pac4j and Apache Knox

2015-11-06 Thread Jérôme LELEU
Hi, Let's open this private discussion on the Knox dev mailing list. I'm Jerome Leleu and the creator of pac4j (https://github.com/pac4j/pac4j), a security engine for Java with many implementations for J2E, Play, Spring, Vertx, Ratpack... The idea is to offer something as powerful as Spring Secur

Re: pac4j and Apache Knox

2015-11-10 Thread Kevin Minder
Hi Jerome, This sounds very exciting and is just the sort of thing the open architecture of Knox is intended to allow. Larry and I have looked at pac4j a number of times thinking that it would be a good fit and would provide a great feature set to the Hadoop community. Kevin. On 11/6/15, 3:3

Re: pac4j and Apache Knox

2015-11-10 Thread Jérôme LELEU
Hi, Perfect timing ;-) I have started implementing the pac4j support in Knox, it's a very basic attempt: https://github.com/apache/knox/pull/2/files This implementation reuses the pac4j implementation for J2E. I have a ProviderDeploymentContributorBase which registers two filters: - the first one

Re: pac4j and Apache Knox

2015-11-10 Thread larry mccay
Hi Jérôme - Happy to see you here! I apologize for having missed your note on the list a few days ago. Glad to see that the article was helpful and it seems like you are making great progress. Let me dig into your note a bit deeper and answer your questions. Welcome! --larry On Tue, Nov 10, 2

Re: pac4j and Apache Knox

2015-11-10 Thread larry mccay
Let's get you past the error that you are getting... It seems as though you have changed the topology for pac4j but didn't change the role to "federation". It looks like it is grabbing a random authentication provider and seems to be the hadoop-auth provider. Change that to federation and see if t

Re: pac4j and Apache Knox

2015-11-10 Thread Kevin Minder
To be a bit more explicit your Pac4jFederationProviderContributor declares itself to be of role “federation” but when you used it in the sandbox.xml topology file you were attempting to configure it as a provider with role authentication. On 11/10/15, 11:32 AM, "larry mccay" wrote: >Let's

Re: pac4j and Apache Knox

2015-11-10 Thread Jérôme LELEU
Good catch. Will test with the right role... 2015-11-10 17:36 GMT+01:00 Kevin Minder : > To be a bit more explicit your Pac4jFederationProviderContributor declares > itself to be of role “federation” but when you used it in the sandbox.xml > topology file you were attempting to configure it as a

Re: pac4j and Apache Knox

2015-11-12 Thread Jérôme LELEU
Hi, By changing the role to the appropriate value, the error is gone, but I have a new problem: *Caused by: javax.servlet.ServletException: Required authentication provider URL is missing.* * at org.apache.hadoop.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.init(SSOCookieFeder

Re: pac4j and Apache Knox

2015-11-12 Thread larry mccay
We really need to fix this behavior... It seems you traded in your random authentication provider for a random federation provider. :/ This is most likely due to not having your new provider on the classpath for the serviceLoader to find. Just to try and articulate how it works... The deploymen

Re: pac4j and Apache Knox

2015-11-12 Thread Kevin Minder
I think I know what it probably is. The gateway-release module pom.xml is what actually defines the classpath of the final packaged server. If you take a look at that you will see it references all of the providers that are intended to be included by default. Try adding yours to the dependenc

Re: pac4j and Apache Knox

2015-11-12 Thread larry mccay
Yes, Kevin, that seems to be missing from the pull request. Also, the parent pom doesn't have all of the changes needed to add a new module. See the section in the article called "Root Level Pom.xml" and the section below that for the "Gateway Release Module Pom.xml" https://github.com/lmccay/gate

Re: pac4j and Apache Knox

2015-11-12 Thread Jérôme LELEU
Hi, Thanks for your feedback. I didn't understand why the dependency was required so I didn't add it. Now, it starts working: *$ curl -ivk "https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS "* ** Trying ::1.

