[
https://issues.apache.org/jira/browse/KNOX-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar resolved KNOX-3186.
---------------------------------
Fix Version/s: 2.1.0
Resolution: Fixed
> SSOCookieProvider does not work with istio external authorizer
> --------------------------------------------------------------
>
> Key: KNOX-3186
> URL: https://issues.apache.org/jira/browse/KNOX-3186
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> SSOCookieProvider does not work in its current form with istio external
> authorizer
> * The reason SSOCookieProvider does not work in its current form is because
> of the way istio external authorizer forwards the request.
> * Say a request comes to the endpoint https://www.local.com:8443/knox/
> protected by istio external authorizer.
> * It is intercepted by istio and forwarded to
> http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/
> * Sandbox topology kicks off SSO flow
> https://www.local.com:8443/gateway/knoxsso/api/v1/websso?originalUrl=http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/,
> notice the originalURL: it is not https://www.local.com:8443/knox/ but
> http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/
> After successful SSO the request ends up at
> http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/
> which is not where we want it to go.