Hello Ryan,

Can you check the value of the State parameter? You should see it in the
request and the response.

The state attribute is stored in the session, so if it is not getting properly
passed we might have an issue there (KNOX-1190 is tracking this); the
current implementation of SessionStore for Pac4J is a bit limited.

Can you try adding the following to your knoxsso.xml topology with the
current Knox build (1.1.0; you will have to build it from source, as this
will not work with the current 1.0.0 release):

                  <param>
                      <name>pac4j.session.store</name>
                      <value>J2ESessionStore</value>
                  </param>

I am hoping this should save the "state" variable in the in-memory session
store.

Let us know what you find!

Also, which OIDC provider are you trying to integrate with? Just curious to know
what all works with Knox.


On Sun, Mar 4, 2018 at 11:47 AM, Ryan H <ryan.howell.developm...@gmail.com>
wrote:

> Hi Knox Users,
>
> I am re-threading this error I am getting, as I mentioned it in a different
> thread that was about a different error (sorry to those active on the other
> email thread).
>
> I am running into an issue with KnoxSSO with the pac4j OIDC federation
> provider. When accessing the gateway, I am correctly redirected to my
> configured OpenID provider and, upon successful authentication, redirected
> back to Knox, but this results in an error. I am posting the relevant config
> files as well as the errors below. I have switched over to testBasicAuth just
> to confirm that I can connect to the NiFi app, which I can. I am not really
> sure where to go from here. I have sifted through the internet and the Knox
> documentation on this and haven't been able to find anything. I did find
> some info on this error with Play and pac4j and the way the session was
> being handled, and assumed that Knox would handle this (if not, it is not
> documented that I can find). Any help is appreciated!
>
> Cheers,
>
> Ryan
>
>
> *Error 1: *
> 2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>
> *Error 2:*
> 2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> 2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>     at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>     at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>     at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.eclipse.jetty.server.Server.handle(Server.java:499)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>     at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>     at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
>     at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
>     at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
>     at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
>     at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
>     at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
>     at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
>     at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>     at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>     ... 35 more
>
>
> *knoxsso.xml:*
>   <gateway>
>     <provider>
>         <role>webappsec</role>
>         <name>WebAppSec</name>
>         <enabled>true</enabled>
>         <param><name>xframe.options.enabled</name><value>true</value></param>
>     </provider>
>     <provider>
>         <role>federation</role>
>         <name>pac4j</name>
>         <enabled>true</enabled>
>         <param>
>           <name>pac4j.callbackUrl</name>
>           <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>         </param>
>         <param>
>           <name>clientName</name>
>           <value>OidcClient</value>
>         </param>
>         <param>
>           <name>oidc.id</name>
>           <value>my_client_id</value>
>         </param>
>         <param>
>           <name>oidc.secret</name>
>           <value>my_client_secret</value>
>         </param>
>         <param>
>           <name>oidc.discoveryUri</name>
>           <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
>         </param>
>         <param>
>           <name>oidc.preferredJwsAlgorithm</name>
>           <value>RS256</value>
>         </param>
>     </provider>
> </gateway>
>
> <application>
>   <name>knoxauth</name>
> </application>
>
> <service>
>     <role>KNOXSSO</role>
>     <param>
>         <name>knoxsso.cookie.secure.only</name>
>         <value>false</value>
>     </param>
>     <param>
>         <name>knoxsso.cookie.max.age</name>
>         <value>session</value>
>     </param>
>     <param>
>         <name>knoxsso.token.ttl</name>
>         <value>30000</value>
>     </param>
>     <param>
>        <name>knoxsso.redirect.whitelist.regex</name>
>        <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
> </service>
>
>
>
> *sandbox.xml:*
> <gateway>
>     <provider>
>         <role>federation</role>
>         <name>SSOCookieProvider</name>
>         <enabled>true</enabled>
>         <param>
>             <name>sso.authentication.provider.url</name>
>             <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>         </param>
>     </provider>
>
>     <provider>
>         <role>identity-assertion</role>
>         <name>Default</name>
>         <enabled>true</enabled>
>     </provider>
> </gateway>
>
> <service>
>     <role>NIFI</role>
>     <url>http://localhost:8080</url>
> </service>
> <application>
>     <role>admin-ui</role>
> </application>
> <service>
>     <role>KNOX</role>
> </service>
>
>

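The reply above asks for the state values in the request and the response to be compared, and points at the session store as the place where the stored copy can go missing. As an added illustration, not Knox or pac4j code, here is a minimal OIDC relying-party state check in Python run against two hypothetical session stores: one that persists the value across the redirect round trip and one that does not. It also models two further ways the same error message appears, which go beyond the specific case in the thread: a session cookie the browser does not send back on the callback, and a forged callback carrying an attacker-chosen state. The provider endpoint, client id, session ids and authorization code are constructed for the example; the callback URL is the pac4j.callbackUrl from the posted topology.

```python
# Added example, not Knox or pac4j code: a minimal OIDC relying-party "state"
# check run against two hypothetical session stores, to show why a store that
# cannot carry the state across the redirect round trip rejects the callback
# with the kind of error quoted in the thread. Endpoint, client id, session ids
# and authorization code below are constructed for the example.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://op.example.invalid/authorize"                # hypothetical OP
CALLBACK_URL = "https://localhost:8443/gateway/knoxsso/api/v1/websso"  # pac4j.callbackUrl from the topology
STATE_KEY = "oidc.state"


class StateMismatch(Exception):
    """Raised when the callback's state does not match the one saved for the session."""


class MemorySessionStore:
    """Keeps attributes per session id, so a value written before the redirect
    is readable when the browser comes back to the callback URL."""

    def __init__(self):
        self._data = {}

    def set(self, session_id, key, value):
        self._data.setdefault(session_id, {})[key] = value

    def get(self, session_id, key):
        return self._data.get(session_id, {}).get(key)


class NoOpSessionStore:
    """Accepts writes but never returns them: a stand-in for a store that does
    not persist anything across requests."""

    def set(self, session_id, key, value):
        pass

    def get(self, session_id, key):
        return None


def state_from_url(url):
    """Return the single 'state' query value of a URL, or None if absent or repeated."""
    values = parse_qs(urlparse(url).query).get("state", [])
    return values[0] if len(values) == 1 else None


def build_authorization_request(store, session_id, client_id):
    """Generate an unguessable state, bind it to the caller's session and put it
    in the redirect to the provider (the 'request' side of the check)."""
    state = secrets.token_urlsafe(32)
    store.set(session_id, STATE_KEY, state)
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": CALLBACK_URL, "scope": "openid", "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(query)}"


def handle_callback(store, session_id, callback_url):
    """Compare the returned state with the one bound to the session (the
    'response' side). A missing or differing value is rejected: it is either a
    lost session or a forged callback, and the client cannot tell which."""
    expected = store.get(session_id, STATE_KEY)
    returned = state_from_url(callback_url)
    if (expected is None or returned is None
            or not secrets.compare_digest(expected.encode(), returned.encode())):
        raise StateMismatch("State parameter is different from the one sent in "
                            "authentication request. Session expired or possible "
                            "threat of cross-site request forgery")
    return parse_qs(urlparse(callback_url).query)["code"][0]


def round_trip(store, cookie_returned=True, tamper=False):
    """Drive one login round trip; return the authorization code on success or
    the error message on failure. cookie_returned=False models a browser that
    does not present the session cookie on the callback; tamper=True models a
    forged callback carrying an attacker-chosen state."""
    session_id = "JSESSIONID-constructed-1"
    redirect = build_authorization_request(store, session_id, "my_client_id")
    state = "attacker-chosen" if tamper else state_from_url(redirect)
    callback = f"{CALLBACK_URL}?{urlencode({'code': 'constructed-code', 'state': state})}"
    callback_session = session_id if cookie_returned else "JSESSIONID-constructed-2"
    try:
        return handle_callback(store, callback_session, callback)
    except StateMismatch as exc:
        return str(exc)


if __name__ == "__main__":
    print("persistent store :", round_trip(MemorySessionStore()))
    print("non-persisting   :", round_trip(NoOpSessionStore())[:45], "...")
    print("cookie not sent  :", round_trip(MemorySessionStore(), cookie_returned=False)[:45], "...")
    print("forged callback  :", round_trip(MemorySessionStore(), tamper=True)[:45], "...")
```

Run stand-alone it prints one line per scenario; only the persistent store with the cookie presented yields the authorization code. The check the reply asks for is the same comparison done by hand: take `state` from the Location header of Knox's redirect to the provider, then take `state` from the query string of the provider's redirect back to `/gateway/knoxsso/api/v1/websso`. If the two values match and the error still appears, the stored copy was lost on the Knox side (session store or session cookie), not altered in transit.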