Re: pac4j and Apache Knox

2015-11-12 Thread larry mccay
Terrific! Okay... original questions: 1) Webflow: is it normal to get a redirection to Facebook or another IdP when I made the request (for such a configuration of course)? Is this request meant to happen in a browser? (because it's the use case it was made for) It is normal. The usecases in whi

Re: pac4j and Apache Knox

2015-11-13 Thread Jérôme LELEU
Hi, 1) Webflow: I think I get the idea with the KnoxSSO service: how can I test everything to ensure pac4j works correctly with it and will be usable in Hadoop UIs? 2) Callback url: For indirect clients, pac4j is designed to be called on any url, to save it, to call the identity provider provid

Re: pac4j and Apache Knox

2015-11-13 Thread larry mccay
Hi Jérôme - Great questions and I'm so glad that you are here to ask them. I think that the set of documentation that I am working on for a KnoxSSO integration guide will probably answer most of your questions. I need to spend a bit more time thinking about the some of it so that I can incorporat

Re: pac4j and Apache Knox

2015-11-13 Thread Kevin Minder
I’ll add a bit to the logging answer. I created that for several reasons. 1) Localization as Larry mentions. 2) It abstracts from the actual logging provider and you can see for example gateway-i18n-logging-sl4j as an alternate integration. 3) Another important aspect is centralization. It centralize

Re: pac4j and Apache Knox

2015-11-14 Thread larry mccay
Here is a *very* early version of an integration guide for KnoxSSO: http://knox.apache.org/books/knox-0-7-0/knoxsso_integration.html It will walk you through setting up an environment to for using KnoxSSO to secure the REST APIs using KnoxSSO cookies and a webflow. The initial environment uses si

Re: pac4j and Apache Knox

2015-11-16 Thread Jérôme LELEU
Hi, Thanks for the explanations. I'll use the MessageFactory in the gateway-provider-security-pac4j and log4j for all pac4j components. Best regards, Jérôme 2015-11-13 15:51 GMT+01:00 Kevin Minder : > I’ll add a bit to the logging answer. I created that for several reasons. > 1) Localization

Re: pac4j and Apache Knox

2015-11-16 Thread Jérôme LELEU
Hi, Thanks for providing this early documentation. I will study it carefully. Best regards, Jérôme 2015-11-14 19:03 GMT+01:00 larry mccay : > Here is a *very* early version of an integration guide for KnoxSSO: > > http://knox.apache.org/books/knox-0-7-0/knoxsso_integration.html > > It will wal

Re: pac4j and Apache Knox

2015-11-18 Thread Jérôme LELEU
Hi, I've read the documentation and things seem fairly clear to me. Let me share my understanding and progress: - the KnoxSSO service is mandatory and the gateway-provider-security-pac4j won't work without it: the KnoxSSO service is responsible for creating a hadoop-jwt cookie from the current au

Re: pac4j and Apache Knox

2015-11-18 Thread larry mccay
Hi Jérôme - Great progress! You have the flow down perfectly. You should be also aware that the SSOCookieProvider is a mechanism for consuming the SSO cookie for the REST APIs. There are also integrations for the various Hadoop UIs - most components within the core Hadoop common project have a UI

Re: pac4j and Apache Knox

2015-11-19 Thread Jérôme LELEU
Hi, I'm looking forward to reading the new documentation you'll write on the REST API support. About the 404, I'm not sure I understand why you want me to remove "idp/" from the url as the KnoxSSO service is defined in the idp.xml topology: does its url not have a /idp? About the OpenID Connect su

Re: pac4j and Apache Knox

2015-11-19 Thread larry mccay
Ahhh - in that case use: https://localhost:8443/gateway/idp/api/v1/websso The original resource path for the knoxsso service would have made it more like: https://localhost:8443/gateway/idp/knoxsso/api/v1/websso Which seems redundant and arbitrary. We need to evolve such services to be distinct

Re: pac4j and Apache Knox

2015-11-24 Thread Jérôme LELEU
Hi, As the j2e-pac4j library now supports the required features for Knox, I restarted working on pac4j - Knox integration. Though, I have a very strange error. The deployment of the WARs fails with the following error: *java.lang.IllegalArgumentException: Not supported: indent-number* I tried to

Re: pac4j and Apache Knox

2015-11-24 Thread larry mccay
Hi Jérôme - That's a new one for me. Strikes me as a library mismatch or something. What does your pom.xml look like? thanks, --larry On Tue, Nov 24, 2015 at 9:03 AM, Jérôme LELEU wrote: > Hi, > > As the j2e-pac4j library now supports the required features for Knox, I > restarted working on

