Created 02-15-2018 12:53 PM
I have setup KNOX to connect with Azure AD using pac4j. (I will be putting up a blog on the complete setup soon)
However, after the authentication at Azure login page, it gets into an infinite loop and does not give back the original REST call response.
Details:
1. I try to access the original URL eg: https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS
2. It redirects to https://login.microsoftonline.com and asks for credentials.
3. After successful login at Azure login page, it redirects to http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session and state variables passed as below:
4. Following this call, it again calls login.microsoftonline.com like below:
Following this, steps 1 and 2 alternate several times and it finally ends up in "ERR_TOO_MANY_REDIRECTS"!!!
This is my knoxsso.xml:
<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param><name>xframe.options.enabled</name><value>true</value></param>
    </provider>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>OidcClient</value>
      </param>
      <param>
        <name>oidc.id</name>
        <value>385c2bc*****************2695eaa34</value>
      </param>
      <param>
        <name>oidc.secret</name>
        <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
      </param>
      <param>
        <name>oidc.discoveryUri</name>
        <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <application>
    <name>knoxauth</name>
  </application>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>false</value>
    </param>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>30000</value>
    </param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
    </param>
  </service>
</topology>
I tried using response_type "id_token", enabling nonces, knoxsso.secure to true, preferredJwsAlgorithm as RS256 etc. Nothing helps.
gateway-audit.log when redirection error starts:
18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302
It clearly shows Response status as "302" and not "200". This leads to redirection!
What could I be missing here? Any pointers will be greatly appreciated.
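Added example (not Apache Knox or pac4j code, and not part of the original post): a small Python script that does the two checks a reviewer would run first on the setup described above. It flattens the posted knoxsso.xml into its param values and lints the SSO-relevant ones (callback scheme, the `knoxsso.cookie.secure.only` flag, and whether the original URL and the callback actually match `knoxsso.redirect.whitelist.regex`), then scans gateway-audit.log lines in the pipe-delimited format shown above and flags any path that keeps answering 302, which is what a redirect loop looks like in the audit log. The topology is the one from the post (secrets left masked, the one closing `</value>` tag restored); the audit lines are constructed to mimic the posted one and are not real captures. The threshold, the finding texts and the `hadoop-jwt` cookie name in the finding are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Topology from the post above (secrets masked as posted); raw string so the
# backslashes in the whitelist regex survive untouched.
TOPOLOGY = r"""<topology>
  <gateway>
    <provider>
      <role>federation</role><name>pac4j</name><enabled>true</enabled>
      <param><name>pac4j.callbackUrl</name><value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value></param>
      <param><name>clientName</name><value>OidcClient</value></param>
      <param><name>oidc.discoveryUri</name><value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.token.ttl</name><value>30000</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name><value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
  </service>
</topology>"""

# The protected URL from step 1 of the post.
ORIGINAL_URL = "https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS"

# Constructed audit lines in the same pipe-delimited layout as the posted one
# (request id in field 3, URI in the field starting with "/", status at the end).
AUDIT_LINES = [
    "18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=c1&state=s1&session_state=ss|success|Response status: 302",
    "18/02/15 12:38:04 ||1b2c3d4e-0000-4000-8000-000000000001|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=c2&state=s2&session_state=ss|success|Response status: 302",
    "18/02/15 12:38:06 ||1b2c3d4e-0000-4000-8000-000000000002|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=c3&state=s3&session_state=ss|success|Response status: 302",
    "18/02/15 12:38:07 ||1b2c3d4e-0000-4000-8000-000000000003|audit|mycluster||||access|uri|/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 200",
]

STATUS_RE = re.compile(r"Response status: (\d+)")


def topology_params(xml_text):
    """Flatten every <param><name>/<value> pair anywhere in the topology into a dict."""
    root = ET.fromstring(xml_text)
    params = {}
    for param in root.iter("param"):
        name = param.findtext("name")
        if name is not None:
            params[name.strip()] = (param.findtext("value") or "").strip()
    return params


def lint_knoxsso(xml_text, original_url):
    """Return a list of findings about the SSO flow for one protected URL (assumed checks)."""
    p = topology_params(xml_text)
    findings = []
    callback = p.get("pac4j.callbackUrl", "")
    if urlsplit(callback).scheme != "https":
        findings.append("pac4j.callbackUrl is not https; the authorization code would travel in clear text")
    if p.get("knoxsso.cookie.secure.only", "").lower() != "true":
        findings.append("knoxsso.cookie.secure.only is not true; the hadoop-jwt cookie lacks the Secure flag and may be sent over plain http")
    regex = p.get("knoxsso.redirect.whitelist.regex")
    if not regex:
        findings.append("knoxsso.redirect.whitelist.regex is unset")
    else:
        pattern = re.compile(regex)
        for label, url in (("originalUrl", original_url), ("callback", callback)):
            if not pattern.match(url):
                findings.append(f"{label} {url} does not match knoxsso.redirect.whitelist.regex")
    return findings


def parse_audit_line(line):
    """Pull (request_id, path without query string, HTTP status) out of one audit line."""
    fields = line.rstrip("\n").split("|")
    request_id = fields[2] if len(fields) > 2 else ""
    path = next((f.split("?", 1)[0] for f in fields if f.startswith("/")), "")
    m = STATUS_RE.search(line)
    return request_id, path, (int(m.group(1)) if m else None)


def redirect_loops(lines, threshold=3):
    """Count 302 responses per path; return the paths redirected at least `threshold` times."""
    hits = Counter()
    for line in lines:
        _, path, status = parse_audit_line(line)
        if status == 302 and path:
            hits[path] += 1
    return {path: n for path, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for finding in lint_knoxsso(TOPOLOGY, ORIGINAL_URL):
        print("finding:", finding)
    print("paths looping on 302:", redirect_loops(AUDIT_LINES))
```

Run against the posted topology, the whitelist check passes for both the original URL and the callback, so the whitelist is not what bounces the browser; the only finding is the non-Secure cookie. The loop detector is deliberately per path rather than per request id, because each leg of the loop gets a fresh request id, as the posted audit line shows.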
Created 05-31-2018 01:02 PM
While we still do not have a solution for this, the following discussion on the Apache Knox user@ list may be of interest:
Created 11-28-2019 08:02 AM
Is there a way to update pac4j or Apache Knox in the existing installation? I'm using HDP 3.1.4 and it has Apache Knox 1.0.0 and pac4j 2.1.0.