
KNOX OpenID with Pac4j to Azure AD

I have set up KNOX to connect with Azure AD using pac4j. (I will be putting up a blog on the complete setup soon.)

However, after the authentication at Azure login page, it gets into an infinite loop and does not give back the original REST call response.

Details:

1. I try to access the original URL eg: https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS

2. It redirects to https://login.microsoftonline.com and asks for credentials.

3. After successful login at Azure login page, it redirects to http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session and state variables passed as below:

https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4k***********************LFFm7C...

4. Following this call, it again calls login.microsoftonline.com like below:

https://login.microsoftonline.com/f82969ba-b***********c1d0557a/oauth2/authorize?response_type=code&...

Following this, steps 1 and 2 alternate several times and it finally ends in "ERR_TOO_MANY_REDIRECTS"!!!

This is my knoxsso.xml:

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
        </provider>
        <provider>
            <role>federation</role>
            <name>pac4j</name>
            <enabled>true</enabled>
            <param>
                <name>pac4j.callbackUrl</name>
                <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
            </param>
            <param>
                <name>clientName</name>
                <value>OidcClient</value>
            </param>
            <param>
                <name>oidc.id</name>
                <value>385c2bc*****************2695eaa34</value>
            </param>
            <param>
                <name>oidc.secret</name>
                <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
            </param>
            <param>
                <name>oidc.discoveryUri</name>
                <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>false</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
        </param>
        <param>
            <!-- closing tag was missing its '<' in the original post -->
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>
</topology>

I tried using response_type "id_token", enabling nonces, setting knoxsso.secure to true, preferredJwsAlgorithm as RS256, etc. Nothing helps.

gateway-audit.log when redirection error starts:

18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302

It clearly shows Response status as "302" and not "200". This leads to redirection!

What could I be missing here? Any pointers will be greatly appreciated.
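The loop described in the post shows up in gateway-audit.log as a run of 302 responses on the websso callback that is never followed by a non-redirect response on the original URL. The script below is an added example for this thread, not code from Apache Knox, pac4j or the poster: it parses lines in the pipe-separated layout shown above, flags such a run, and checks the original URL against the knoxsso.redirect.whitelist.regex value from the posted knoxsso.xml (with its broken closing tag repaired). The log lines are constructed to mimic the post's format; the request ids, codes and timings are made up.

```python
"""Spot a KnoxSSO/pac4j redirect loop in gateway-audit.log and sanity-check the
whitelist regex from knoxsso.xml. Added example for this thread; the audit lines
below are constructed in the layout shown in the post, not real log data."""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Values copied from the knoxsso.xml in the post.
CALLBACK_URL = "https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso"
WHITELIST_REGEX = r"^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"


def _audit(ts: str, rid: str, svc: str, uri: str, status: int) -> str:
    # Constructed line in the post's layout:
    # timestamp ||request-id|audit|service||||action|resource-type|resource|outcome|message
    return f"18/02/15 {ts} ||{rid}|audit|{svc}||||access|uri|{uri}|success|Response status: {status}"


WEBSSO = "/gateway/knoxsso/api/v1/websso"
ORIGINAL = "https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS"

# Constructed: callback with code, then bounce back out, over and over (the loop).
LOOPING_LINES = [
    _audit("12:38:02", "7a66725e-0001", "KNOXSSO", f"{WEBSSO}?code=AAA&state=S1", 302),
    _audit("12:38:03", "7a66725e-0002", "KNOXSSO", f"{WEBSSO}?originalUrl=https%3A%2F%2Fx.x.2.3%3A8442%2F", 302),
    _audit("12:38:04", "7a66725e-0003", "KNOXSSO", f"{WEBSSO}?code=BBB&state=S2", 302),
    _audit("12:38:05", "7a66725e-0004", "KNOXSSO", f"{WEBSSO}?originalUrl=https%3A%2F%2Fx.x.2.3%3A8442%2F", 302),
    _audit("12:38:06", "7a66725e-0005", "KNOXSSO", f"{WEBSSO}?code=CCC&state=S3", 302),
]
# Constructed: one callback redirect, then the original REST call succeeds (healthy).
HEALTHY_LINES = [
    _audit("12:40:01", "7a66725e-0101", "KNOXSSO", f"{WEBSSO}?code=DDD&state=S9", 302),
    _audit("12:40:02", "7a66725e-0102", "WEBHDFS", "/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS", 200),
]


def parse_audit_line(line: str) -> Optional[dict]:
    """Split one gateway-audit.log line into the fields we need; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 13:
        return None
    m = re.search(r"Response status: (\d{3})", parts[12])
    return {
        "timestamp": parts[0].strip(),
        "request_id": parts[2],
        "service": parts[4],
        "path": parts[10].split("?", 1)[0],   # drop the query string (code/state)
        "status": int(m.group(1)) if m else None,
    }


def longest_callback_redirect_run(records: List[Optional[dict]],
                                  callback_path: str = urlparse(CALLBACK_URL).path) -> int:
    """Longest run of consecutive 302s on the websso callback path.
    A healthy login shows a run of 1 (callback sets the cookie and redirects once);
    a loop shows the callback redirecting again and again."""
    run = longest = 0
    for r in records:
        if r and r["path"] == callback_path and r["status"] == 302:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def original_url_allowed(url: str, whitelist_regex: str = WHITELIST_REGEX) -> bool:
    """Does the original URL pass knoxsso.redirect.whitelist.regex? If not, KnoxSSO
    will not redirect back to it, which is one thing worth ruling out."""
    return re.match(whitelist_regex, url) is not None


def diagnose(lines: List[str], threshold: int = 3) -> List[str]:
    """Return human-readable findings for a slice of gateway-audit.log."""
    records = [parse_audit_line(ln) for ln in lines]
    findings = []
    run = longest_callback_redirect_run(records)
    if run >= threshold:
        findings.append(f"{run} consecutive 302s on {urlparse(CALLBACK_URL).path} "
                        "with no non-redirect response in between: redirect loop")
    return findings


if __name__ == "__main__":
    for label, lines in (("looping", LOOPING_LINES), ("healthy", HEALTHY_LINES)):
        print(label, diagnose(lines) or ["no loop detected"])
    print("original URL whitelisted:", original_url_allowed(ORIGINAL))
```

Run it against a real gateway-audit.log by reading the file into `diagnose()`; the threshold is deliberately low because even three back-to-back callback redirects for one browser means the hadoop-jwt cookie is not being honoured on the next request.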


Re: KNOX OpenID with Pac4j to Azure AD

Contributor

While we still do not have a solution for this, the following discussion on the Apache Knox user@ list may be of interest:

http://mail-archives.apache.org/mod_mbox/knox-user/201802.mbox/%3cCAMvr1bgHTmeT2C0PyC_NUj_TZvBcGXBEq...


Re: KNOX OpenID with Pac4j to Azure AD

New Contributor

Is there a way to update pac4j or Apache Knox in the existing installation? I'm using HDP 3.1.4 and it has Apache Knox 1.0.0 and pac4j 2.1.0.
