Any thoughts on workarounds for this? I'm pretty much dead in the water at
this point. I started to dig into the code a bit, but avoided loading it
into Eclipse and trying to debug (it'd probably take me a while to get an
actual dev environment set up for this project and be able to debug). I'd
really like to use Knox for this project but not sure what to do at this
point. I'm just wondering if it is something that I don't have configured or
set up properly...

Cheers,

Ryan

On Sun, Mar 4, 2018 at 8:45 PM, Ryan H <ryan.howell.developm...@gmail.com>
wrote:

> Just tried with the 1.1.0-SNAPSHOT build with same result; but with a new
> warning now (might not be relevant, but including anyways). Same error as
> before if going incognito browser.
>
> Here is the error that I now get:
>
> 2018-03-04 20:37:50,653 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
> 2018-03-04 20:39:10,899 WARN  federation.jwt (AbstractJWTFilter.java:validateToken(305)) - Failed to verify the token signature.
>
> *Updated knoxsso.xml file:*
> <topology>
>   <gateway>
>     <provider>
>         <role>webappsec</role>
>         <name>WebAppSec</name>
>         <enabled>true</enabled>
>         <param><name>xframe.options.enabled</name><value>true</value></param>
>     </provider>
>     <provider>
>         <role>federation</role>
>         <name>pac4j</name>
>         <enabled>true</enabled>
>         <param>
>           <name>pac4j.session.store</name>
>           <value>J2ESessionStore</value>
>         </param>
>         <param>
>           <name>pac4j.callbackUrl</name>
>           <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>         </param>
>         <param>
>           <name>clientName</name>
>           <value>OidcClient</value>
>         </param>
>         <param>
>           <name>oidc.id</name>
>           <value>my_client_id</value>
>         </param>
>         <param>
>           <name>oidc.secret</name>
>           <value>my_client_secret</value>
>         </param>
>         <param>
>           <name>oidc.discoveryUri</name>
>           <value>https://my-openid-provider:443/.well-known/openid-configuration</value>
>         </param>
>         <param>
>           <name>oidc.preferredJwsAlgorithm</name>
>           <value>RS256</value>
>         </param>
>     </provider>
>   </gateway>
>
>   <application>
>     <name>knoxauth</name>
>   </application>
>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>         <name>knoxsso.cookie.secure.only</name>
>         <value>false</value>
>     </param>
>     <param>
>         <name>knoxsso.cookie.max.age</name>
>         <value>session</value>
>     </param>
>     <param>
>         <name>knoxsso.token.ttl</name>
>         <value>30000</value>
>     </param>
>     <param>
>        <name>knoxsso.redirect.whitelist.regex</name>
>        <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
>   </service>
> </topology>
>
>
>
> On Sun, Mar 4, 2018 at 8:26 PM, Sandeep Moré <moresand...@gmail.com>
> wrote:
>
>> Thanks for the update, I have a hunch that the "state" param is not
>> getting passed to Pac4J via the SessionStore (Error 1).
>> Keep us posted.
>>
>> Thanks !
>>
>> On Sun, Mar 4, 2018 at 7:40 PM, Ryan H <ryan.howell.developm...@gmail.com> wrote:
>>
>>> Hey Guys,
>>>
>>> I will pull 1.1.0 this evening and give it a go.
>>>
>>> A little more information on the flow for the error(s):
>>>
>>> When I log in with regular browser (not incognito), I get the following
>>> error:
>>> ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>>
>>> When I try to log in using an incognito browser, I get the following
>>> error:
>>> ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>> 2018-03-04 19:30:42,151 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>> ...
>>>
>>> As for the state param:
>>> When I log in using a regular browser (not incognito): the state param
>>> is the same.
>>>
>>> When I use the incognito browser: the state param is different from the
>>> OpenID provider and Knox (why I am not sure).
>>>
>>> I am using Cloud Foundry UAA for the OpenID provider, which works well
>>> when configured directly with Apache NiFi. I would like to use Apache Knox
>>> as our gateway though, for many reasons. I will follow up once I try
>>> with the 1.1.0 build of Knox.
>>>
>>> Cheers,
>>>
>>> Ryan
>>>
>>> On Sun, Mar 4, 2018 at 6:21 PM, Sandeep Moré <moresand...@gmail.com>
>>> wrote:
>>>
>>>> Hello Ryan,
>>>>
>>>> Can you check the value of the State parameter? You should see it in
>>>> the request and response.
>>>>
>>>> The state attribute is stored in the session, so if it is not getting
>>>> properly passed we might have an issue there (KNOX-1190 is tracking this);
>>>> the current implementation of SessionStore for Pac4J is a bit limited.
>>>>
>>>> Can you try adding the following to your knoxsso.xml topology with the
>>>> current Knox build (1.1.0, you will have to build it from source as this
>>>> will not work with the current 1.0.0 release)
>>>>
>>>>     <param>
>>>>         <name>pac4j.session.store</name>
>>>>         <value>J2ESessionStore</value>
>>>>     </param>
>>>>
>>>> I am hoping this should save the "state" variable in the in-memory
>>>> session store.
>>>>
>>>> Let us know what you find !
>>>>
>>>> Also, what OIDC provider are you trying to integrate with? Just curious to
>>>> know what all works with Knox.
>>>>
>>>>
>>>> On Sun, Mar 4, 2018 at 11:47 AM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>>>
>>>>> Hi Knox Users,
>>>>>
>>>>> I am rethreading this error I am getting as I mentioned it in a
>>>>> different thread that was about a different error (sorry to those active
>>>>> on the other email thread).
>>>>>
>>>>> I am running into an issue with KnoxSSO with the pac4j OIDC federation
>>>>> provider. When accessing the gateway, I am correctly redirected to my
>>>>> configured OpenID provider and upon successful authentication, redirected
>>>>> back to Knox but resulting in error. I am posting the relevant config
>>>>> files as well as the errors below. I have switched over to testBasicAuth
>>>>> just to confirm that I can connect to the NiFi app, which I can. I am not
>>>>> really sure where to go from here. I have sifted the internet and Knox
>>>>> documentation on this and haven't been able to find anything. I did find
>>>>> some info on this error with Play and pac4j with the way the session was
>>>>> being handled and assumed that Knox would handle this (if not, it is not
>>>>> documented that I can find). Any help is appreciated!
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Ryan
>>>>>
>>>>>
>>>>> *Error 1: *
>>>>> 2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>>>>
>>>>> *Error 2:*
>>>>> 2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>> 2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>     at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>>     at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>>>>>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>>>>>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>>>>>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>>>>>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>>>>>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>>>>>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>>>>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>     at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>     at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>>>>>     at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>     at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>>>>>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>     at org.eclipse.jetty.server.Server.handle(Server.java:499)
>>>>>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>>>>>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>>>>>     at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>>>>>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>>>>>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>     at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
>>>>>     at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
>>>>>     at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
>>>>>     at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
>>>>>     at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
>>>>>     at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
>>>>>     at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
>>>>>     at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>     at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>>>>>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>>>>     ... 35 more
>>>>>
>>>>>
>>>>> *knoxsso.xml:*
>>>>> <topology>
>>>>>   <gateway>
>>>>>     <provider>
>>>>>         <role>webappsec</role>
>>>>>         <name>WebAppSec</name>
>>>>>         <enabled>true</enabled>
>>>>>         <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>>     </provider>
>>>>>     <provider>
>>>>>         <role>federation</role>
>>>>>         <name>pac4j</name>
>>>>>         <enabled>true</enabled>
>>>>>         <param>
>>>>>           <name>pac4j.callbackUrl</name>
>>>>>           <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>         </param>
>>>>>         <param>
>>>>>           <name>clientName</name>
>>>>>           <value>OidcClient</value>
>>>>>         </param>
>>>>>         <param>
>>>>>           <name>oidc.id</name>
>>>>>           <value>my_client_id</value>
>>>>>         </param>
>>>>>         <param>
>>>>>           <name>oidc.secret</name>
>>>>>           <value>my_client_secret</value>
>>>>>         </param>
>>>>>         <param>
>>>>>           <name>oidc.discoveryUri</name>
>>>>>           <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
>>>>>         </param>
>>>>>         <param>
>>>>>           <name>oidc.preferredJwsAlgorithm</name>
>>>>>           <value>RS256</value>
>>>>>         </param>
>>>>>     </provider>
>>>>>   </gateway>
>>>>>
>>>>>   <application>
>>>>>     <name>knoxauth</name>
>>>>>   </application>
>>>>>
>>>>>   <service>
>>>>>     <role>KNOXSSO</role>
>>>>>     <param>
>>>>>         <name>knoxsso.cookie.secure.only</name>
>>>>>         <value>false</value>
>>>>>     </param>
>>>>>     <param>
>>>>>         <name>knoxsso.cookie.max.age</name>
>>>>>         <value>session</value>
>>>>>     </param>
>>>>>     <param>
>>>>>         <name>knoxsso.token.ttl</name>
>>>>>         <value>30000</value>
>>>>>     </param>
>>>>>     <param>
>>>>>        <name>knoxsso.redirect.whitelist.regex</name>
>>>>>        <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>>     </param>
>>>>>   </service>
>>>>> </topology>
>>>>>
>>>>>
>>>>>
>>>>> *sandbox.xml:*
>>>>> <topology>
>>>>>   <gateway>
>>>>>     <provider>
>>>>>         <role>federation</role>
>>>>>         <name>SSOCookieProvider</name>
>>>>>         <enabled>true</enabled>
>>>>>         <param>
>>>>>             <name>sso.authentication.provider.url</name>
>>>>>             <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>         </param>
>>>>>     </provider>
>>>>>
>>>>>     <provider>
>>>>>         <role>identity-assertion</role>
>>>>>         <name>Default</name>
>>>>>         <enabled>true</enabled>
>>>>>     </provider>
>>>>>   </gateway>
>>>>>
>>>>>   <service>
>>>>>     <role>NIFI</role>
>>>>>     <url>http://localhost:8080</url>
>>>>>   </service>
>>>>>   <application>
>>>>>     <role>admin-ui</role>
>>>>>   </application>
>>>>>   <service>
>>>>>     <role>KNOX</role>
>>>>>   </service>
>>>>> </topology>
>>>>>
>>>>>
>>>>
>>>
>>
>
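The "State parameter is different from the one sent in authentication request" error discussed in the thread is the OIDC relying party failing to match the state it receives on the callback against the one it saved in the user's session before redirecting to the provider. The following is an added example of that round trip, written for this page; it is not code from the thread, from Knox or from pac4j. SessionStore, Gateway and provider_redirect are hypothetical names, and the endpoint, client id and authorization code are constructed sample values. It shows the normal flow, the callback arriving without a reachable session (nothing to compare against, so the check fails even though the provider echoed the right state), and a forged callback, which the relying party cannot tell apart from the second case.

```python
"""Model of the OIDC authorization-code "state" round trip.

Added example for this thread, not code from Knox or pac4j. Names are
hypothetical; URLs, client id and codes are constructed sample values.
"""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values standing in for the thread's configuration.
AUTHZ_ENDPOINT = "https://my-openid-provider:443/oauth/authorize"
CALLBACK_URL = "https://localhost:8443/gateway/knoxsso/api/v1/websso"
CLIENT_ID = "my_client_id"


class StateMismatch(Exception):
    """Callback state does not match the one saved in the session."""


class SessionStore:
    """Hypothetical in-memory store keyed by a session-cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {}
        return sid

    def put(self, sid: str, key: str, value: str) -> None:
        self._sessions[sid][key] = value

    def pop(self, sid: Optional[str], key: str) -> Optional[str]:
        """Read and remove, so a stored state can be consumed only once.
        A request that carries no valid cookie has no session to read."""
        if sid is None or sid not in self._sessions:
            return None
        return self._sessions[sid].pop(key, None)


class Gateway:
    """Relying party: builds the authorization redirect, checks the callback."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store

    def begin_login(self, sid: str) -> str:
        """Save a fresh unguessable state in this session, return redirect URL."""
        state = secrets.token_urlsafe(24)
        self.store.put(sid, "oidc.state", state)
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": CALLBACK_URL, "scope": "openid", "state": state}
        return AUTHZ_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, sid: Optional[str], callback_url: str) -> str:
        """Require the returned state to equal the one bound to this session."""
        query = parse_qs(urlsplit(callback_url).query)
        returned = query.get("state", [""])[0]
        expected = self.store.pop(sid, "oidc.state")
        # Missing session, consumed state, or different value: all one outcome.
        if not expected or not hmac.compare_digest(expected, returned):
            raise StateMismatch("State parameter is different from the one sent "
                                "in authentication request. Session expired or "
                                "possible threat of cross-site request forgery")
        return query.get("code", [""])[0]


def provider_redirect(authz_url: str, code: str) -> str:
    """Simulated provider: sends the browser back to redirect_uri with a
    code and exactly the state it was given."""
    q = parse_qs(urlsplit(authz_url).query)
    return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})


def happy_path() -> str:
    """Same session on the redirect and on the callback: code accepted."""
    store = SessionStore()
    gw = Gateway(store)
    sid = store.new_session()  # the browser holds this session cookie
    callback = provider_redirect(gw.begin_login(sid), "authz-code-123")
    return gw.handle_callback(sid, callback)


def callback_without_session() -> bool:
    """Provider echoed the correct state, but the callback request reaches
    no session that holds it (cookie not sent, or state never persisted)."""
    store = SessionStore()
    gw = Gateway(store)
    sid = store.new_session()
    callback = provider_redirect(gw.begin_login(sid), "authz-code-123")
    try:
        gw.handle_callback(None, callback)
    except StateMismatch:
        return True
    return False


def forged_callback() -> bool:
    """Attacker-chosen state delivered into a victim's live session."""
    store = SessionStore()
    gw = Gateway(store)
    sid = store.new_session()
    gw.begin_login(sid)
    forged = CALLBACK_URL + "?" + urlencode({"code": "attacker-code", "state": "attacker-state"})
    try:
        gw.handle_callback(sid, forged)
    except StateMismatch:
        return True
    return False
```

The point for debugging a gateway: the state itself can be byte-for-byte identical in the provider's redirect and in the request that hits the callback URL, and the check still fails if the callback request does not carry the session in which the state was saved. So besides comparing the two `state` values, look at whether the callback request carries the same session cookie that was set on the initial redirect, and whether the configured session store actually retains attributes across those two requests.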

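Separately from the state problem, the knoxsso.redirect.whitelist.regex value in the thread's knoxsso.xml is worth a check of its own, since it is what stops the SSO endpoint from redirecting a freshly issued cookie to an arbitrary site. The following is an added example, written for this page rather than taken from the thread or from Knox, and it goes beyond the thread's question. It exercises that regex, copied verbatim, against a few constructed redirect targets and compares the verdicts with a check that parses the URL and compares only the hostname. The assumption is that the regex is applied to the raw URL string, as a regex whitelist normally is; what the example demonstrates is a property of the regex text itself, not a claim about how Knox applies it.

```python
"""Regex whitelist versus parsed-hostname check for an SSO redirect target.

Added example for this thread, not code from Knox. The regex is the value
quoted in the thread's knoxsso.xml; the sample URLs are constructed.
"""
import re
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Verbatim from the thread's knoxsso.redirect.whitelist.regex parameter.
WHITELIST_REGEX = re.compile(
    r"^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
)
# The hosts that regex is evidently meant to allow (assumption).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "0:0:0:0:0:0:0:1", "::1"}


def regex_allows(url: str) -> bool:
    """Whitelist as written: a string match over the whole URL."""
    return WHITELIST_REGEX.fullmatch(url) is not None


def parsed_allows(url: str) -> bool:
    """Stricter check: parse first, refuse userinfo, compare the host only."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # "https://localhost:80@attacker.example/" parses as username "localhost",
    # password "80", host "attacker.example"; the browser goes to the host.
    # The regex above accepts that string because ".*" swallows "0@attacker...".
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, with port and IPv6 brackets stripped
    return host is not None and host in ALLOWED_HOSTS


# Constructed sample redirect targets.
SAMPLE_URLS = [
    "https://localhost:8443/gateway/sandbox/nifi-app/",
    "https://localhost:80@attacker.example/",
    "https://localhost.attacker.example:8443/",
    "https://attacker.example/?next=https://localhost:8443/",
    "javascript:alert(1)",
]


def evaluate(urls: Iterable[str] = SAMPLE_URLS) -> Dict[str, Tuple[bool, bool]]:
    """Map each URL to (verdict of the regex, verdict of the parsed check)."""
    return {u: (regex_allows(u), parsed_allows(u)) for u in urls}


if __name__ == "__main__":
    print("regex parsed url")
    for url, (by_regex, by_parse) in evaluate().items():
        print(f"{str(by_regex):5} {str(by_parse):6} {url}")
```

Run stand-alone it prints the two verdicts side by side; the one row where they differ is the userinfo form, which the regex accepts and the parsed check refuses. A whitelist regex that ends in `.*` after the port should at least be anchored to a `/` or end of string before the path, and a parser-based host comparison is the safer default when the gateway offers one.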