I have setup KNOX to connect with Azure AD using pac4j. (I will be putting up a blog on the complete setup soon)

However, after the authentication at Azure login page, it gets into an infinite loop and does not give back the original REST call response.

Details:

1. I try to access the original URL eg: https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS

2. It redirects to https://login.microsoftonline.com and asks for credentials.

3. After successful login at Azure login page, it redirects to http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session and state variables passed as below:

https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4k***********************LFFm7C...

2. Following this call, it again calls the login.microsoftonline.com like below:

https://login.microsoftonline.com/f82969ba-b***********c1d0557a/oauth2/authorize?response_type=code&...

Following this, step 1 and 2 alternate several times and finally lands up in "ERR_TOO_MANY_REDIRECTS"!!!

This is my knoxsso.xml:

<topology>
          <gateway>
              <provider>
                  <role>webappsec</role>
                  <name>WebAppSec</name>
                  <enabled>true</enabled>
                  <param><name>xframe.options.enabled</name><value>true</value></param>
              </provider>
              <provider>
                  <role>federation</role>
                  <name>pac4j</name>
                  <enabled>true</enabled>
                  <param>
                    <name>pac4j.callbackUrl</name>
                    <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
                  </param>
                  <param>
                    <name>clientName</name>
                    <value>OidcClient</value>
                  </param>
                  <param>
                    <name>oidc.id</name>
                    <value>385c2bc*****************2695eaa34</value>
                  </param>
                  <param>
                    <name>oidc.secret</name>
                    <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
                  </param>
                  <param>
                    <name>oidc.discoveryUri</name>
                    <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
                  </param>
              </provider>
              <provider>
                  <role>identity-assertion</role>
                  <name>Default</name>
                  <enabled>true</enabled>
              </provider>
          </gateway>
          <application>
            <name>knoxauth</name>
          </application>
          <service>
              <role>KNOXSSO</role>
              <param>
                  <name>knoxsso.cookie.secure.only</name>
                  <value>false</value>
              </param>
              <param>
                  <name>knoxsso.token.ttl</name>
                  <value>30000</value>
              </param>
              <param>
                 <name>knoxsso.redirect.whitelist.regex</name>
                 <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$/value>
              </param>
          </service>
      </topology>

I tried using response_type "id_token", enabling nonces, knoxsso.secure to true, preferredJwsAlgorithm as RS256 etc. Nothing helps.

gateway-audit.log when redirection error starts:

18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302

It clearly shows Response status as "302" and not "200". This leads to redirection!

What could I be missing here? Any pointers will be greatly appreciated.