[
https://issues.apache.org/jira/browse/KNOX-2794?focusedWorklogId=802787&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-802787
]
ASF GitHub Bot logged work on KNOX-2794:
----------------------------------------
Author: ASF GitHub Bot
Created on: 23/Aug/22 09:59
Start Date: 23/Aug/22 09:59
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #623:
URL: https://github.com/apache/knox/pull/623
## What changes were proposed in this pull request?
As described in
[KNOX-2794](https://issues.apache.org/jira/browse/KNOX-2794), the JWT
federation filter is enhanced to support authentication using
## How was this patch tested?
Updated existing JUnit test classes and have new test cases to cover the new
functionality.
In addition to unit testing a comprehensive manual test steps were executed
as follows:
1. Deployed a new topology called `tokenexchange`:
```
<?xml version="1.0" encoding="UTF-8"?>
<topology>
<name>tokenexchanged</name>
<gateway>
<provider>
<role>federation</role>
<name>JWTProvider</name>
<enabled>true</enabled>
<param>
<name>knox.token.use.cookie</name>
<value>true</value>
</param>
<!--
<param>
<name>knox.token.cookie.name</name>
<value>customCookieName</value>
</param>
-->
<param>
<name>knox.token.exp.server-managed</name>
<value>true</value>
</param>
</provider>
</gateway>
<service>
<role>KNOXTOKEN</role>
<param>
<name>knox.token.ttl</name>
<value>36000000</value>
</param>
</service>
</topology>
```
Started Knox and ran the following `curl` commands. Please note that at one
point I included the `knox.token.cookie.name` configuration too (see below
cases):
**1. Valid hadoop-jwt cookie**
```
curl -iku : --cookie
"hadoop-jwt=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9g"
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:28:45 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MjkyNSwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6ImVhZjRlMWY4LWIwNTktNDkxYS05Mjg0LWNhYTEyZDVlMzdjNyJ9.fnn3LHZ_JQWPe8wqi-4Jn_IAg3N9NNhNYLH0DBU3yVmJo1X60U3ab6q-5hAKUwHAzSnQNoGEdTOevKlqfJJqyIf928nISqz_zoO9rZD4os91OfIZpaS0EiovNf8W1FzIEWV-zUO2kVtBJ6ALV_vtrL4c_RrEWnd1zwUWosn2qYIe5_6kw_QAjuqmKRYnOoxCwf4BVJUBn92dlqi16syzCWOEKYI8LF14MjfLYnLXnUqO6urt5VRYR28n5JYEhkQuZYsdT30bLWp3rf9MtFNu9X11tnAoAt15L6KE3kbknO35SM2t9bEbMfWUVzAW_5X7pYoNTQiwXIROyHuuyfZ26w","token_id":"eaf4e1f8-b059-491a-9284-caa12d5e37c7","managed":"false","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIOD6cdHBctFAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTIyMDgyMzA5MjYwOFoXDTIzMDgyMzA5MjYwOFowXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjVGicpMnDjNlOgpmi8UM9eNlwiiECSLWbYXl7qEfZPknNb2KznOFJOopbiifqStw6AvEWCujCE4+0EBQlK+x7Q9/9v3/uUvrfTcNASw7OybAnGQXSJtCMJEAaxN8YHu9SxVh2XgdmpX+ZOpue4Ow6F2e+MW0uDD+gLFv/uBuoe96FBvtc7KGfH0OnXoNgKHK2bJfhpeV9W1E0SViVdmH0WcGUghfiA29aiKRCsV68MVU3qqBc6IoNe9lpTgqojHxLNR+AIcPugWQRB7Z2/Ep3cbCLQQkUlkqWKaONtDdwixjYM4HIo9Kih8+QkQd7TQ/GhZODfaN6V8zzK+dDNejswIDAQABozgwNjA0BgNVHREELTArghNzbW9sbmFyLU1CUDE2LmxvY2Fsgglsb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAebpUaoqmPv+TFA6LUf/6zfNemn0g0gIAqw0IJUokCEcKD8Hc281cwEfuIGn3mqbtaov1MRZm2Xf57dbCdq63Og2DxU/0U9E2nHGY7q7AvsFCg9rAFNjqjViH0i1Qbl3VAUZdAtOKT6ywh5cSi2oWRxg2RxGnauTm21rk4Q9+bzUdpRKngDAA5Hjs24Msh9TaZmVCJyPh1DX6fAhgj3QOQhyNNEdH+X42PEG4TOYIsQK7MtVl6UfZzK5hd3NPymXiS+FhCrKbcWBT3vx4L6kpzkrcupF1BTEe4g5nX0nNK3SgXhQ7j2r7QSNQpqlzPYW49uKti8hlE718k4+bAEqgkQ==","token_type":"Bearer","expires_in":1661282925099}
