[
https://issues.apache.org/jira/browse/KNOX-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18019160#comment-18019160
]
ASF subversion and git services commented on KNOX-3186:
-------------------------------------------------------
Commit 890ebc7d291f99afc2e4248e7018bfb99a310991 in knox's branch
refs/heads/v2.1.0 from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=890ebc7d2 ]
KNOX-3186 - istio external authorizer support for SSOCookieProvider (#1081)
> SSOCookieProvider does not work with istio external authorizer
> --------------------------------------------------------------
>
> Key: KNOX-3186
> URL: https://issues.apache.org/jira/browse/KNOX-3186
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> SSOCookieProvider does not work in its current form with istio external
> authorizer
> * The reason SSOCookieProvider does not work in its current form is because
> of the way istio external authorizer forwards the request.
> * Say a request comes to the endpoint [https://www.local.com:8443/knox/]
> protected by istio external authorizer.
> * It is intercepted by istio and forwarded to
> [http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/]
> * Sandbox topology kicks off SSO flow
> [https://www.local.com:8443/gateway/knoxsso/api/v1/websso?originalUrl=http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|https://www.local.com:8443/gateway/knox-test-samlsso/api/v1/websso?originalUrl=http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/],
> notice that the originalURL is not [https://www.local.com:8443/knox/] but
> [http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/]
> After successful SSO the request ends up at
> [http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/|http://www.local.com:8443/gateway/knox-test-cdpauth/auth/api/v1/extauthz/knox/]
> which is not where we want it to go.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
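
The redirect problem described in the issue, as an added example that is not part of the Jira message and is not Knox code: it contrasts the reported `originalUrl` with one rebuilt by undoing the authorizer's path rewrite. The prefix and hosts are taken from the URLs in the description; the function names, the allowlist, and the use of a proxy-supplied scheme (such as an `X-Forwarded-Proto` header) are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Values taken from the URLs in the issue description.
EXTAUTHZ_PREFIX = "/gateway/sandbox/auth/api/v1/extauthz"
WEBSSO = "https://www.local.com:8443/gateway/knoxsso/api/v1/websso"
# Hypothetical allowlist of hosts that may be used as an SSO redirect target.
ALLOWED_HOSTS = {"www.local.com:8443"}


def original_url_as_reported(forwarded_url):
    """Behaviour described in the issue: the forwarded URL is used unchanged."""
    return forwarded_url


def original_url_restored(forwarded_url, forwarded_proto="https"):
    """Rebuild the user-facing URL from the request the authorizer forwarded.

    forwarded_proto stands in for a proxy-supplied scheme (assumption; the
    issue does not say where the original scheme would come from).
    """
    parts = urlsplit(forwarded_url)
    if parts.netloc not in ALLOWED_HOSTS:
        raise ValueError("host is not an allowed SSO redirect target")
    if forwarded_proto not in ("http", "https"):
        raise ValueError("unexpected scheme")
    path = parts.path
    if path != EXTAUTHZ_PREFIX and not path.startswith(EXTAUTHZ_PREFIX + "/"):
        raise ValueError("request did not arrive through the extauthz path")
    # Drop the check prefix so the path is the one the user requested.
    user_path = path[len(EXTAUTHZ_PREFIX):] or "/"
    return urlunsplit((forwarded_proto, parts.netloc, user_path, parts.query, ""))


def websso_redirect(original_url):
    """Build the KnoxSSO redirect with originalUrl percent-encoded."""
    return WEBSSO + "?" + urlencode({"originalUrl": original_url})


if __name__ == "__main__":
    fwd = "http://www.local.com:8443/gateway/sandbox/auth/api/v1/extauthz/knox/"
    print("reported:", websso_redirect(original_url_as_reported(fwd)))
    print("restored:", websso_redirect(original_url_restored(fwd)))
```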