Re: pac4j and Apache Knox

2015-11-24 Thread Jérôme LELEU
Hi, I updated the pull request with my latest changes: https://github.com/apache/knox/pull/2/files#diff-3b70d7177f6e0b395f99316a73bb71b0R17 Thanks. Best regards, Jérôme 2015-11-24 16:04 GMT+01:00 larry mccay : > Hi Jérôme - > > That's a new one for me. > Strikes me as a library mismatch or som

Re: pac4j and Apache Knox

2015-11-24 Thread larry mccay
We may need to change that line in XmlGatewayDescriptorExporter - try replacing it with the following: t.setOutputProperty(OutputKeys.INDENT, "yes"); t.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2"); Not sure why you got the next error when you commented it out. Again, it ma

Re: pac4j and Apache Knox

2015-11-24 Thread Jérôme LELEU
Hi, You were right: there was an issue between my xalan dependency (excluding it solves the problem for now). But I've noticed something else: even when defining a provider parameter like NAME, I get name as servlet parameter: are the values transformed in lower case when injected in filters or a

Re: pac4j and Apache Knox

2015-11-24 Thread larry mccay
Yes, look at the code that "blindly copies the parameters as filter init params in your Pac4jFederationProviderContributor There is a toLowerCase, there is no reason that you need that and if you are case sensitive in your external code then you should remove it. On Tue, Nov 24, 2015 at 3:16 PM, J

Re: pac4j and Apache Knox

2015-11-24 Thread Jérôme LELEU
Good catch. Mostly a copy/paste I did from Picketlink ;-) 2015-11-24 21:25 GMT+01:00 larry mccay : > Yes, look at the code that "blindly copies the parameters as filter init > params in your Pac4jFederationProviderContributor > There is a toLowerCase, there is no reason that you need that and if

Re: pac4j and Apache Knox

2015-11-25 Thread Jérôme LELEU
Hi, Thanks for all your help. I've made the pac4j integration work in Knox (using a simple basic auth where login = pwd or a remote CAS server). I have two points left (before more tests and documentation): 1) In my Pac4jIdentityAdapter, I successfully retrieved the authenticated user and perfo

Re: pac4j and Apache Knox

2015-11-25 Thread larry mccay
inline... On Wed, Nov 25, 2015 at 5:04 AM, Jérôme LELEU wrote: > Hi, > > Thanks for all your help. I've made the pac4j integration work in Knox > (using a simple basic auth where login = pwd or a remote CAS server). > > Great! > I have two points left (before more tests and documentation): >

Re: pac4j and Apache Knox

2015-11-25 Thread larry mccay
Adding Kevin - since he is somehow not getting this thread anymore... On Wed, Nov 25, 2015 at 8:18 AM, larry mccay wrote: > inline... > > On Wed, Nov 25, 2015 at 5:04 AM, Jérôme LELEU wrote: > >> Hi, >> >> Thanks for all your help. I've made the pac4j integration work in Knox >> (using a simpl

Re: pac4j and Apache Knox

2015-12-01 Thread Jérôme LELEU
Hi, 1) About the identity-assertion provider, I don't understand what its role is. I added it in my idp.xml topology but unsuccessfully: https://github.com/apache/knox/pull/2/files#diff-4ea9a9a5ee5968f29982478512a63c54R40 Though, I still don't have any principal. I have a log telling me the user p

Re: pac4j and Apache Knox

2015-12-01 Thread larry mccay
Hi Jérôme - I am trying to figure out why you aren't getting the username in WebSSOResource. If the default identity-assertion provider is indeed in place then you should get it. Is the pac4j identity adapter filter in the same request processing as the websso resource? Not an easily asked questi

Re: pac4j and Apache Knox

2015-12-02 Thread Jérôme LELEU
Hi, I'm a bit lost: how should the principal provided in Subject.doAs become available in request.getPrincipalUser()? I've done one more debugging session, but unsuccessfully. I'm confident the flow is correct. Let me summarize what I understand one more time: - I call https://127.0.0.1:8443/gatewa

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
Hi Jérôme - Yes, that is the flow that I imagined as I walked through it yesterday. It's great that there is an online CAS server to use - that's what was keeping me from trying it out. I will give it a go and keep you posted. thanks, --larry On Wed, Dec 2, 2015 at 3:41 AM, Jérôme LELEU wrote