```
**2. Invalid hadoop-jwt cookie (removed a character at the end of the
supplied cookie)**
```
curl -iku : --cookie
"hadoop-jwt=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9"
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 497
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 There is no valid cookie found</title>
</head>
<body><h2>HTTP ERROR 401 There is no valid cookie found</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>There is no valid cookie found</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
```
**3. Invalid cookie name (custom cookie name is not included this time)**
```
curl -iku : --cookie
"customCookieName=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9g"
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 443
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
```
**4. Using custom cookie name (included knox.token.cookie.name is set to
'customCookieName')**
```
curl -iku : --cookie
"customCookieName=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9g"
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:33:44 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MzIyNCwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6IjA4N2VmZGNjLTVhOWMtNDJjZC1hMDY1LWMwZGM1MmQ4MGQ4MSJ9.IkUPTxbjwnJpnt2Vo7t7ZfhiyX_5Edag5vtVnYrHPiuqcTgoIkLVp-eQI9IB-tS3Zh9FFpfH-qZ_0wupiWW7f-7m2zZApidF4KyFI_--W4gvGXJnFeLeDtR7YNSHtQEbJmqJFPJn1TD6YRmK_Z7hCT1LJm84x8QYwo1FsaXkk3XVgNlo6SpPiyvZjlYHQAHMaeFPHyAuWedinZjCMHr8dYp5Ck-wWPmmsPyIHC9jMKhVyLRiaYRVYg8Tl4LCXzCSFucWVHoR7ydtjrypV3-5HIdn7VU0HUEpE5UKiozhQx0IG6KYiYECq-xJ6F45oJlhx03SrZBlRI-zLO76UiMlNQ","token_id":"087efdcc-5a9c-42cd-a065-c0dc52d80d81","managed":"false","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIOD6cdHBctFAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTIyMDgyMzA5MjYwOFoXDTIzMDgyMzA5MjYwOFowXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjVGicpMnDjNlOgpmi8UM9eNlwiiECSLWbYXl7qEfZPknNb2KznOFJOopbiifqStw6AvEWCujCE4+0EBQlK+x7Q9/9v3/uUvrfTcNASw7OybAnGQXSJtCMJEAaxN8YHu9SxVh2XgdmpX+ZOpue4Ow6F2e+MW0uDD+gLFv/uBuoe96FBvtc7KGfH0OnXoNgKHK2bJfhpeV9W1E0SViVdmH0WcGUghfiA29aiKRCsV68MVU3qqBc6IoNe9lpTgqojHxLNR+AIcPugWQRB7Z2/Ep3cbCLQQkUlkqWKaONtDdwixjYM4HIo9Kih8+QkQd7TQ/GhZODfaN6V8zzK+dDNejswIDAQABozgwNjA0BgNVHREELTArghNzbW9sbmFyLU1CUDE2LmxvY2Fsgglsb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAebpUaoqmPv+TFA6LUf/6zfNemn0g0gIAqw0IJUokCEcKD8Hc281cwEfuIGn3mqbtaov1MRZm2Xf57dbCdq63Og2DxU/0U9E2nHGY7q7AvsFCg9rAFNjqjViH0i1Qbl3VAUZdAtOKT6ywh5cSi2oWRxg2RxGnauTm21rk4Q9+bzUdpRKngDAA5Hjs24Msh9TaZmVCJyPh1DX6fAhgj3QOQhyNNEdH+X42PEG4TOYIsQK7MtVl6UfZzK5hd3NPymXiS+FhCrKbcWBT3vx4L6kpzkrcupF1BTEe4g5nX0nNK3SgXhQ7j2r7QSNQpqlzPYW49uKti8hlE718k4+bAEqgkQ==","token_type":"Bearer","expires_in":1661283224552
