Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

KNOX OpenID with Pac4j to Azure AD

Labels:
nisha_menon16
Explorer

Created ‎02-15-2018 12:53 PM

I have setup KNOX to connect with Azure AD using pac4j. (I will be putting up a blog on the complete setup soon)

However, after the authentication at Azure login page, it gets into an infinite loop and does not give back the original REST call response.

Details:

1. I try to access the original URL eg: https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS

2. It redirects to https://login.microsoftonline.com and asks for credentials.

3. After successful login at Azure login page, it redirects to http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session and state variables passed as below:

https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4k***********************LFFm7C...

2. Following this call, it again calls the login.microsoftonline.com like below:

https://login.microsoftonline.com/f82969ba-b***********c1d0557a/oauth2/authorize?response_type=code&...

Following this, step 1 and 2 alternate several times and finally lands up in "ERR_TOO_MANY_REDIRECTS"!!!

This is my knoxsso.xml: 

<topology>
          <gateway>
              <provider>
                  <role>webappsec</role>
                  <name>WebAppSec</name>
                  <enabled>true</enabled>
                  <param><name>xframe.options.enabled</name><value>true</value></param>
              </provider>
              <provider>
                  <role>federation</role>
                  <name>pac4j</name>
                  <enabled>true</enabled>
                  <param>
                    <name>pac4j.callbackUrl</name>
                    <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
                  </param>
                  <param>
                    <name>clientName</name>
                    <value>OidcClient</value>
                  </param>
                  <param>
                    <name>oidc.id</name>
                    <value>385c2bc*****************2695eaa34</value>
                  </param>
                  <param>
                    <name>oidc.secret</name>
                    <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
                  </param>
                  <param>
                    <name>oidc.discoveryUri</name>
                    <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
                  </param>
              </provider>
              <provider>
                  <role>identity-assertion</role>
                  <name>Default</name>
                  <enabled>true</enabled>
              </provider>
          </gateway>
          <application>
            <name>knoxauth</name>
          </application>
          <service>
              <role>KNOXSSO</role>
              <param>
                  <name>knoxsso.cookie.secure.only</name>
                  <value>false</value>
              </param>
              <param>
                  <name>knoxsso.token.ttl</name>
                  <value>30000</value>
              </param>
              <param>
                 <name>knoxsso.redirect.whitelist.regex</name>
                 <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$/value>
              </param>
          </service>
      </topology>

I tried using response_type "id_token", enabling nonces, knoxsso.secure to true, preferredJwsAlgorithm as RS256 etc. Nothing helps.

gateway-audit.log when redirection error starts:

18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302

It clearly shows Response status as "302" and not "200". This leads to redirection!

What could I be missing here? Any pointers will be greatly appreciated.

1,329 Views
0 Kudos
2 REPLIES 2

lmccay
Contributor

Created ‎05-31-2018 01:02 PM

While we still do not have a solution for this, the following discussion on the Apache Knox user@ list may be of interest:

http://mail-archives.apache.org/mod_mbox/knox-user/201802.mbox/%3cCAMvr1bgHTmeT2C0PyC_NUj_TZvBcGXBEq...

912 Views
0 Kudos

aokhotnikov
New Contributor

Created ‎11-28-2019 08:02 AM

Is there a way to update pac4j or Apache Knox in the existing installation? I'm using HDP 3.1.4 and it has Apache Knox 1.0.0 and pac4j 2.1.0.

805 Views
0 Kudos
Don't have an account?
Register
Announcements
Product Announcements
CDP Public Cloud Release Summary: April 2022
What's New @ Cloudera
Unifying Analytics in Cloudera Data Warehouse
What's New @ Cloudera
Cloudera Logging is now available in CDP Private Cloud Base 7.1.7 SP1
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector 2.6.27 for Impala Released
Product Announcements
[ANNOUNCE] Cloudera JDBC Driver 2.6.19 for Apache Hive Released
View More Announcements