Re: KNOX Pac4j Azure AD Open ID

Hi Jerome/Sandeep, Azure AD does support query parameters in the Reply URL for Azure app registration, whereas in v2 with microsoft app registration portal, it does not. However, even in the first case where it allows the parameters during configuration, it does not honor them by sending it back

Re: KNOX Pac4j Azure AD Open ID

Hello Jérôme You are right about the client_name and pac4JCallback parameters. I do not think this is because of misconfiguration, the issue in this case is that Azure AD does not support query params in the callback URLs. Best, Sandeep On Mon, Feb 26, 2018 at 1:42 AM, Jérôme LELEU

Re: KNOX Pac4j Azure AD Open ID

Hi, The callback URL sent by the IdP does not have the client_name parameter, nor the pac4jCallback parameter (the parameter has changed between versions). So the callback is not properly detected and an authentication is tried over and over again. So I guess there is a misconfiguration on the

Re: KNOX Pac4j Azure AD Open ID

So, it seems that OidcClient and Auth0 is working but AAD and Google are not. While I've never tested AAD, I have tested Google so there may be a regression there. I notice that there are specific clients for both AzureAd and Google now - see:

Re: KNOX Pac4j Azure AD Open ID

Yes, you are right. I tested again the pac4j provider with client as "testBasicAuth". This works perfectly and I noticed that pac4j provides a "hadoop-jwt" token at the last step to the SSO, and then its able to get the results for the original URL. I also tested pac4j with basicAuth and

Re: KNOX Pac4j Azure AD Open ID

Hi Colm - Thanks for trying to reproduce. Starting to get concerned about a regression I see that you are using localhost - that will definitely present problems for Set-Cookie with some browsers. I know that Chrome will not accept it for sure. Can you switch to a full domain name? I

Re: KNOX Pac4j Azure AD Open ID

I can reproduce the issue with Google. From the logs I see the following: 2018-02-19 17:21:58,484 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(91)) - Get from session: pac4jRequestedUrl =

Re: KNOX Pac4j Azure AD Open ID

No, the hadoop-jwt cookie is for KnoxSSO and the SSOCookieProvider. If it isn't being set, it could be that it isn't getting past the pac4j federation provider to the KnoxSSO service itself because there is a redirect from the pac4j provider or the Set-Cookie just isn't being accepted by the

Re: KNOX Pac4j Azure AD Open ID

Hello Sandeep, Sorry, that was an incomplete post earlier. *myCluster.topology:* 1. 2. 3. 4. webappsec 5. WebAppSec 6. true 7. cors.enabled

Re: KNOX Pac4j Azure AD Open ID

It looks like you may be using ip addresses for your Knox URLs - to webhdfs. In order to rule out cookie related issue can you do a couple things: 1. check whether a cookie called hadoop-jwt is actually set in your browser 2. if not, you may want to set an actual domain in your /etc/hosts or

Re: KNOX Pac4j Azure AD Open ID

Hello Nisha, Can you share details of "mycluster" topology ? also, can you turn up the logs to debug and share them along with the audit log that would help us to understand the problem better. Best, Sandeep On Fri, Feb 16, 2018 at 3:16 AM, Nisha Menon wrote: > Hello,