Hi Nick -

Can you please provide the topologies that you are using for both sandbox.xml and knoxsso.xml?
I have tested the OIDC use case before and would like to compare the configuration that you have - I did not try it against Keycloak but it should be generic OIDC.

Also, can you provide the full stacktrace from the log?

thanks,

--larry

On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]> wrote:

> Hello to all,
>
> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm appointed
> with a relatively more complicated task: integrate KNOX with an IdP and
> specifically with a Keycloak installation which uses OpenID.
>
> I've tried following the User Guide and my current state is I get
> redirected to the Keycloak Login portal, I enter my credentials and then
> get back to the KnoxSSO URLs with an error 500. The log files contain:
>
> gateway.log:
>
> Caused by: java.lang.IllegalArgumentException: The client authentication
> must not be null
> at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
> at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>
> gateway-audit.log:
>
> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.
> 128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?
> op=GETHOMEDIRECTORY|unavailable|Request method: GET
> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.
> 128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?
> op=GETHOMEDIRECTORY|success|Response status: 302
> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.
> 128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=
> https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=
> GETHOMEDIRECTORY|unavailable|Request method: GET
> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.
> 128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=
> https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=
> GETHOMEDIRECTORY|success|Response status: 302
> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.
> 128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?
> pac4jCallback=true&client_name=OidcClient&state=8_-
> 8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_
> uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request
> method: GET
> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.
> 128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?
> pac4jCallback=true&client_name=OidcClient&state=8_-
> 8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_
> uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>
> Also, Keycloak does not report something out of the ordinary.
>
> My question is if and how to further debug this. I also wanted to try a
> bearer-only configuration but the documentation is not clear enough for the
> configuration.
>
> Please. Help.
>
> KR,
> Nick Vidiadakis
