Description
Part of #809.
Caution
Depends on #810.
Technically this could be implemented, but it is likely to be rejected upstream, since per-node issuers appear to have been chosen deliberately so that a token cannot be presented to the wrong server.
Current state
In NiFi 2, JWT tokens are issued for specific nodes, and the current recommendation is to use sticky sessions on the load balancer.
NIFI-7246:
> The uniqueness of JWT-generating keys to individual nodes (and thus the lack of transitivity of tokens between nodes) is by design. The solution is to enable sticky sessions in the load balancer.
This is rather unusual when dealing with a "cluster", where any healthy member should be able to service requests with the same answer as any other member, using the same authentication token.
JWT tokens are stateless by design: they contain everything needed to validate them, without sticky sessions or a server-side shared session store.
Example claims showing the issuer and audience set to a specific cluster member:
```json
{
  "aud": "https://simple-nifi-node-default-0.simple-nifi-node-default.default.svc.cluster.local:8443",
  "exp": 1747013821,
  "groups": [],
  "iat": 1746985021,
  "iss": "https://simple-nifi-node-default-0.simple-nifi-node-default.default.svc.cluster.local:8443",
  "jti": "ad20e97e-5f60-4404-87a5-bcd8b3093746",
  "nbf": 1746985021,
  "preferred_username": "admin",
  "sub": "admin"
}
```
Future state
- There should be a common issuer for the cluster so that a JWT token can be used on any cluster node.
- Any healthy cluster member should accept a valid JWT token in the same way any other cluster member would.
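The following is an added illustration of the current versus future state, not code from NiFi or this project: a toy HS256 verifier (NiFi itself uses per-node asymmetric keys, but the `iss`/`aud`/signature checks a node performs have the same shape) shows why a token minted by node 0 is rejected by node 1 when each node is its own issuer, and accepted by both once the claims name a single cluster-wide issuer. The node URLs follow the claims above; the cluster issuer URL, the secrets and the timestamp are constructed sample values.

```python
import base64, hashlib, hmac, json

# Constructed sample values (not from a real deployment); the node URLs follow the claims above.
NODE0 = "https://simple-nifi-node-default-0.simple-nifi-node-default.default.svc.cluster.local:8443"
NODE1 = "https://simple-nifi-node-default-1.simple-nifi-node-default.default.svc.cluster.local:8443"
CLUSTER_ISS = "https://simple-nifi.default.svc.cluster.local:8443"  # hypothetical common issuer
NOW = 1746990000  # inside the nbf/exp window of the sample claims

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # Toy HS256 token; NiFi uses per-node asymmetric keys, but the check a node performs has the same shape.
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, iss: str, aud: str, now: int) -> "dict | None":
    # Accept only a token signed with a key this node holds and addressed to this node's iss/aud.
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None  # signed with a key this node does not hold
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != iss or claims.get("aud") != aud:
        return None  # issued for a different node
    if not claims["nbf"] <= now < claims["exp"]:
        return None  # outside the validity window
    return claims

def make_claims(issuer: str) -> dict:
    return {"aud": issuer, "iss": issuer, "sub": "admin", "iat": 1746985021, "nbf": 1746985021, "exp": 1747013821}

def per_node_issuer() -> tuple:  # current state: every node signs with its own key and names itself
    k0, k1 = b"node0-secret", b"node1-secret"
    tok = sign_jwt(make_claims(NODE0), k0)  # login handled by node 0
    on0 = verify_jwt(tok, k0, NODE0, NODE0, NOW) is not None
    on1 = verify_jwt(tok, k1, NODE1, NODE1, NOW) is not None  # load balancer routed the next request to node 1
    return on0, on1  # (True, False): without sticky sessions the user is effectively logged out

def common_issuer() -> tuple:  # future state: one cluster-wide issuer and a key every member can verify with
    shared = b"cluster-shared-secret"
    tok = sign_jwt(make_claims(CLUSTER_ISS), shared)
    on0 = verify_jwt(tok, shared, CLUSTER_ISS, CLUSTER_ISS, NOW) is not None  # node 0
    on1 = verify_jwt(tok, shared, CLUSTER_ISS, CLUSTER_ISS, NOW) is not None  # node 1
    return on0, on1  # (True, True)
```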
Unknowns
- How is the issuer currently generated? Does it persist across restarts?