Unfortunately, it seems that you will need to put a breakpoint in the code at org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205) and walk through - hopefully into the pac4j code and nimbus to see what is expected and not being found.

Explicitly adding Jerome...

@Jerome - does this error ring any bells for you?

On Mon, Oct 2, 2017 at 3:09 PM, N. Vidiadakis <[email protected]> wrote:

> I've done the modifications and unfortunately, I have the same results:
>
> 2017-10-02 19:06:10,559 ERROR hadoop.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: java.lang.IllegalArgumentException: The client authentication must not be null
> 2017-10-02 19:06:10,560 ERROR hadoop.gateway (GatewayFilter.java:doFilter(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
> javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
>     at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>     at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
>     at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
>     at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:140)
>     ...
>
> KR,
> Nick
>
> On Mon, Oct 2, 2017 at 9:57 PM, larry mccay <[email protected]> wrote:
>
>> Can you add the following after your discoveryUrl in the knoxsso.xml:
>>
>> <param>
>>     <name>oidc.useNonce</name>
>>     <value>false</value>
>> </param>
>> <param>
>>     <name>oidc.customParamKey1</name>
>>     <value>scope</value>
>> </param>
>> <param>
>>     <name>oidc.customParamValue1</name>
>>     <value>openid</value>
>> </param>
>>
>> In the testing that I did the idp did not require the email and
>> profile scopes that are requested by default by pac4j. Therefore, the
>> customParam was being used here to limit the scopes to just openid.
>>
>> I happen to have the useNonce param in mine - so you might as well try
>> that too.
>>
>> On Mon, Oct 2, 2017 at 2:49 PM, N. Vidiadakis <[email protected]> wrote:
>>
>>> Hi Larry,
>>>
>>> You can find attached the topologies and the stack trace.
>>>
>>> thank you in advance,
>>> Nick
>>>
>>> On Mon, Oct 2, 2017 at 9:34 PM, larry mccay <[email protected]> wrote:
>>>
>>>> Hi Nick -
>>>>
>>>> Can you please provide your topologies that you are using for both
>>>> sandbox.xml and knoxsso.xml?
>>>>
>>>> I have tested OIDC usecase before and would like to compare the
>>>> configuration that you have - I did not try it against Keycloak but it
>>>> should be generic OIDC.
>>>>
>>>> Also, can you provide the full stacktrace from the log?
>>>>
>>>> thanks,
>>>>
>>>> --larry
>>>>
>>>> On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]> wrote:
>>>>
>>>>> Hello to all,
>>>>>
>>>>> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm
>>>>> appointed with a relatively more complicated task: integrate KNOX with an
>>>>> Idp and specifically with a Keycloak installation which uses OpenID.
>>>>>
>>>>> I've tried following the User Guide and my current state is I get
>>>>> redirected to the Keycloak Login portal, I enter my credentials and then
>>>>> get back to the KnoxSSO urls with an error 500. The log files contain:
>>>>>
>>>>> gateway.log:
>>>>>
>>>>> Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
>>>>>     at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
>>>>>     at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>>>>>
>>>>> gateway-audit.log:
>>>>>
>>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request method: GET
>>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>>>>>
>>>>> Also, Keycloak does not report something out of the ordinary.
>>>>>
>>>>> My question is if and how to further debug this. I also wanted to try
>>>>> a bearer-only configuration but the documentation is not clear enough for
>>>>> the configuration.
>>>>>
>>>>> Please. Help.
>>>>>
>>>>> KR,
>>>>> Nick Vidiadakis
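
On the "if and how to further debug this" question, an added example (not part of the thread and not Knox code): a Python pass over gateway-audit.log that reports every request whose last record is not a success and masks the OIDC `code` and `state` query values before the lines are shared. The field positions are inferred from the excerpt quoted above, the sample records are constructed, and it expects unwrapped lines as they appear in the log file.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed records in the pipe-delimited layout of the quoted gateway-audit.log
# excerpt; request ids, the address and the code/state values are made up.
SAMPLE = """\
17/10/02 18:07:17 ||req-1|audit|192.0.2.10|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
17/10/02 18:07:17 ||req-1|audit|192.0.2.10|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
17/10/02 18:07:17 ||req-2|audit|192.0.2.10|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=STATE-PLACEHOLDER&code=CODE-PLACEHOLDER|unavailable|Request method: GET
17/10/02 18:07:17 ||req-2|audit|192.0.2.10|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=STATE-PLACEHOLDER&code=CODE-PLACEHOLDER|failure|
"""

SENSITIVE = {"code", "state"}  # one-time OIDC callback values

def redact(uri):
    """Mask sensitive query parameters; URIs without them are returned unchanged."""
    parts = urlsplit(uri)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k in SENSITIVE for k, _ in pairs):
        return uri
    masked = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return parts._replace(query=urlencode(masked)).geturl()

def parse(line):
    """Split one audit record; field names are assumptions based on the excerpt."""
    f = line.rstrip("\n").split("|")
    if len(f) < 14 or f[3] != "audit":
        return None  # wrapped or unrelated line
    return {"time": f[0].strip(), "request_id": f[2], "remote": f[4],
            "service": f[5], "action": f[9], "uri": redact("|".join(f[11:-2])),
            "outcome": f[-2], "message": f[-1]}

def unfinished_requests(text):
    """Return the last record of each request that did not end in 'success'."""
    last = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            last[rec["request_id"]] = rec  # overwrites the 'unavailable' start record
    return [r for r in last.values() if r["outcome"] != "success"]

if __name__ == "__main__":
    for r in unfinished_requests(SAMPLE):
        print(r["time"], r["service"], r["outcome"], r["uri"])
```

On the constructed sample this singles out the pac4jCallback request to KNOXSSO, the same step that ends in `failure` in the quoted log.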