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
Oh - do I need to build j2e-pac4 locally in order to resolve the dependencies? [ERROR] Failed to execute goal on project gateway-provider-security-pac4j: Could not resolve dependencies for project org.apache.knox:gateway-provider-security-pac4j:jar:0.7.0-SNAPSHOT: The following artifacts could not

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
gateway-provider-security-pac4j doesn't build - do you have a pending change for your pom.xml or something? On Wed, Dec 2, 2015 at 7:02 AM, larry mccay wrote: > Hi Jérôme - > > Yes, that is the flow that I imagined as I walked through it yesterday. > It's great that there is an online CAS server

Re: pac4j and Apache Knox

2015-12-02 Thread Jérôme LELEU
Hi, You need the j2e-pac4j dependencies as well as the pac4j-* dependencies, but you don't need to build them locally (hopefully). But you need a dependency on the Sonatype snapshots repository (where the snapshot versions are hosted), which is added for Maven in the root pom.xml: https://github.

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
hmmm - I used: mvn clean install -DskipTests=true -Prelease The repository entry is in there already. No worky. On Wed, Dec 2, 2015 at 10:12 AM, Jérôme LELEU wrote: > Hi, > > You need the j2e-pac4j dependencies as well as the pac4j-* dependencies, > but you don't need to build them locally (ho

Re: pac4j and Apache Knox

2015-12-02 Thread Jérôme LELEU
This is my exact command line: mvn -Prelease clean install -DskipTests You use an internal Maven repository to fetch dependencies from the internet: http://nexus-private.hortonworks.com/nexus/content/groups/public/ Does this repository have access to the remote Snapshots Sonatype repo? 2015-12-02

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
That was it - thanks! On Wed, Dec 2, 2015 at 10:20 AM, Jérôme LELEU wrote: > This is my exact command line: mvn -Prelease clean install -DskipTests > > You use an internal Maven repository to fetch dependencies from internet: > http://nexus-private.hortonworks.com/nexus/content/groups/public/ >

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
Okay - I had to add an override of getUserPrincipal() to the IdentityAsserterHttpServletRequestWrapper and return the member variable username and it works like a charm. Why I haven't seen this same behavior with other providers is a bit of a mystery but they must be adding other wrappers that han

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
Jérôme - If you would like to add that change as part of your patch or as a separately filed JIRA to fix a bug that would certainly be welcomed. Otherwise, I can do it. Let me know. thanks, --larry On Wed, Dec 2, 2015 at 11:44 AM, larry mccay wrote: > Okay - I had to add an override of getUs

Re: pac4j and Apache Knox

2015-12-02 Thread Jérôme LELEU
Hi, Why it doesn't work for pac4j while it works for others is a bit strange to me, but if you have the patch in front of your eyes, I'd rather you committed it. In all cases, I'll sync with the master. There was one question you didn't answer previously: is the password generated for the

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
Sure - I can file a JIRA and commit a fix. The secret generation should be done in one instance and replicated across others. This replication/management of the credential stores is outside of the scope of Knox itself as of now. Documentation is done in markdown and contributing details are av

Re: pac4j and Apache Knox

2015-12-02 Thread larry mccay
Fixed in https://issues.apache.org/jira/browse/KNOX-636. On Wed, Dec 2, 2015 at 12:42 PM, larry mccay wrote: > Sure - I can file a JIRA and commit a fix. > > The secret generation should be done in one instance and replicated across > others. > This replication/management of the credential store

Re: pac4j and Apache Knox

2015-12-03 Thread larry mccay
"Why it doesn't work for pac4j while it works for others is a bit strange to me," I forgot to address this and it may be of interest for you in pac4j... I believe that the other authentication providers that I have tested with have their own request wrappers that are taking care of the getUserPri

Re: pac4j and Apache Knox

2015-12-03 Thread Jérôme LELEU
Yes, it's a good explanation. The j2e-pac4j does not do that in fact as for all pac4j implementations, the ProfileManager based on the current WebContext is the good way to get the current authenticated user... 2015-12-03 13:28 GMT+01:00 larry mccay : > "Why it doesn't work for pac4j while it wo

Re: pac4j and Apache Knox

2015-12-03 Thread Jérôme LELEU
Hi, I just sync'ed with master, cleaned dependencies and added missing Javadocs. Everything works correctly now. Many thanks. The pull request is ready for a full code review: https://github.com/apache/knox/pull/2 I'll write the documentation after the pac4j releases (I hope next week). Thanks.

