Hello,

I have set up KNOX to connect with Azure AD using pac4j.

However, after the authentication at Azure login page, it gets into an
infinite loop and does not give back the original REST call response.

*Details:*

1. I try to access the original URL, e.g.:
https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS

2. It redirects to https://login.microsoftonline.com and asks for credentials.

3. After successful login at the Azure login page, it redirects to
http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session_state and
state variables passed as below:

https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4k***********************LFFm7C9cIShE7nggAA&state=5dzTZBYhEVDBrA*****************GZRNfANGb5ls&session_state=42f2447b-621***********790eaa2d18

2. Following this call, it *again* calls login.microsoftonline.com like below:

https://login.microsoftonline.com/f82969ba-b***********c1d0557a/oauth2/authorize?response_type=code&client_id=385*******3-a4bdceaa34&redirect_uri=https%3A%2F%2Fx.x.2.3%3A8442%2Fgateway%2Fknoxsso%2Fapi%2Fv1%2Fwebsso%3Fpac4jCallback%3Dtrue%26client_name%3DOidcClient&scope=openid+profile+email&state=5dzTZBYhEVDBrAInao9VHDRd33uiRp-GZRNfANGb5ls&nonce=BvCUroM7_aKFjmbLYxaxbS0Mq9SJ8If0CUpITEGB-bw

After this, steps 1 and 2 alternate several times and it finally ends in
"ERR_TOO_MANY_REDIRECTS"!!!

This is my knoxsso.xml:

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
        </provider>
        <provider>
            <role>federation</role>
            <name>pac4j</name>
            <enabled>true</enabled>
            <param>
                <name>pac4j.callbackUrl</name>
                <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
            </param>
            <param>
                <name>clientName</name>
                <value>OidcClient</value>
            </param>
            <param>
                <name>oidc.id</name>
                <value>385c2bc*****************2695eaa34</value>
            </param>
            <param>
                <name>oidc.secret</name>
                <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
            </param>
            <param>
                <name>oidc.discoveryUri</name>
                <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>false</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>
</topology>

I tried using response_type "id_token", enabling nonces, setting knoxsso.secure to
true, preferredJwsAlgorithm as RS256, etc. Nothing helps.

gateway-audit.log when the redirection error starts:

18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302

It clearly shows Response status as "302" and not "200". This leads to
redirection!

What could I be missing here? Any pointers will be greatly appreciated.
Regards
Nisha
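One check worth running on a redirect loop like the one described in this post: compare the redirect_uri the gateway sent in the authorize request with the callback the identity provider actually returned to. This is an added example for the thread, not code from Knox, pac4j, Azure AD or the original poster. It assumes, as the redirect_uri in the authorize URL above suggests but the post does not confirm, that the relying party tags its callback URL with its own query parameters (pac4jCallback, client_name) and needs to see them again on the way back; a callback that arrives without them looks like a fresh request rather than a completed login. The URLs in the block are constructed from the redacted ones in the post, with placeholders in place of the secrets.

```python
"""Check an OIDC authorization-code callback against the redirect_uri that
was sent in the authorize request.

Added example for this thread, not code from Knox, pac4j or the poster.
Assumption (suggested by the redirect_uri in the post's authorize URL, not
confirmed by the post): the relying party appends pac4jCallback=true and
client_name=... to its callback URL and expects them back unchanged. All
URLs below are constructed; TENANT, CLIENT, CODE, STATE123, NONCE456 and
SESSION are placeholders for the redacted values.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the authorize request the RP sent to the IdP.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT/oauth2/authorize"
    "?response_type=code&client_id=CLIENT"
    "&redirect_uri=https%3A%2F%2Fx.x.2.3%3A8442%2Fgateway%2Fknoxsso%2Fapi%2Fv1%2Fwebsso"
    "%3Fpac4jCallback%3Dtrue%26client_name%3DOidcClient"
    "&scope=openid+profile+email&state=STATE123&nonce=NONCE456"
)

# Constructed sample: the callback as it appears in the post, i.e. with the
# RP's own query parameters absent.
CALLBACK_URL_STRIPPED = (
    "https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso"
    "?code=CODE&state=STATE123&session_state=SESSION"
)

# Constructed sample: a callback that carries the redirect_uri tail intact.
CALLBACK_URL_INTACT = (
    "https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso"
    "?pac4jCallback=true&client_name=OidcClient"
    "&code=CODE&state=STATE123&session_state=SESSION"
)


def query(url):
    """Return the query string of url as {name: value}, first value only."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def diagnose_callback(authorize_url, callback_url):
    """Compare the redirect_uri in the authorize request with the callback.

    Returns a dict of findings:
      path_matches   - scheme, host:port and path of the callback equal
                       those of redirect_uri
      state_matches  - the state we sent came back (CSRF binding)
      has_code       - an authorization code is present
      dropped_params - redirect_uri query parameters missing or changed
                       on the callback
      recognizable   - path_matches and nothing dropped, so the RP can
                       match this request to the login it started
    """
    auth_q = query(authorize_url)
    # parse_qs percent-decodes, so this is the full redirect_uri including
    # its own ?pac4jCallback=true&client_name=... tail.
    redirect_uri = auth_q["redirect_uri"]
    expected, actual = urlsplit(redirect_uri), urlsplit(callback_url)
    expected_q, actual_q = query(redirect_uri), query(callback_url)

    findings = {
        "path_matches": (expected.scheme, expected.netloc, expected.path)
        == (actual.scheme, actual.netloc, actual.path),
        "state_matches": auth_q.get("state") == actual_q.get("state"),
        "has_code": "code" in actual_q,
        "dropped_params": sorted(
            k for k, v in expected_q.items() if actual_q.get(k) != v
        ),
    }
    findings["recognizable"] = (
        findings["path_matches"] and not findings["dropped_params"]
    )
    return findings


if __name__ == "__main__":
    for label, cb in (("stripped", CALLBACK_URL_STRIPPED),
                      ("intact", CALLBACK_URL_INTACT)):
        print(label, diagnose_callback(AUTHORIZE_URL, cb))
```

Paste the real authorize URL and the real callback URL from the browser's network log (or the gateway-audit.log line) into the two constants. A non-empty dropped_params with state_matches still true means the IdP sent the browser back to the right host and path but without the query string the gateway put on its redirect_uri, which is the thing to compare against the reply URL registered for the application on the IdP side; a false state_matches points at a session or cookie problem on the gateway instead.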
