[
https://issues.apache.org/jira/browse/KNOX-2565?focusedWorklogId=577654&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-577654
]
ASF GitHub Bot logged work on KNOX-2565:
----------------------------------------
Author: ASF GitHub Bot
Created on: 06/Apr/21 14:48
Start Date: 06/Apr/21 14:48
Worklog Time Spent: 10m
Work Description: cdmikechen opened a new pull request #428:
URL: https://github.com/apache/knox/pull/428
(It is very **important** that you created an Apache Knox JIRA for this
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
## What changes were proposed in this pull request?
Fix JIRA issue https://issues.apache.org/jira/browse/KNOX-2565
## How was this patch tested?
Have tested login with keycloak (10.0.2) oidc.
Issue Time Tracking
-------------------
Worklog Id: (was: 577654)
Remaining Estimate: 0h
Time Spent: 10m
> KNOX 1.5.0 can not login sso with oidc (pac4j 4.0.3)
> ----------------------------------------------------
>
> Key: KNOX-2565
> URL: https://issues.apache.org/jira/browse/KNOX-2565
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxSSO
> Affects Versions: 1.5.0
> Reporter: cdmikechen
> Priority: Blocker
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When I upgraded KNOX from 1.4.0 to 1.5.0, I found that I cannot log in to KNOX by
> oidc. This is the error log:
> {code}
> 2021-03-31 18:52:45,094 DEBUG
> org.apache.knox.gateway.pac4j.session.KnoxSessionStore
> (KnoxSessionStore.java:get(109)) - Get from session:
> OidcClient$attemptedAuthentication = null
> 2021-03-31 18:52:45,095 DEBUG
> org.apache.knox.gateway.pac4j.session.KnoxSessionStore
> (KnoxSessionStore.java:set(149)) - Save in session:
> OidcClient$stateSessionParameter = 2a265d500f
> 2021-03-31 18:52:45,321 DEBUG
> org.apache.knox.gateway.pac4j.session.KnoxSessionStore
> (KnoxSessionStore.java:set(149)) - Save in session:
> OidcClient$nonceSessionParameter = mKp7Ax_dBk1_RAFHqkF6kSrLkrzlCW_sbV2R6t50psg
> 2021-03-31 18:52:45,449 DEBUG
> org.apache.knox.gateway.pac4j.session.KnoxSessionStore
> (KnoxSessionStore.java:set(149)) - Save in session:
> OidcClient$codeVerifierSessionParameter =
> com.nimbusds.oauth2.sdk.pkce.CodeVerifier@8dcb5aae
> 2021-03-31 18:52:45,450 ERROR org.apache.knox.gateway
> (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter:
> java.lang.ClassCastException: class com.nimbusds.oauth2.sdk.pkce.CodeVerifier
> cannot be cast to class java.io.Serializable
> (com.nimbusds.oauth2.sdk.pkce.CodeVerifier is in unnamed module of loader
> java.net.URLClassLoader @70177ecd; java.io.Serializable is in module
> java.base of loader 'bootstrap')
> java.lang.ClassCastException: class com.nimbusds.oauth2.sdk.pkce.CodeVerifier
> cannot be cast to class java.io.Serializable
> (com.nimbusds.oauth2.sdk.pkce.CodeVerifier is in unnamed module of loader
> java.net.URLClassLoader @70177ecd; java.io.Serializable is in module
> java.base of loader 'bootstrap')
> at
> org.apache.knox.gateway.pac4j.session.KnoxSessionStore.compressEncryptBase64(KnoxSessionStore.java:118)
> at
> org.apache.knox.gateway.pac4j.session.KnoxSessionStore.set(KnoxSessionStore.java:151)
> at
> org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.addStateAndNonceParameters(OidcRedirectionActionBuilder.java:112)
> at
> org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.getRedirectionAction(OidcRedirectionActionBuilder.java:77)
> at
> org.pac4j.core.client.IndirectClient.getRedirectionAction(IndirectClient.java:110)
> at
> org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:224)
> at
> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:157)
> at
> org.pac4j.jee.filter.SecurityFilter.internalFilter(SecurityFilter.java:83)
> at
> org.pac4j.jee.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:70)
> at
> org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:267)
> at
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:363)
> at
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:262)
> at
> org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
> at
> org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
> at
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:363)
> at
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:262)
> at
> org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:166)
> at
> org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:93)
> at
> org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:135)
> at
> org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1443)
> at
> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
> at
> org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
> at
> org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:228)
> at
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
> at
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> at
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
> at
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
> at
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
> at
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at
> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at
> org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at
> org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at
> org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:106)
> at
> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> at org.eclipse.jetty.server.Server.handle(Server.java:516)
> at
> org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
> at
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
> at
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
> at
> org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
> at java.base/java.lang.Thread.run(Unknown Source)
> {code}
> I checked the KNOX 1.5 code and found that KNOX upgraded pac4j from 3.8.5 to 4.0.3. In
> pac4j 4.0.3, pac4j added a new param named *pkce*:
> https://github.com/pac4j/pac4j/blob/6e6e02947e7d42213130b8fc8116d767e2d944c9/pac4j-oidc/src/main/java/org/pac4j/oidc/config/OidcConfiguration.java#L91
> *pkce* is enabled by default, so it will store a *CodeVerifier* object in the
> session store, and it cannot be cast to Serializable.
> https://github.com/pac4j/pac4j/blob/c3df8a6dedc2a653f8691bd8efbbbcd8e684bed5/pac4j-oidc/src/main/java/org/pac4j/oidc/redirect/OidcRedirectionActionBuilder.java#L104
>
> The error is caused by
> https://github.com/apache/knox/blob/025a014e63509383ee2c8d0cf72338fcd2a1f44d/gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStore.java#L118
> I think we cannot log in by *oidc* successfully all the time; I hope this
> problem can be fixed as soon as possible.
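
Added example, not part of the original issue and not Knox or pac4j code: a minimal Java sketch of the failure in the stack trace above, where a session store casts every value to Serializable before encoding it, next to a guarded variant. `OpaqueVerifier`, `encodeUnchecked` and `encodeGuarded` are hypothetical names, and the compression and encryption steps suggested by the real method name are omitted.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

public class SessionValueDemo {
    // Constructed stand-in for a value holder that, like the CodeVerifier in the
    // log above, does not implement java.io.Serializable.
    static final class OpaqueVerifier {
        private final String value;
        OpaqueVerifier(String value) { this.value = value; }
    }

    // Unchecked cast: throws ClassCastException for any non-Serializable value.
    static String encodeUnchecked(Object value) throws IOException {
        return encode((Serializable) value);
    }

    // Guarded variant (an assumption, not the project's fix): store the known
    // holder as its String form and reject anything else that cannot be serialized.
    static String encodeGuarded(Object value) throws IOException {
        if (value instanceof OpaqueVerifier) {
            return encode(((OpaqueVerifier) value).value);
        }
        if (!(value instanceof Serializable)) {  // also rejects null
            throw new IllegalArgumentException("value is null or not Serializable");
        }
        return encode((Serializable) value);
    }

    private static String encode(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        Object verifier = new OpaqueVerifier("constructed-sample-verifier");
        try {
            encodeUnchecked(verifier);
        } catch (ClassCastException e) {
            System.out.println("unchecked cast failed: " + e.getMessage());
        }
        System.out.println("guarded: " + encodeGuarded(verifier));
    }
}
```

A store that keeps the String form has to rebuild the holder object when the value is read back from the session.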