Re: pac4j and Apache Knox

2015-12-03 Thread larry mccay
Excellent! I will carve out some time to do code review. We will need to get some insights into how to go about testing: * is the CAS server going to be available for testing? * what are the specific and generic/standard (if any) authentication mechanisms available - for instance: - Facebook,

Re: pac4j and Apache Knox

2015-12-03 Thread Jérôme LELEU
Hi, I will write how to configure the pac4j provider in the documentation, but I can already give you some insights. My main goal is always to respect the key design principles of pac4j whatever the environment / framework in which it is implemented. For Knox, I'm pretty happy with the use of the

Re: pac4j and Apache Knox

2015-12-04 Thread larry mccay
Excellent, Jérôme. Thanks! On Fri, Dec 4, 2015 at 2:40 AM, Jérôme LELEU wrote: > Hi, > > I will write how to configure the pac4j provider in the documentation, but > I can already give you some insights. > > My main goal is always to respect the key design principles of pac4j > whatever the envi

Re: pac4j and Apache Knox

2015-12-04 Thread larry mccay
That ability to configure multiple mechanisms based on clientName is really interesting for Knox. Currently, we require separate topologies per authentication mechanism. The ability to configure them all in one is really great. We would need to think through the best way to provide the clientName

Re: pac4j and Apache Knox

2015-12-11 Thread Jérôme LELEU
Hi, I didn't get any new feedback on the pull request so I assume everything is ok from your point of view. I released pac4j v1.8.1 and j2e-pac4j v1.2.1 so I updated the pull request to use them and successfully re-tested everything. I opened KNOX-641 and submitted the corresponding patch. I al

Re: pac4j and Apache Knox

2015-12-11 Thread larry mccay
Hi Jérôme - I have unfortunately not had a chance to pull, review and test it yet and have intended to do that today. I apologize for the delay. I was actually thinking that this would go into a follow up release that we would try and get done rapidly after the 0.7.0 release but we can discuss th

Re: pac4j and Apache Knox

2015-12-11 Thread Jérôme LELEU
Hi, No problem. It can go into a version 0.8.0 if needed. The truth is that there is only one change outside the new pac4j module, so I think risks are extremely limited. Just let me know. Thanks. Best regards, Jérôme 2015-12-11 14:23 GMT+01:00 larry mccay : > Hi Jérôme - > > I have unfortuna

Re: pac4j and Apache Knox

2015-12-14 Thread larry mccay
Hi Jérôme - Not sure if you saw but I added review comments to KNOX-641. I think that we need to determine whether we want the testBasicAuth in the provider itself. Let's follow up on the JIRA. thanks, --larry On Fri, Dec 11, 2015 at 8:44 AM, Jérôme LELEU wrote: > Hi, > > No problem. It can

Re: pac4j and Apache Knox

2015-12-14 Thread Jérôme LELEU
Thanks for the review. I will read your comments and post on the JIRA... 2015-12-14 15:28 GMT+01:00 larry mccay : > Hi Jérôme - > > Not sure if you saw but I added review comments to KNOX-641. > > I think that we need to determine whether we want the testBasicAuth in the > provider itself. > > Le

Re: pac4j and Apache Knox

2016-01-05 Thread Jérôme LELEU
Hi, Happy new year! A few days ago, I updated my patch of the pac4j gateway provider according to all comments on https://issues.apache.org/jira/browse/KNOX-641 as well as the documentation on KNOX-642. Is everything ok for the merge? Thanks. Best regards, Jérôme 2015-12-14 15:28 GMT+01:00 la

Re: pac4j and Apache Knox

2016-01-05 Thread larry mccay
Hello Jérôme - Happy New Year! I am going to start reviewing your updates today, hopefully. I was thinking that we need to start discussions on what the key usecases are and how to go about testing them. We can certainly test the testBasicAuth and against the hosted CAS server but what about FB,

Re: pac4j and Apache Knox

2016-01-05 Thread Jérôme LELEU
Hi, Glad to hear back from you! The core pac4j project is fully tested by unit tests (and some integration tests I run for major versions), then all pac4j implementations are each tested by the appropriate demo: j2e-pac4j-demo tests j2e-pac4j, spring-webmvc-pac4j-demo tests spring-webmvc-pac4j, et

