[ https://issues.apache.org/jira/browse/KNOX-2565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17326162#comment-17326162 ]
cdmikechen commented on KNOX-2565:
----------------------------------
[~lmccay] But in version 1.5.0, this is a function that can't be used. Should
we make a repair version (like 1.5.1) to solve the problem that 1.5.0 can't be
used?
In addition to this problem, there are several other problems that will lead to
the failure of some functions. I think we should build a repair version to
ensure that version 1.5 is available.
> KNOX 1.5.0 can not login sso with oidc (pac4j 4.0.3)
> ----------------------------------------------------
>
> Key: KNOX-2565
> URL: https://issues.apache.org/jira/browse/KNOX-2565
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxSSO
> Affects Versions: 1.5.0
> Reporter: cdmikechen
> Assignee: cdmikechen
> Priority: Blocker
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When I upgraded KNOX from 1.4.0 to 1.5.0, I found that I cannot log in to KNOX
> by oidc. This is the error log:
> {code}
> 2021-03-31 18:52:45,094 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:get(109)) - Get from session: OidcClient$attemptedAuthentication = null
> 2021-03-31 18:52:45,095 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:set(149)) - Save in session: OidcClient$stateSessionParameter = 2a265d500f
> 2021-03-31 18:52:45,321 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:set(149)) - Save in session: OidcClient$nonceSessionParameter = mKp7Ax_dBk1_RAFHqkF6kSrLkrzlCW_sbV2R6t50psg
> 2021-03-31 18:52:45,449 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:set(149)) - Save in session: OidcClient$codeVerifierSessionParameter = com.nimbusds.oauth2.sdk.pkce.CodeVerifier@8dcb5aae
> 2021-03-31 18:52:45,450 ERROR org.apache.knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.lang.ClassCastException: class com.nimbusds.oauth2.sdk.pkce.CodeVerifier cannot be cast to class java.io.Serializable (com.nimbusds.oauth2.sdk.pkce.CodeVerifier is in unnamed module of loader java.net.URLClassLoader @70177ecd; java.io.Serializable is in module java.base of loader 'bootstrap')
> java.lang.ClassCastException: class com.nimbusds.oauth2.sdk.pkce.CodeVerifier cannot be cast to class java.io.Serializable (com.nimbusds.oauth2.sdk.pkce.CodeVerifier is in unnamed module of loader java.net.URLClassLoader @70177ecd; java.io.Serializable is in module java.base of loader 'bootstrap')
>     at org.apache.knox.gateway.pac4j.session.KnoxSessionStore.compressEncryptBase64(KnoxSessionStore.java:118)
>     at org.apache.knox.gateway.pac4j.session.KnoxSessionStore.set(KnoxSessionStore.java:151)
>     at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.addStateAndNonceParameters(OidcRedirectionActionBuilder.java:112)
>     at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.getRedirectionAction(OidcRedirectionActionBuilder.java:77)
>     at org.pac4j.core.client.IndirectClient.getRedirectionAction(IndirectClient.java:110)
>     at org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:224)
>     at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:157)
>     at org.pac4j.jee.filter.SecurityFilter.internalFilter(SecurityFilter.java:83)
>     at org.pac4j.jee.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:70)
>     at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:267)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:363)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:262)
>     at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:363)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:262)
>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:166)
>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:93)
>     at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:135)
>     at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1443)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
>     at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
>     at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:228)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:106)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
>     at java.base/java.lang.Thread.run(Unknown Source)
> {code}
> I checked the KNOX 1.5 code and found that KNOX upgraded pac4j from 3.8.5 to
> 4.0.3. In pac4j 4.0.3, pac4j added a new param named *pkce*
> https://github.com/pac4j/pac4j/blob/6e6e02947e7d42213130b8fc8116d767e2d944c9/pac4j-oidc/src/main/java/org/pac4j/oidc/config/OidcConfiguration.java#L91
> *pkce* is enabled by default, so it will store a *CodeVerifier* object in the
> session store, and it cannot be cast to Serializable.
> https://github.com/pac4j/pac4j/blob/c3df8a6dedc2a653f8691bd8efbbbcd8e684bed5/pac4j-oidc/src/main/java/org/pac4j/oidc/redirect/OidcRedirectionActionBuilder.java#L104
>
> The error is caused by
> https://github.com/apache/knox/blob/025a014e63509383ee2c8d0cf72338fcd2a1f44d/gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStore.java#L118
> I think we cannot log in by *oidc* successfully all the time; I hope this
> problem can be fixed as soon as possible.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
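
The failure reported in the quoted issue, reduced to a stand-alone added example (not code from Knox, pac4j or the reporter). `FakeCodeVerifier`, `unsafeEncode` and `safeEncode` are hypothetical names; the stand-in class models a value object that holds a secret string and does not implement `Serializable`, and the compression and encryption steps implied by `compressEncryptBase64` are left out.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

public class SessionValueDemo {
    // Constructed stand-in for the PKCE CodeVerifier: not Serializable.
    static final class FakeCodeVerifier {
        private final String value;
        FakeCodeVerifier(String value) { this.value = value; }
        String getValue() { return value; }
    }

    // Failing pattern: an unchecked cast before Java serialization.
    static String unsafeEncode(Object value) throws IOException {
        return serialize((Serializable) value); // ClassCastException here
    }

    // Defensive variant: map known non-serializable types to a serializable
    // form, and reject anything else with an error that names the attribute.
    static String safeEncode(String key, Object value) throws IOException {
        if (value instanceof FakeCodeVerifier) {
            return serialize(((FakeCodeVerifier) value).getValue());
        }
        if (value instanceof Serializable) {
            return serialize((Serializable) value);
        }
        throw new IllegalArgumentException("Session attribute " + key
                + " of type " + value.getClass().getName() + " is not serializable");
    }

    static String serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(s);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        Object verifier = new FakeCodeVerifier("constructed-sample-verifier");
        try { unsafeEncode(verifier); }
        catch (ClassCastException e) { System.out.println("unsafe: " + e.getMessage()); }
        System.out.println("safe: " + safeEncode("codeVerifier", verifier));
    }
}
```

A store that writes the verifier as a string has to rebuild the verifier object on the read path, and because the value is a secret it needs the same confidentiality protection as the other session attributes.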