```
**5. No cookie passed (expecting a JWT/Passcode token just like before my
changes)**
```
curl -iku : -X GET
https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 443
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
```
**6. Passing the JWT token without cookies**
```
curl -iku
Token:eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MzIyNCwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6IjA4N2VmZGNjLTVhOWMtNDJjZC1hMDY1LWMwZGM1MmQ4MGQ4MSJ9.IkUPTxbjwnJpnt2Vo7t7ZfhiyX_5Edag5vtVnYrHPiuqcTgoIkLVp-eQI9IB-tS3Zh9FFpfH-qZ_0wupiWW7f-7m2zZApidF4KyFI_--W4gvGXJnFeLeDtR7YNSHtQEbJmqJFPJn1TD6YRmK_Z7hCT1LJm84x8QYwo1FsaXkk3XVgNlo6SpPiyvZjlYHQAHMaeFPHyAuWedinZjCMHr8dYp5Ck-wWPmmsPyIHC9jMKhVyLRiaYRVYg8Tl4LCXzCSFucWVHoR7ydtjrypV3-5HIdn7VU0HUEpE5UKiozhQx0IG6KYiYECq-xJ6F45oJlhx03SrZBlRI-zLO76UiMlNQ
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:38:24 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MzUwNCwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6IjA0Y2UzNzMyLTVmMWEtNDM3ZS05ZGE3LTQwMWE2NzViMTNiZiJ9.YHKpW5CXaxiZWA2vmlHeGGn6hvbiOnVepTb0CTbeB2xWAOwh9_HyRIL2dvKj-UMVIvjsuaE2zUohC77sqZYRGKNpHupC5ctp8ig8sTxabDlZlGe4rzxu7kBYmMIme0SUnm0iU3pHMhSMXUd9Z8_hLw5NCiYfoY75gEtwoCYRDb4eYI6V_6i_Z1WSm8M4J2-R5KxS5J8mgCbh7lnwMe8gWS2zIbRjb0nh4YFlVQkkMXcUGJwHpREEPeZtsQ2-JdvMeMFyc6DFEp4d36TkmpQk-BwbHCHVuAFJZ0fNEpRy4iBuKPrlnsPOpihphxPqf3GLsL-_WbSNhtPl7DIHTnDbRQ","token_id":"04ce3732-5f1a-437e-9da7-401a675b13bf","managed":"false","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIOD6cdHBctFAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTIyMDgyMzA5MjYwOFoXDTIzMDgyMzA5MjYwOFowXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjVGicpMnDjNlOgpmi8UM9eNlwiiECSLWbYXl7qEfZPknNb2KznOFJOopbiifqStw6AvEWCujCE4+0EBQlK+x7Q9/9v3/uUvrfTcNASw7OybAnGQXSJtCMJEAaxN8YHu9SxVh2XgdmpX+ZOpue4Ow6F2e+MW0uDD+gLFv/uBuoe96FBvtc7KGfH0OnXoNgKHK2bJfhpeV9W1E0SViVdmH0WcGUghfiA29aiKRCsV68MVU3qqBc6IoNe9lpTgqojHxLNR+AIcPugWQRB7Z2/Ep3cbCLQQkUlkqWKaONtDdwixjYM4HIo9Kih8+QkQd7TQ/GhZODfaN6V8zzK+dDNejswIDAQABozgwNjA0BgNVHREELTArghNzbW9sbmFyLU1CUDE2LmxvY2Fsgglsb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAebpUaoqmPv+TFA6LUf/6zfNemn0g0gIAqw0IJUokCEcKD8Hc281cwEfuIGn3mqbtaov1MRZm2Xf57dbCdq63Og2DxU/0U9E2nHGY7q7AvsFCg9rAFNjqjViH0i1Qbl3VAUZdAtOKT6ywh5cSi2oWRxg2RxGnauTm21rk4Q9+bzUdpRKngDAA5Hjs24Msh9TaZmVCJyPh1DX6fAhgj3QOQhyNNEdH+X42PEG4TOYIsQK7MtVl6UfZzK5hd3NPymXiS+FhCrKbcWBT3vx4L6kpzkrcupF1BTEe4g5nX0nNK3SgXhQ7j2r7QSNQpqlzPYW49uKti8hlE718k4+bAEqgkQ==","token_type":"Bearer","expires_in":1661283504536}
```
**7. Passing the Passcode token without cookies**
```
curl -iku
Passcode:TldVeVpUTTFPRFl0WlRrd01DMDBNV0U1TFRrd01UUXRNR00wT1RCaU16RmlOemxrOjpOakk1Wm1KbVlUUXRZakprT0MwME1qQTBMVGxsT1RjdFl6bG1NakJoWTJSbU1ERTM=