Re: pac4j and Apache Knox

2016-01-05 Thread larry mccay
Great - thanks for that pointer! I will take a look at that and help drive the release related testing. Merge testing will be gated on CAS server (is this SAML or CAS protocol?) and testBasicAuth. On Tue, Jan 5, 2016 at 10:52 AM, Jérôme LELEU wrote: > Hi, > > Glad to hear back from you! > > The

Re: pac4j and Apache Knox

2016-01-05 Thread Jérôme LELEU
The online CAS server (https://casserverpac4j.herokuapp.com/login) uses the CAS protocol. SAML support can be tested using some online IdP like Okta, TestShib, OpenFeide, Ssocircle... 2016-01-05 17:32 GMT+01:00 larry mccay : > Great - thanks for that pointer! > > I will take a look at that and h

Re: pac4j and Apache Knox

2016-01-05 Thread larry mccay
Okay, very good. I've used TestShib for the picketlink provider - thanks for the pointers! On Tue, Jan 5, 2016 at 1:38 PM, Jérôme LELEU wrote: > The online CAS server (https://casserverpac4j.herokuapp.com/login) uses > the > CAS protocol. SAML support can be tested using some online IdP like Okt

Re: pac4j and Apache Knox

2016-01-05 Thread Kevin Minder
From my perspective it would be ideal if there were some automatable functional tests for this. I’m not advocating that these be something included in “mvn clean install” as that is running too long as it is. Given that I don’t have as much context as Larry, I have some questions about what th

Re: pac4j and Apache Knox

2016-01-05 Thread Jérôme LELEU
Hi, Yes, you can hit the CAS server at Heroku. Notice it's a Heroku free server so it needs to be re-activated first (it takes a couple of seconds). So for a UI test, you should first hit it, wait 30 seconds and then perform the test. Just my 2 cents: Using automated UI tests was my first strateg

Re: pac4j and Apache Knox

2016-01-06 Thread Kevin Minder
I can certainly appreciate the issue of including external resources in automated tests. Nothing has driven me more crazy over the years. The flip side of this of course is not finding out about a breakage until someone is willing to go through the manual testing which will typically happen ju

Re: pac4j and Apache Knox

2016-01-06 Thread larry mccay
Jérôme - Please see the comments on KNOX-641. thanks, --larry On Wed, Jan 6, 2016 at 11:24 AM, Kevin Minder wrote: > I can certainly appreciate the issue of including external resources in > automated tests. Nothing has driven me more crazy over the years. The > flip side of this of course

Re: pac4j and Apache Knox

2016-01-08 Thread larry mccay
Jérôme - My testing of OpenID Connect is blocked. Can you see the comments in KNOX-641? thanks, --larry On Wed, Jan 6, 2016 at 2:30 PM, larry mccay wrote: > Jérôme - > > Please see the comments on KNOX-641. > > thanks, > > --larry > > On Wed, Jan 6, 2016 at 11:24 AM, Kevin Minder < > kevin.mi

Re: pac4j and Apache Knox

2016-01-13 Thread larry mccay
Hi Jérôme - I'm trying to configure the pac4j provider for an okta "application" that I created. The following (from KNOX-642 docs patch) isn't quite enough to make it clear to me how to go about doing so: +saml.keystorePassword | Password of the keystore (storepass) +saml.pri

Re: pac4j and Apache Knox

2016-01-14 Thread Jérôme LELEU
Hi, Yes, the documentation is a bit too light. But you guessed it right: we need to have a keystore for encryption. The saml.identityProviderMetadataPath can point to a local resource or to a remote one, using the right prefix: resource:, file: or a URL (by default, it is a file path). This must

Re: pac4j and Apache Knox

2016-01-14 Thread larry mccay
That sounds pretty reasonable. I will likely document a few of the integrations that are possible in blogs/tutorials anyway. I don't want testing of Knox at release time to have to jump around too much in order to be able to test. I think we can make that all good though. I will see what I can do

Re: pac4j and Apache Knox

2016-01-15 Thread Jérôme LELEU
Hi, I just uploaded a new patch for the documentation with the links pointing to the pac4j wiki. It should be clearer. Thanks. Best regards, Jérôme 2016-01-14 13:20 GMT+01:00 larry mccay : > That sounds pretty reasonable. > I will likely document a few of the integrations that are possible in

