Can you add the following after your discoveryUrl in the knoxsso.xml:

      <param>
        <name>oidc.useNonce</name>
        <value>false</value>
      </param>
      <param>
        <name>oidc.customParamKey1</name>
        <value>scope</value>
      </param>
      <param>
        <name>oidc.customParamValue1</name>
        <value>openid</value>
      </param>

In the testing that I did the idp did not require the email and profile
scopes that are requested by default by pac4j. Therefore, the customParam
was being used here to limit the scopes to just openid.

I happen to have the useNonce param in mine - so you might as well try that
too.
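As an added example, not code from Larry's reply or from the Knox project, here is a small Python checker that parses the pac4j provider params of a knoxsso.xml like the one above, pairs the oidc.customParamKeyN/oidc.customParamValueN entries into the scope override, and flags a missing client param or oidc.useNonce=false. The sample topology is constructed, and the oidc.id / oidc.secret / oidc.discoveryUri names are assumed from the Knox pac4j provider documentation rather than taken from this thread.

```python
"""Inspect the pac4j provider params in a Knox knoxsso.xml topology."""
import re
import xml.etree.ElementTree as ET
# Constructed sample topology, not one of the topologies from the thread; the
# oidc.id / oidc.secret / oidc.discoveryUri names are assumed from the Knox docs.
SAMPLE_KNOXSSO_XML = """<topology><gateway>
  <provider><role>federation</role><name>pac4j</name><enabled>true</enabled>
    <param><name>oidc.id</name><value>knox</value></param>
    <param><name>oidc.discoveryUri</name><value>https://idp.example/realms/demo/.well-known/openid-configuration</value></param>
    <param><name>oidc.useNonce</name><value>false</value></param>
    <param><name>oidc.customParamKey1</name><value>scope</value></param>
    <param><name>oidc.customParamValue1</name><value>openid</value></param>
  </provider>
</gateway></topology>"""

REQUIRED = ("oidc.id", "oidc.secret", "oidc.discoveryUri")  # assumed client essentials

def pac4j_params(topology_xml):
    """Return {name: value} for the params of the pac4j federation provider."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("name") == "pac4j":
            return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
                    for p in prov.findall("param")}
    raise ValueError("no pac4j provider in topology")

def custom_params(params):
    """Pair oidc.customParamKeyN with oidc.customParamValueN; None marks a missing value."""
    extra = {}
    for name, value in params.items():
        m = re.fullmatch(r"oidc\.customParamKey(\d+)", name)
        if m:
            extra[value] = params.get("oidc.customParamValue" + m.group(1))
    return extra

def check_topology(topology_xml):
    """Return the findings a reviewer would raise about the OIDC client config."""
    params = pac4j_params(topology_xml)
    findings = [f"missing required param {k}" for k in REQUIRED if not params.get(k)]
    extra = custom_params(params)
    for key, value in extra.items():
        if value is None:
            findings.append(f"customParamKey '{key}' has no matching customParamValue")
    if extra.get("scope") is not None and "openid" not in extra["scope"].split():
        findings.append("scope override must still include 'openid'")
    if params.get("oidc.useNonce", "true").lower() == "false":
        findings.append("oidc.useNonce=false disables the ID token nonce replay check")
    return findings

if __name__ == "__main__":
    for finding in check_topology(SAMPLE_KNOXSSO_XML):
        print("-", finding)
```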

On Mon, Oct 2, 2017 at 2:49 PM, N. Vidiadakis <[email protected]> wrote:

> Hi Larry,
>
> You can find attached the topologies and the stack trace.
>
> thank you in advance,
> Nick
>
>
> On Mon, Oct 2, 2017 at 9:34 PM, larry mccay <[email protected]> wrote:
>
>> Hi Nick -
>>
>> Can you please provide your topologies that you are using for both
>> sandbox.xml and knoxsso.xml?
>>
>> I have tested OIDC usecase before and would like to compare the
>> configuration that you have - I did not try it against Keycloak but it
>> should be generic OIDC.
>>
>> Also, can you provide the full stacktrace from the log?
>>
>> thanks,
>>
>> --larry
>>
>> On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]>
>> wrote:
>>
>>> Hello to all,
>>>
>>> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm appointed
>>> with a relatively more complicated task: integrate KNOX with an Idp and
>>> specifically with a Keycloak installation which uses OpenID.
>>>
>>> I've tried following the User Guide and my current state is I get
>>> redirected to the Keycloak Login portal, I enter my credentials and then
>>> get back to the KnoxSSO urls with an error 500. The log files contain:
>>>
>>> gateway.log:
>>>
>>> Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
>>> at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
>>> at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>>>
>>> gateway-audit.log:
>>>
>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request method: GET
>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>>>
>>> Also, Keycloak does not report something out of the ordinary.
>>>
>>> My question is if and how to further debug this. I also wanted to try a
>>> bearer-only configuration but the documentation is not clear enough for the
>>> configuration.
>>>
>>> Please. Help.
>>>
>>> KR,
>>> Nick Vidiadakis
>>>
>>
>>
>