Hi Knox Users, I am rethreading this error I am getting as I mentioned it in a different thread that was about a different error (sorry to those active on the other email thread).
I am running into an issue with KnoxSSO with the pac4j OIDC federation provider. When accessing the gateway, I am correctly redirected to my configured OpenID provider and, upon successful authentication, redirected back to Knox, but it results in an error. I am posting the relevant config files as well as the errors below. I have switched over to testBasicAuth just to confirm that I can connect to the NiFi app, which I can. I am not really sure where to go from here. I have sifted through the internet and the Knox documentation on this and haven't been able to find anything. I did find some info on this error with Play and pac4j with the way the session was being handled and assumed that Knox would handle this (if not, it is not documented that I can find). Any help is appreciated!

Cheers,
Ryan

*Error 1:*

2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature

*Error 2:*

2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
    at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
    at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
    at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
    at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
    at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
    at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
    at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
    at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
    at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
    at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
    at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
    ... 35 more

*knoxsso.xml:*

<gateway>
    <provider>
        <role>webappsec</role>
        <name>WebAppSec</name>
        <enabled>true</enabled>
        <param>
            <name>xframe.options.enabled</name>
            <value>true</value>
        </param>
    </provider>
    <provider>
        <role>federation</role>
        <name>pac4j</name>
        <enabled>true</enabled>
        <param>
            <name>pac4j.callbackUrl</name>
            <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
        </param>
        <param>
            <name>clientName</name>
            <value>OidcClient</value>
        </param>
        <param>
            <name>oidc.id</name>
            <value>my_client_id</value>
        </param>
        <param>
            <name>oidc.secret</name>
            <value>my_client_secret</value>
        </param>
        <param>
            <name>oidc.discoveryUri</name>
            <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
        </param>
        <param>
            <name>oidc.preferredJwsAlgorithm</name>
            <value>RS256</value>
        </param>
    </provider>
</gateway>
<application>
    <name>knoxauth</name>
</application>
<service>
    <role>KNOXSSO</role>
    <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>false</value>
    </param>
    <param>
        <name>knoxsso.cookie.max.age</name>
        <value>session</value>
    </param>
    <param>
        <name>knoxsso.token.ttl</name>
        <value>30000</value>
    </param>
    <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
    </param>
</service>

*sandbox.xml:*

<gateway>
    <provider>
        <role>federation</role>
        <name>SSOCookieProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sso.authentication.provider.url</name>
            <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
    </provider>
</gateway>
<service>
    <role>NIFI</role>
    <url>http://localhost:8080</url>
</service>
<application>
    <role>admin-ui</role>
</application>
<service>
    <role>KNOX</role>
</service>
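The check that produces the "State parameter is different from the one sent in authentication request" message in Error 2 is the standard OIDC/OAuth state correlation: the client generates a random state when it builds the authorization request, stores it in the caller's server-side session, and on the callback compares the state echoed back by the provider with the one found in that same session. The model below, an added example that is not Knox or pac4j code, shows the three outcomes a practitioner cares about: the session cookie issued at login is presented on the callback (accepted), the callback arrives with no or a different session cookie so the server sees an empty session (the mismatch in the post), and a callback carrying a state the session never issued (the CSRF case the message also names). The endpoint URL, cookie values and authorization code are constructed for the demo; the callback URL and client id are taken from the posted knoxsso.xml.

```python
"""Minimal model of the OIDC 'state' correlation a pac4j-style callback performs.

Added example, not Knox or pac4j code. The provider URL, cookie values and the
authorization code are constructed; the callback URL and client id mirror the
posted knoxsso.xml.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK_URL = "https://localhost:8443/gateway/knoxsso/api/v1/websso"
AUTHZ_ENDPOINT = "https://idp.example/authorize"  # hypothetical provider endpoint
CLIENT_ID = "my_client_id"


class StateMismatch(Exception):
    """Raised on the callback when the session holds no matching state."""


class SessionStore:
    """In-memory sessions keyed by the session cookie the browser presents."""

    def __init__(self):
        self._sessions = {}

    def get(self, cookie):
        # A cookie the browser never received or does not send back yields a fresh, empty session.
        return self._sessions.setdefault(cookie, {})


def start_login(store, cookie):
    """Build the authorization request and pin its state to the caller's session."""
    state = secrets.token_urlsafe(16)
    store.get(cookie)["oidc_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": "openid",
        "state": state,
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def handle_callback(store, cookie, callback_url):
    """Accept the provider's redirect only if its state equals the one stored in this session."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [None])[0]
    expected = store.get(cookie).pop("oidc_state", None)  # state is single-use
    if expected is None or returned_state is None or not secrets.compare_digest(expected, returned_state):
        raise StateMismatch(
            "State parameter is different from the one sent in authentication request. "
            "Session expired or possible threat of cross-site request forgery"
        )
    return params["code"][0]


def idp_redirect(authz_url, code="constructed-code"):
    """Stand-in for the provider: echo the request's state back with an authorization code."""
    state = parse_qs(urlparse(authz_url).query)["state"][0]
    return f"{CALLBACK_URL}?{urlencode({'code': code, 'state': state})}"


def demo():
    """Run the three callback scenarios and return their outcomes keyed by scenario."""
    store = SessionStore()
    results = {}

    # 1. Same session cookie at login and callback: state is found, code is accepted.
    url = start_login(store, "JSESSIONID=abc")
    results["same_session"] = handle_callback(store, "JSESSIONID=abc", idp_redirect(url))

    # 2. Callback arrives without the login session cookie (e.g. the cookie was scoped to a
    #    different host, scheme or path than the callback URL): empty session, no state to compare.
    url = start_login(store, "JSESSIONID=abc")
    try:
        handle_callback(store, "JSESSIONID=fresh", idp_redirect(url))
    except StateMismatch as exc:
        results["session_lost"] = str(exc)

    # 3. CSRF: a callback carrying a state this session never issued.
    start_login(store, "JSESSIONID=victim")
    forged = f"{CALLBACK_URL}?{urlencode({'code': 'x', 'state': 'attacker-chosen'})}"
    try:
        handle_callback(store, "JSESSIONID=victim", forged)
    except StateMismatch as exc:
        results["forged_state"] = str(exc)

    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The practical implication for a deployment is that the check can only pass if the session cookie set while the user is being redirected to the provider is presented again on the request to pac4j.callbackUrl; scenario 2 is what the server sees whenever that cookie is absent, whatever the reason. Confirming that the browser actually sends the gateway's session cookie on the callback request (the Set-Cookie on the initial redirect and the Cookie header on the return) is the first thing to verify against this error.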