Re: pac4j and Apache Knox

2016-01-15 Thread larry mccay
Hi Jérôme - Thanks for the updated docs - I will take a look today. I am currently still trying to test okta and stuck in a redirect loop. Did you have to change anything in order to get the request.getParameter(Clients.DEFAULT_CLIENT_NAME_PARAMETER) set for the callbacks from okta? It is null in

Re: pac4j and Apache Knox

2016-01-15 Thread larry mccay
Nevermind - I had to add ?client_name=SAML2Client to the end of the sso url in okta and in the topology. Now, I am running into a mismatch of audience expectations. I set the audience in the okta application to be KnoxSSO. I guess there is a parameter in the topology to sync up with that? On Fri,

Re: pac4j and Apache Knox

2016-01-15 Thread Jérôme LELEU
Hi, We have one callback url (the KnoxSSO url) and multiple identity providers so to distinguish between all clients, pac4j uses the callback url + the client_name parameter (Clients.DEFAULT_CLIENT_NAME_PARAMETER). The redirection url generated to the identity provider has this client_name parame

Re: pac4j and Apache Knox

2016-01-15 Thread larry mccay
Okay - got past that now We are getting closer! On Fri, Jan 15, 2016 at 10:56 AM, Jérôme LELEU wrote: > Hi, > > We have one callback url (the KnoxSSO url) and multiple identity providers > so to distinguish between all clients, pac4j uses the callback url + the > client_name parameter (Clien

Re: pac4j and Apache Knox

2016-01-15 Thread larry mccay
Excellent - it worked! I will review the docs with the hurdles that I had to overcome in mind. Hoping to get this committed today. :) On Fri, Jan 15, 2016 at 11:02 AM, larry mccay wrote: > Okay - got past that now > We are getting closer! > > On Fri, Jan 15, 2016 at 10:56 AM, Jérôme LELEU

Re: pac4j and Apache Knox

2016-01-16 Thread larry mccay
KNOX-641 and KNOX-642 have both been committed to master. There is a new docs book where you can check out the pac4j docs available: http://knox.apache.org/books/knox-0-8-0/user-guide.html#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect I have some additional ideas for the docs that I will r

Re: pac4j and Apache Knox

2016-01-18 Thread Jérôme LELEU
Hi, It's great news! One more thing I'm thinking of: we always have a demo corresponding to a pac4j support. It would be great to have a knox-pac4j-demo and reference it from the manual. I can handle it. Does it make sense? Thanks. Best regards, Jérôme 2016-01-17 6:37 GMT+01:00 larry mccay

Re: pac4j and Apache Knox

2016-01-19 Thread Jérôme LELEU
Hi, Following my own idea, here is a demo with the Knox / pac4j support: https://github.com/pac4j/knox-pac4j-demo Feel free to submit pull requests if you want me to amend it. What do you think? Thanks. Best regards, Jérôme 2016-01-18 11:03 GMT+01:00 Jérôme LELEU : > Hi, > > It's great news!

Re: pac4j and Apache Knox

2016-01-19 Thread larry mccay
That's great! On Tue, Jan 19, 2016 at 7:53 AM, Jérôme LELEU wrote: > Hi, > > Following my own idea, here is a demo with the Knox / pac4j support: > https://github.com/pac4j/knox-pac4j-demo > Feel free to submit pull requests if you want me to amend it. > > What do you think? > > Thanks. > Best r

Re: pac4j and Apache Knox

2016-01-19 Thread Jérôme LELEU
Should we add a link in the documentation to point to the demo? 2016-01-19 14:19 GMT+01:00 larry mccay : > That's great! > > On Tue, Jan 19, 2016 at 7:53 AM, Jérôme LELEU wrote: > > > Hi, > > > > Following my own idea, here is a demo with the Knox / pac4j support: > > https://github.com/pac4j/kn

Re: pac4j and Apache Knox

2016-01-19 Thread larry mccay
H... I think that providing appropriate templates (see the templates directory in the knox install) for both the knoxsso.xml (instead of idp.xml) and sandbox.xml to reflect the same config would provide the same value and be self contained without the need to keep the binaries up to date in th

Re: pac4j and Apache Knox

2016-01-19 Thread larry mccay
Trying to figure out how to specify the client_name for a given authentication attempt when there are multiple mechanisms defined in the topology. What I had in mind was providing a couple links to login with: Login with Okta Login with Twitter Login with Google and at the end of each url I thoug

