Hi All,

Disclaimer: I am very new to Knox!

I am working on setting up KnoxSSO with an OpenID provider (Cloud Foundry
UAA) for AuthN to an application (Apache NiFi). I am running into an issue
where it seems that the oidc.discoveryUri is resulting in the following
error:

2018-03-03 21:59:37,104 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
2018-03-03 21:59:37,104 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)

*Here is my topology from knoxsso.xml config:*

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
        </provider>
        <provider>
            <role>federation</role>
            <name>pac4j</name>
            <enabled>true</enabled>
            <param>
                <name>pac4j.callbackUrl</name>
                <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
            <param>
                <name>clientName</name>
                <value>OidcClient</value>
            </param>
            <param>
                <name>oidc.id</name>
                <value>some_client_id</value>
            </param>
            <param>
                <name>oidc.secret</name>
                <value>some_client_secret</value>
            </param>
            <param>
                <name>oidc.discoveryUri</name>
                <value>https://{guid-id}.sub-uaa.another.zone.aws-us01.something.io/.well-known/openid-configuration</value>
            </param>
            <param>
                <name>oidc.preferredJwsAlgorithm</name>
                <value>RS256</value>
            </param>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>false</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>3600000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>
</topology>


*Here is my topology from sandbox.xml:*

<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>NIFI</role>
        <url>http://localhost:8080</url>
    </service>
</topology>

I was able to use the gateway to get to the NiFi app with basic auth as a
connectivity test, and now I want to drop in the OpenID provider for the
auth I am really after. Any help is greatly appreciated!


Cheers,

Ryan H.
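An added pre-flight check for the pac4j OIDC parameters in a Knox topology like the knoxsso.xml above (example code written for this thread, not part of the original post, of Knox, or of pac4j). The sample topology is constructed from the post with its placeholder discovery host left in place, and the offline checks flag exactly that kind of host before Knox ever tries the lookup that ended in UnknownHostException; the discovery-document checks assume a provider metadata document already fetched from /.well-known/openid-configuration.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample: the pac4j provider from the knoxsso.xml above, placeholder host left in.
SAMPLE_TOPOLOGY = """<topology><gateway><provider><role>federation</role><name>pac4j</name>
<param><name>pac4j.callbackUrl</name><value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value></param>
<param><name>clientName</name><value>OidcClient</value></param><param><name>oidc.id</name><value>some_client_id</value></param>
<param><name>oidc.secret</name><value>some_client_secret</value></param><param><name>oidc.preferredJwsAlgorithm</name><value>RS256</value></param>
<param><name>oidc.discoveryUri</name><value>https://{guid-id}.sub-uaa.another.zone.aws-us01.something.io/.well-known/openid-configuration</value></param>
</provider></gateway></topology>"""

def pac4j_params(topology_xml):
    # Return the <param> name/value pairs of the federation/pac4j provider.
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if prov.findtext("role") == "federation" and prov.findtext("name") == "pac4j":
            return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
                    for p in prov.findall("param")}
    raise ValueError("no federation/pac4j provider in topology")

def check_params(params):
    """Offline checks: required keys present, no placeholder or line-wrap in the discovery URI."""
    problems = [f"missing {k}" for k in
                ("pac4j.callbackUrl", "clientName", "oidc.id", "oidc.secret", "oidc.discoveryUri")
                if k not in params]
    uri = params.get("oidc.discoveryUri", "")
    host = urlparse(uri).hostname or ""
    if "{" in host or "}" in host:
        problems.append("oidc.discoveryUri host still contains a placeholder")
    if any(c.isspace() for c in uri):
        problems.append("oidc.discoveryUri contains whitespace (value wrapped across lines?)")
    return problems

def check_discovery_document(doc, discovery_uri, alg):
    """Checks on the fetched provider metadata: issuer host, JWKS endpoint, signing algorithm."""
    problems = []
    if urlparse(doc.get("issuer", "")).hostname != urlparse(discovery_uri).hostname:
        problems.append("issuer host differs from the discovery host")
    if not doc.get("jwks_uri", "").startswith("https://"):
        problems.append("jwks_uri missing or not https (id_token signatures cannot be verified)")
    if alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"provider does not advertise {alg} for id_token signing")
    return problems

def host_resolves(discovery_uri):
    """The DNS lookup behind Knox's UnknownHostException; needs network access, so not asserted."""
    host = urlparse(discovery_uri).hostname
    try:
        return bool(host) and bool(socket.getaddrinfo(host, 443))
    except socket.gaierror:
        return False
```

Run check_params on the real topology before restarting the gateway, then host_resolves and check_discovery_document against the live provider once the placeholder is replaced.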
