Hi Knox Users,

I am rethreading this error I am getting, as I mentioned it in a different
thread that was about a different error (sorry to those active on the other
email thread).

I am running into an issue with KnoxSSO with the pac4j OIDC federation
provider. When accessing the gateway, I am correctly redirected to my
configured OpenID provider and, upon successful authentication, redirected
back to Knox, but this results in an error. I am posting the relevant config
files as well as the errors below. I have switched over to testBasicAuth just
to confirm that I can connect to the NiFi app, which I can. I am not really
sure where to go from here. I have sifted through the internet and the Knox
documentation on this and haven't been able to find anything. I did find
some info on this error with Play and pac4j regarding the way the session was
being handled and assumed that Knox would handle this (if not, it is not
documented anywhere that I can find). Any help is appreciated!

Cheers,

Ryan


*Error 1:*
2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature

*Error 2:*
2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
    at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
    at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
    at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
    at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
    at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
    at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
    at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
    at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
    at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
    at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
    at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
    at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
    at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
    ... 35 more


*knoxsso.xml:*
<!-- <topology> root element restored; Knox topology descriptors require it -->
<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param>
        <name>xframe.options.enabled</name>
        <value>true</value>
      </param>
    </provider>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param>
        <!-- must be the exact URL the OpenID provider redirects back to -->
        <name>pac4j.callbackUrl</name>
        <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>OidcClient</value>
      </param>
      <param>
        <name>oidc.id</name>
        <value>my_client_id</value>
      </param>
      <param>
        <name>oidc.secret</name>
        <value>my_client_secret</value>
      </param>
      <param>
        <name>oidc.discoveryUri</name>
        <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
      </param>
      <param>
        <name>oidc.preferredJwsAlgorithm</name>
        <value>RS256</value>
      </param>
    </provider>
  </gateway>

  <application>
    <name>knoxauth</name>
  </application>

  <service>
    <role>KNOXSSO</role>
    <param>
      <!-- false lets the SSO cookie travel over plain http; keep true outside local testing -->
      <name>knoxsso.cookie.secure.only</name>
      <value>false</value>
    </param>
    <param>
      <name>knoxsso.cookie.max.age</name>
      <value>session</value>
    </param>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>30000</value>
    </param>
    <param>
      <!-- only originalUrl values matching this regex are accepted as post-login redirect targets -->
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
    </param>
  </service>
</topology>



*sandbox.xml:*
<!-- <topology> root element restored; Knox topology descriptors require it -->
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <!-- where unauthenticated requests are sent to obtain the KnoxSSO cookie -->
        <name>sso.authentication.provider.url</name>
        <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>

    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>

  <service>
    <role>NIFI</role>
    <url>http://localhost:8080</url>
  </service>
  <application>
    <role>admin-ui</role>
  </application>
  <service>
    <role>KNOX</role>
  </service>
</topology>

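Added illustration, not code from Knox, pac4j or the post above: a minimal Python model of the OIDC `state` check behind the second error. The gateway mints a random state when it builds the authorization request, stores it in the server-side session named by the session cookie, and on the callback compares the state in the query string with the one stored in the session named by the cookie that arrives with that request. The provider endpoint, authorization codes and the forged state are constructed values; pac4j's real session store and renewal logic are not reproduced, only the binding that the error message describes.

```python
"""Toy model of the OIDC state / session binding that yields
"State parameter is different from the one sent in authentication request".
Added example; endpoint URLs, codes and the forged state are constructed."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK_URL = "https://localhost:8443/gateway/knoxsso/api/v1/websso"
AUTHORIZE_URL = "https://op.example/authorize"  # assumed provider endpoint


class StateMismatch(Exception):
    """Raised when the returned state cannot be matched to the caller's session."""


class SessionStore:
    """Server-side sessions keyed by the value of the session cookie."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def expire(self, sid):
        self._sessions.pop(sid, None)

    def renew(self, sid):
        """Rotate the session id (session-fixation defence); data carries over."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = data
        return new_sid


def build_auth_request(store, sid, client_id):
    """Step 1: mint a random state, remember it in *this* session, redirect to the OP."""
    session = store.get(sid)
    if session is None:
        raise RuntimeError("no session to bind the state to")
    state = secrets.token_urlsafe(24)
    session["oidc_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": CALLBACK_URL, "scope": "openid", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def provider_redirect(auth_request_url, code="constructed-code"):
    """Stand-in for the OpenID provider: echoes the state back with an auth code."""
    state = parse_qs(urlparse(auth_request_url).query)["state"][0]
    return CALLBACK_URL + "?" + urlencode({"code": code, "state": state})


def handle_callback(store, cookie_sid, callback_url):
    """Step 3: the state in the query must equal the one stored in the session
    named by the cookie that arrived *with this request*. A missing cookie, an
    expired session and a forged state all look identical to the gateway."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    session = store.get(cookie_sid) if cookie_sid else None
    expected = session.get("oidc_state") if session else None
    if expected is None or returned is None or \
            not hmac.compare_digest(expected.encode(), returned.encode()):
        raise StateMismatch("State parameter is different from the one sent in "
                            "authentication request. Session expired or possible "
                            "threat of cross-site request forgery")
    session.pop("oidc_state")          # the state is single-use
    new_sid = store.renew(cookie_sid)  # session renewed after a successful callback
    return query["code"][0], new_sid


def run_scenarios():
    """Exercise the happy path and the three ways the check fails."""
    store = SessionStore()
    outcome = {}

    def attempt(name, cookie_sid, cb_url):
        try:
            code, _ = handle_callback(store, cookie_sid, cb_url)
            outcome[name] = "accepted:" + code
        except StateMismatch:
            outcome[name] = "rejected"

    # Same cookie on the callback as on the initial request: accepted.
    sid = store.new()
    attempt("same_session", sid, provider_redirect(build_auth_request(store, sid, "my_client_id")))

    # Browser did not send the cookie (e.g. cookie scoped to another host or scheme).
    sid = store.new()
    attempt("no_cookie", None, provider_redirect(build_auth_request(store, sid, "my_client_id")))

    # Session expired between the redirect and the callback.
    sid = store.new()
    cb = provider_redirect(build_auth_request(store, sid, "my_client_id"))
    store.expire(sid)
    attempt("expired", sid, cb)

    # Real CSRF: a callback carrying an attacker's state against a victim session.
    sid = store.new()
    build_auth_request(store, sid, "my_client_id")
    forged = CALLBACK_URL + "?" + urlencode({"code": "attacker-code", "state": "attacker-state"})
    attempt("forged", sid, forged)
    return outcome


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:13s} {result}")
```

Only the callback that carries the cookie of the session that minted the state is accepted; the other three scenarios produce the same rejection. The practical consequence is that the first thing to verify in a setup like the one above is whether the browser actually presents the gateway's session cookie on the request to /gateway/knoxsso/api/v1/websso, i.e. whether that request goes to the same host and scheme for which the cookie was set when the authorization redirect was issued.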