Re: pac4j and Apache Knox

2016-01-19 Thread larry mccay
I think that I see... * client_name is a query parameter that is just used to determine that the call into the pac4j provider is coming from an IdP post authentication * clientName is a topology parameter that can be used to select the one client out of the multiple sets that may be configured * w

Re: pac4j and Apache Knox

2016-01-20 Thread Jérôme LELEU
Hi, You're right: maintaining the demos is a work in itself and we could (should) put samples in the templates directory. Though, I think the demo is valuable to promote Knox: let's say someone has a Hadoop installation and wants to secure it: how can he try Knox? Checkout the source, build it, co

Re: pac4j and Apache Knox

2016-01-20 Thread larry mccay
You make an interesting point about usability here. At the same time, it highlights the fact that the installation would not be from an Apache distribution channel and I would be concerned about folks checking out the demo and once it was working not picking up an official release. The current de

Re: pac4j and Apache Knox

2016-01-21 Thread Jérôme LELEU
Hi, Interesting point. In pac4j, we have a callback controller which uses the client_name parameter to finish the login process and a protection filter which protects a resource and redirects the user to the identity provider for login. Since pac4j 1.8, most libraries using it now accept a client

Re: pac4j and Apache Knox

2016-01-21 Thread Jérôme LELEU
OK. I still think that the demo is valuable for a quick startup, but above all, it means that I must re-create the demo from the Apache release of Knox 0.8.0 as soon as it is available... I'm not sure I understand what the problem is with the current master in terms of licensing, it's under

Re: pac4j and Apache Knox

2016-01-21 Thread larry mccay
That sounds perfect and actually the right way to keep pac4j and the knox pac4j provider aligned properly. I filed https://issues.apache.org/jira/browse/KNOX-655 for this effort. Thanks, Jérôme! --larry On Thu, Jan 21, 2016 at 4:38 AM, Jérôme LELEU wrote: > Hi, > > Interesting point. > > In pa

Re: pac4j and Apache Knox

2016-01-21 Thread larry mccay
A build from master is not an official Apache release and there are specific rules for referencing release distributions and artifacts. Unfortunately, the language that I have found isn't clear enough for me to determine what if any violation exists there. I don't want to introduce a link in docs

Re: pac4j and Apache Knox

2016-01-21 Thread Jérôme LELEU
Hi, Regarding the legal stuff, it's an issue until I upgrade the demo to an official release. After that, I will only use official releases. At worst, the demo will be out of date. We can keep the same link: that's what I do for demos otherwise it's a nightmare. Previous version x is simply move

Re: pac4j and Apache Knox

2016-01-24 Thread larry mccay
Question about the customParamKeyX params... In doing some additional testing with the openid connect integration, it was determined that the scopes provided by default didn't work properly for all providers. Therefore, the following was added and it worked great. oidc.customParamKe

Re: pac4j and Apache Knox

2016-01-25 Thread Jérôme LELEU
Hi, Yes, you're right, it's limited to two custom parameters. My experience taught me that two parameters were enough for most cases, but indeed, it seems a bit cumbersome to have such configuration. This mechanism is shared with the CAS server configuration which uses properties, thus the name=v

Re: pac4j and Apache Knox

2016-01-25 Thread Jérôme LELEU
Hi, I just uploaded a patch for KNOX-655 and successfully tested it: using https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS, I'm redirected to my CAS server for login. I can force the authentication on Facebook using: https://127.0.0.1:8443/gateway/idp/api/v1/websso? *client_nam

Re: pac4j and Apache Knox

2016-01-25 Thread larry mccay
Let's leave it as is for 0.8.0 but we will need to address that in a less cumbersome way and at the same time be backward compatible. Groovy class would be an interesting approach but I'm not sure that we will want configuration to be code running in the gateway. I am thinking about having the ser

Re: pac4j and Apache Knox

2016-01-25 Thread larry mccay
Wonderful! I will review it some time today. Thanks, Jérôme! On Mon, Jan 25, 2016 at 6:52 AM, Jérôme LELEU wrote: > Hi, > > I just uploaded a patch for KNOX-655 and successfully tested it: using > https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS, I'm > redirected to my CAS se
