the Service Account of that application, or the User ID if this app wants to act on behalf of another user.
- Audience: https://api.box.com/oauth2/token
- Scope: not set
- JWT ID: ${UUID()}
- Set JWT Header x5t: false
- Key ID: The ID of the public key used to sign the JWT. Not required, though essential when multiple key pairs are defined for an application.
- Grant Type: urn:ietf:params:oauth:grant-type:jwt-bearer
- Assertion Parameter Name: assertion
- JWT Expiration Time: 1 minute (cannot be more than 60 seconds)
- CLAIM.box_sub_type: enterprise or user depending on the type of token being requested in the sub claim
- FORM.client_id: Client ID
- FORM.client_secret: Client Secret
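The assertion and token request that the configuration examples above describe, as an added example in Go that is not part of NiFi or of this page: it builds and signs the JWT (RS256 or PS256 only; the x5t header and the other allowed algorithms are left out), emitting the optional sub, scope and jti claims and the kid header only when they are set, then assembles the form body from the configured Grant Type, Assertion Parameter Name and any FORM.* parameters. The AssertionConfig type and the function names are this example's own, not NiFi API names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// AssertionConfig mirrors the service's JWT properties (field names are this example's own).
type AssertionConfig struct {
	Alg, Issuer, Subject, Audience, Scope, JTI, KeyID string
	Expiration                                      time.Duration
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion produces the signed JWT sent as the assertion parameter. Optional claims
// (sub, scope, jti) and the kid header are emitted only when set, like the "not set" rows above.
func BuildAssertion(cfg AssertionConfig, key *rsa.PrivateKey, now time.Time) (string, error) {
	header := map[string]any{"alg": cfg.Alg, "typ": "JWT"}
	if cfg.KeyID != "" {
		header["kid"] = cfg.KeyID
	}
	claims := map[string]any{"iss": cfg.Issuer, "aud": cfg.Audience,
		"iat": now.Unix(), "exp": now.Add(cfg.Expiration).Unix()}
	for k, v := range map[string]string{"sub": cfg.Subject, "scope": cfg.Scope, "jti": cfg.JTI} {
		if v != "" {
			claims[k] = v
		}
	}
	hj, _ := json.Marshal(header)
	cj, _ := json.Marshal(claims)
	input := b64url(hj) + "." + b64url(cj) // the JWS signing input
	digest := sha256.Sum256([]byte(input))
	var sig []byte
	var err error
	switch cfg.Alg {
	case "RS256": // PKCS#1 v1.5, as in the Google, Salesforce and Box examples
		sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	case "PS256": // RSASSA-PSS, the service default and the Microsoft example
		sig, err = rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	default:
		return "", fmt.Errorf("unsupported signing algorithm %q", cfg.Alg)
	}
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestBody builds the form body: grant_type, the assertion under the configured
// Assertion Parameter Name, and any FORM.* dynamic properties (e.g. client_id for Microsoft).
func TokenRequestBody(grantType, assertionParam, assertion string, form map[string]string) string {
	v := url.Values{"grant_type": {grantType}, assertionParam: {assertion}}
	for k, val := range form {
		v.Set(k, val)
	}
	return v.Encode()
}
```

Posting the body to the Token Endpoint URL through the Web Client Service is left out; the access token in the response is what the service caches and re-acquires within the Refresh Window.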
Properties
-
Assertion Parameter Name
Name of the parameter to use for the JWT assertion in the request to the token endpoint.
- Display Name
- Assertion Parameter Name
- Description
- Name of the parameter to use for the JWT assertion in the request to the token endpoint.
- API Name
- Assertion Parameter Name
- Default Value
- assertion
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- true
-
Audience
The audience claim (aud) for the JWT. Space-separated list of audiences if multiple are expected.
- Display Name
- Audience
- Description
- The audience claim (aud) for the JWT. Space-separated list of audiences if multiple are expected.
- API Name
- Audience
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- false
-
Grant Type
Value to set for the grant_type parameter in the request to the token endpoint.
- Display Name
- Grant Type
- Description
- Value to set for the grant_type parameter in the request to the token endpoint.
- API Name
- Grant Type
- Default Value
- urn:ietf:params:oauth:grant-type:jwt-bearer
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- true
-
Issuer
The issuer claim (iss) for the JWT.
- Display Name
- Issuer
- Description
- The issuer claim (iss) for the JWT.
- API Name
- Issuer
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- false
-
JWT Expiration Time
Expiration time used to set the corresponding claim of the JWT. In case the returned access token does not include an expiration time, this will be used with the refresh window to re-acquire a new access token.
- Display Name
- JWT Expiration Time
- Description
- Expiration time used to set the corresponding claim of the JWT. In case the returned access token does not include an expiration time, this will be used with the refresh window to re-acquire a new access token.
- API Name
- JWT Expiration Time
- Default Value
- 1 hour
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
-
JWT ID
The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value must be assigned in a manner that ensures that there's a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" value is a case-sensitive string. If set, it is recommended to set this value to ${UUID()}.
- Display Name
- JWT ID
- Description
- The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value must be assigned in a manner that ensures that there's a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" value is a case-sensitive string. If set, it is recommended to set this value to ${UUID()}.
- API Name
- JWT ID
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- false
-
Key ID
The ID of the public key used to sign the JWT. It'll be used as the kid header in the JWT.
- Display Name
- Key ID
- Description
- The ID of the public key used to sign the JWT. It'll be used as the kid header in the JWT.
- API Name
- Key ID
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- false
-
Private Key Service
The private key service to use for signing JWTs.
- Display Name
- Private Key Service
- Description
- The private key service to use for signing JWTs.
- API Name
- Private Key Service
- Service Interface
- org.apache.nifi.key.service.api.PrivateKeyService
- Service Implementations
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
-
Refresh Window
The service will attempt to refresh tokens expiring within the refresh window, subtracting the configured duration from the token expiration.
- Display Name
- Refresh Window
- Description
- The service will attempt to refresh tokens expiring within the refresh window, subtracting the configured duration from the token expiration.
- API Name
- Refresh Window
- Default Value
- 5 minutes
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
-
Scope
The scope claim (scope) for the JWT.
- Display Name
- Scope
- Description
- The scope claim (scope) for the JWT.
- API Name
- Scope
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- false
-
Set JWT Header X.509 Cert Thumbprint
If true, will set the JWT header x5t field with the base64url-encoded SHA-256 thumbprint of the X.509 certificate's DER encoding. If set to true, an instance of SSLContextProvider must be configured with a certificate using RSA algorithm.
- Display Name
- Set JWT Header X.509 Cert Thumbprint
- Description
- If true, will set the JWT header x5t field with the base64url-encoded SHA-256 thumbprint of the X.509 certificate's DER encoding. If set to true, an instance of SSLContextProvider must be configured with a certificate using RSA algorithm.
- API Name
- Set JWT Header X.509 Cert Thumbprint
- Default Value
- false
- Allowable Values
-
- true
- false
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
-
Signing Algorithm
The algorithm to use for signing the JWT.
- Display Name
- Signing Algorithm
- Description
- The algorithm to use for signing the JWT.
- API Name
- Signing Algorithm
- Default Value
- PS256
- Allowable Values
-
- RS256
- RS384
- RS512
- PS256
- PS384
- PS512
- ES256
- ES384
- ES512
- Ed25519
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
-
SSL Context Service
An instance of SSLContextProvider configured with a certificate that will be used to set the x5t header. Must be using RSA algorithm.
- Display Name
- SSL Context Service
- Description
- An instance of SSLContextProvider configured with a certificate that will be used to set the x5t header. Must be using RSA algorithm.
- API Name
- SSL Context Service
- Service Interface
- org.apache.nifi.ssl.SSLContextProvider
- Service Implementations
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
- Dependencies
-
- Set JWT Header X.509 Cert Thumbprint is set to any of [true]
-
Subject
The subject claim (sub) for the JWT.
- Display Name
- Subject
- Description
- The subject claim (sub) for the JWT.
- API Name
- Subject
- Expression Language Scope
- Environment variables defined at JVM level and system properties
- Sensitive
- false
- Required
- false
-
Token Endpoint URL
The URL of the OAuth2 token endpoint.
- Display Name
- Token Endpoint URL
- Description
- The URL of the OAuth2 token endpoint.
- API Name
- Token Endpoint URL
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
-
Web Client Service
The Web Client Service to use for calling the token endpoint.
- Display Name
- Web Client Service
- Description
- The Web Client Service to use for calling the token endpoint.
- API Name
- Web Client Service
- Service Interface
- org.apache.nifi.web.client.provider.api.WebClientServiceProvider
- Service Implementations
- Expression Language Scope
- Not Supported
- Sensitive
- false
- Required
- true
Dynamic Properties
-
CLAIM.JWT claim name
Custom claims that should be added to the JWT.
- Name
- CLAIM.JWT claim name
- Description
- Custom claims that should be added to the JWT.
- Value
- JWT claim value
- Expression Language Scope
- ENVIRONMENT
-
FORM.Request parameter name
Custom parameters that should be added to the body of the request against the token endpoint.
- Name
- FORM.Request parameter name
- Description
- Custom parameters that should be added to the body of the request against the token endpoint.
- Value
- Request parameter value
- Expression Language Scope
- ENVIRONMENT