[ https://issues.apache.org/jira/browse/KNOX-3258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tamás Marcinkovics updated KNOX-3258:
-------------------------------------
    Description: 
When configuring Knox to use OpenID Connect (setting up pac4j as a federation 
provider in knoxsso and using the client OidcClient or AzureAdClient, etc.), 
login fails with a 500 internal server error, and the stack trace shows that 
oauth2-oidc-sdk:8.22 used by pac4j:4.5.6 is not compatible with 
com.nimbusds:nimbus-jose-jwt:10.

HTTP ERROR 500 javax.servlet.ServletException: javax.servlet.ServletException: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
URI:    /gateway/knoxsso/api/v1/websso
STATUS:    500
MESSAGE:    javax.servlet.ServletException: javax.servlet.ServletException: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
SERVLET:    knoxsso-knox-gateway-servlet
CAUSED BY:    javax.servlet.ServletException: javax.servlet.ServletException: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
CAUSED BY:    javax.servlet.ServletException: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
CAUSED BY:    java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;

Stack trace:

ERROR knox.gateway (GatewayServlet.java:service(129)) - Gateway processing failed: javax.servlet.ServletException: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
javax.servlet.ServletException: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
        at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:65) ~[gateway-spi-2.1.0.jar:2.1.0]
...
Caused by: java.lang.NoSuchMethodError: com.nimbusds.jwt.JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
        at com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet.<init>(IDTokenClaimsSet.java:238) ~[oauth2-oidc-sdk-8.22.jar:8.22]
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.toIDTokenClaimsSet(IDTokenValidator.java:339) ~[oauth2-oidc-sdk-8.22.jar:8.22]
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:289) ~[oauth2-oidc-sdk-8.22.jar:8.22]
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:224) ~[oauth2-oidc-sdk-8.22.jar:8.22]
        at org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:103) ~[pac4j-oidc-4.5.6.jar:?]
        at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:93) ~[pac4j-oidc-4.5.6.jar:?]
        at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:45) ~[pac4j-oidc-4.5.6.jar:?]
        at org.pac4j.core.client.BaseClient.retrieveUserProfile(BaseClient.java:119) ~[pac4j-core-4.5.6.jar:?]
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99) ~[pac4j-core-4.5.6.jar:?]
        at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:88) ~[pac4j-core-4.5.6.jar:?]
        at org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:75) ~[jee-pac4j-5.0.0.jar:?]
        at org.pac4j.jee.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:70) ~[jee-pac4j-5.0.0.jar:?]
        at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:344) ~[gateway-provider-security-pac4j-2.1.0.jar:2.1.0]
        at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:392) ~[gateway-server-2.1.0.jar:2.1.0]
        at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:306) ~[gateway-server-2.1.0.jar:2.1.0]
        at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50) ~[gateway-server-xforwarded-filter-2.1.0.jar:2.1.0]
        at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:59) ~[gateway-spi-2.1.0.jar:2.1.0]
        ... 57 more

 

This change was introduced in jose-jwt:9.x.

org.pac4j:pac4j:4.5.6 declares <nimbus-jose-jwt.version>8.22.1</nimbus-jose-jwt.version>

We cannot upgrade pac4j due to the Java 8 dependency.

[https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/versions]

oauth2-oidc-sdk versions 8.x depend on jose-jwt:8.x:

[https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/8.36.2] : nimbus-jose-jwt:8.20.1

oauth2-oidc-sdk versions 9.x depend on jose-jwt:9.x.

[https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/9.43.6|https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/8.36.2] : nimbus-jose-jwt:9.37.3

but this also breaks pac4j login:


Caused by: java.lang.NoSuchMethodError: 'void com.nimbusds.openid.connect.sdk.UserInfoRequest.<init>(java.net.URI, com.nimbusds.oauth2.sdk.token.BearerAccessToken)'
        at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:99) ~[pac4j-oidc-4.5.6.jar:?]
        at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:45) ~[pac4j-oidc-4.5.6.jar:?]
        at org.pac4j.core.client.BaseClient.retrieveUserProfile(BaseClient.java:119) ~[pac4j-core-4.5.6.jar:?]
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99) ~[pac4j-core-4.5.6.jar:?]
 
We have to remain on 9.13 because of the UserInfoRequest change:

[https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/master/CHANGELOG.txt]:

version 9.14 (2021-08-19)
    * Updates UserInfoRequest to support DPoPAccessToken.
    * Adds static AccessToken.parse(HTTPRequest) method.
    * Updates AccessTokenUtils.

lang-tag and other libraries do not need to be upgraded.

 


> Fix OIDC client login
> ---------------------
>
>                 Key: KNOX-3258
>                 URL: https://issues.apache.org/jira/browse/KNOX-3258
>             Project: Apache Knox
>          Issue Type: Task
>          Components: KnoxSSO
>    Affects Versions: 2.1.0
>            Reporter: Tamás Marcinkovics
>            Assignee: Tamás Marcinkovics
>            Priority: Major
>         Attachments: http500-oidc-client-pac4j-knox-login.png, 
> keycloak-test-after-fix1.png, keycloak-test-after-fix2.png, 
> knox-keycloak-oidc-test-example.tar.gz
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>  
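
The two NoSuchMethodError signatures reported in this issue can be checked against a classpath before deployment. The following is an added example, not code from Knox, pac4j or the Nimbus libraries; the class name OidcLinkageCheck is hypothetical, and it assumes the gateway's jars are placed on the classpath when it is run.

```java
import java.net.URI;
import java.security.CodeSource;
// Added diagnostic (hypothetical class name); not Knox, pac4j or Nimbus code. Java 8 compatible.
public class OidcLinkageCheck {
    static Class<?> load(String name) {
        try {
            return Class.forName(name, false, OidcLinkageCheck.class.getClassLoader());
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    // Jar or directory the class came from, to see which artifact version won on the classpath.
    static String origin(Class<?> c) {
        CodeSource src = c == null ? null : c.getProtectionDomain().getCodeSource();
        return src == null ? "(not found or unknown source)" : String.valueOf(src.getLocation());
    }

    // oauth2-oidc-sdk 8.22 links against JWTClaimsSet.toJSONObject()Lnet/minidev/json/JSONObject;
    static boolean claimsReturnMinidevJson(Class<?> claims) {
        if (claims == null) return false;
        try {
            String ret = claims.getMethod("toJSONObject").getReturnType().getName();
            return "net.minidev.json.JSONObject".equals(ret);
        } catch (NoSuchMethodException | LinkageError e) {
            return false;
        }
    }

    // pac4j-oidc 4.5.6 links against UserInfoRequest.<init>(URI, BearerAccessToken)
    static boolean hasBearerConstructor(Class<?> request, Class<?> bearer) {
        if (request == null || bearer == null) return false;
        try {
            request.getConstructor(URI.class, bearer); // exact parameter types, like JVM linkage
            return true;
        } catch (NoSuchMethodException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Class<?> claims = load("com.nimbusds.jwt.JWTClaimsSet");
        Class<?> request = load("com.nimbusds.openid.connect.sdk.UserInfoRequest");
        Class<?> bearer = load("com.nimbusds.oauth2.sdk.token.BearerAccessToken");
        System.out.println("JWTClaimsSet from " + origin(claims) + ", UserInfoRequest from " + origin(request));
        System.out.println("toJSONObject() returns minidev JSONObject: " + claimsReturnMinidevJson(claims));
        System.out.println("UserInfoRequest(URI, BearerAccessToken) present: " + hasBearerConstructor(request, bearer));
    }
}
```

A false on the first line means oauth2-oidc-sdk 8.x cannot run against the nimbus-jose-jwt on the classpath; a false on the second means the oauth2-oidc-sdk present is past the 9.14 UserInfoRequest change and pac4j-oidc 4.5.6 will fail at login.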


