[jira] [Work logged] (KNOX-3186) SSOCookieProvider does not work with istio external authorizer

Fri, 05 Sep 2025 14:12:02 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3186?focusedWorklogId=982103&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-982103
 ]

ASF GitHub Bot logged work on KNOX-3186:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/Sep/25 20:53
            Start Date: 05/Sep/25 20:53
    Worklog Time Spent: 10m 
      Work Description: moresandeep merged PR #1081:
URL: https://github.com/apache/knox/pull/1081




Issue Time Tracking
-------------------

    Worklog Id:     (was: 982103)
    Time Spent: 20m  (was: 10m)

> SSOCookieProvider does not work with istio external authorizer
> --------------------------------------------------------------
>
>                 Key: KNOX-3186
>                 URL: https://issues.apache.org/jira/browse/KNOX-3186
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> SSOCookieProvider does not work in it's current form with istio external 
> authorizer
>  * The reason SSOCookieProvider does not work in its current form is because 
> of the way istio external authorizer forwards the request.
>  * Say we a request comes to the endpoint [https://www.local.com:8443/knox/] 
> protected by istio external authorizer.
>  * It is intercepted by istio and forwarded to 
> [http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/]
>  * Sandbox topology kicks off SSO flow 
> [https://www.local.com:8443/gateway/knoxsso/api/v1/websso?originalUrl=http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|https://www.local.com:8443/gateway/knox-test-samlsso/api/v1/websso?originalUrl=http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/],
>  notice the originalURL it is not [https://www.local.com:8443/knox/] but 
> [http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/]
>  After successful SSO the request ends up at 
> [http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/]
>  which is not where we want it to go.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to