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:46:56 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4NDAxNiwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6ImQ1YTk0Njg0LTM5NTctNGNiOC05MjZiLTRkZDE4ZGZiNDQ0OCJ9.Z1XV_mEQgWmN0xIcyS5Pru04YloCsqCHP3BDUcU1W_GxV87TLmmrSqZaJf3bx7DFMWPYbZp-OVBlkGQoyUZiQ_77KfJIN5cGbAKtKrmTNIuKPt1fG7YO4ZcWbIV6d8k7pZAZkogIw-N5BZSQifLCnKuFVScI1l-X1wQxETOt98fdsQH32AMfTRB4mnTy5iHEUcCMhfE43vuDM2bZk4v3TksSQ720Tjo7d72BlkKFRRmfD7Z4spVvnJrcPd4mZW-dX3cd4z3qjmt4jsO9cuw3NPJRPTz-pshVwEw5uWfpjOlMGG9X3npat_2qffQhsrxl-g4HZFuKkjemxbDkD1_9lQ","token_id":"d5a94684-3957-4cb8-926b-4dd18dfb4448","managed":"false","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIOD6cdHBctFAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTIyMDgyMzA5MjYwOFoXDTIzMDgyMzA5MjYwOFowXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjVGicpMnDjNlOgpmi8UM9eNlwiiECSLWbYXl7qEfZPknNb2KznOFJOopbiifqStw6AvEWCujCE4+0EBQlK+x7Q9/9v3/uUvrfTcNASw7OybAnGQXSJtCMJEAaxN8YHu9SxVh2XgdmpX+ZOpue4Ow6F2e+MW0uDD+gLFv/uBuoe96FBvtc7KGfH0OnXoNgKHK2bJfhpeV9W1E0SViVdmH0WcGUghfiA29aiKRCsV68MVU3qqBc6IoNe9lpTgqojHxLNR+AIcPugWQRB7Z2/Ep3cbCLQQkUlkqWKaONtDdwixjYM4HIo9Kih8+QkQd7TQ/GhZODfaN6V8zzK+dDNejswIDAQABozgwNjA0BgNVHREELTArghNzbW9sbmFyLU1CUDE2LmxvY2Fsgglsb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAebpUaoqmPv+TFA6LUf/6zfNemn0g0gIAqw0IJUokCEcKD8Hc281cwEfuIGn3mqbtaov1MRZm2Xf57dbCdq63Og2DxU/0U9E2nHGY7q7AvsFCg9rAFNjqjViH0i1Qbl3VAUZdAtOKT6ywh5cSi2oWRxg2RxGnauTm21rk4Q9+bzUdpRKngDAA5Hjs24Msh9TaZmVCJyPh1DX6fAhgj3QOQhyNNEdH+X42PEG4TOYIsQK7MtVl6UfZzK5hd3NPymXiS+FhCrKbcWBT3vx4L6kpzkrcupF1BTEe4g5nX0nNK3SgXhQ7j2r7QSNQpqlzPYW49uKti8hlE718k4+bAEqgkQ==","token_type":"Bearer","expires_in":1661284016951}
```
**8. Passing an invalid cookie and a valid Passcode**
```
curl -iku
Passcode:TldVeVpUTTFPRFl0WlRrd01DMDBNV0U1TFRrd01UUXRNR00wT1RCaU16RmlOemxrOjpOakk1Wm1KbVlUUXRZakprT0MwME1qQTBMVGxsT1RjdFl6bG1NakJoWTJSbU1ERTM=
--cookie
"customCookieName=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9"
-X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 497
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 There is no valid cookie found</title>
</head>
<body><h2>HTTP ERROR 401 There is no valid cookie found</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>There is no valid cookie found</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
```
Issue Time Tracking
-------------------
Worklog Id: (was: 802787)
Remaining Estimate: 0h
Time Spent: 10m
> Add cokkie auth support in JWT federation provider
> --------------------------------------------------
>
> Key: KNOX-2794
> URL: https://issues.apache.org/jira/browse/KNOX-2794
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Knox has authentication federation providers to check either a cookie
> ({{{}SSOCookieFederationFilter{}}}) or an HTTP header
> ({{{}JWTFederationFilter{}}}) for a JWT. However, it cannot do both in the
> same filter currently.
> We need to enhance the {{JWTFederationFilter}} to check first for a valid JWT
> in the {{hadoop-jwt}} cookie (cookie name should be configurable) or keep
> doing what it does today, use the {{Authorization}} HTTP header.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
