I've done the modifications and unfortunately, I have the same results:

2017-10-02 19:06:10,559 ERROR hadoop.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: java.lang.IllegalArgumentException: The client authentication must not be null
2017-10-02 19:06:10,560 ERROR hadoop.gateway (GatewayFilter.java:doFilter(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
    at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:140)
    ...
KR,
Nick

On Mon, Oct 2, 2017 at 9:57 PM, larry mccay <[email protected]> wrote:

> Can you add the following after your discoveryUrl in the knoxsso.xml:
>
> <param>
>   <name>oidc.useNonce</name>
>   <value>false</value>
> </param>
> <param>
>   <name>oidc.customParamKey1</name>
>   <value>scope</value>
> </param>
> <param>
>   <name>oidc.customParamValue1</name>
>   <value>openid</value>
> </param>
>
> In the testing that I did the idp did not require the email and
> profile scopes that are requested by default by pac4j. Therefore, the
> customParam was being used here to limit the scopes to just openid.
>
> I happen to have the useNonce param in mine - so you might as well try
> that too.
>
> On Mon, Oct 2, 2017 at 2:49 PM, N. Vidiadakis <[email protected]>
> wrote:
>
>> Hi Larry,
>>
>> You can find attached the topologies and the stack trace.
>>
>> thank you in advance,
>> Nick
>>
>>
>> On Mon, Oct 2, 2017 at 9:34 PM, larry mccay <[email protected]> wrote:
>>
>>> Hi Nick -
>>>
>>> Can you please provide your topologies that you are using for both
>>> sandbox.xml and knoxsso.xml?
>>>
>>> I have tested OIDC usecase before and would like to compare the
>>> configuration that you have - I did not try it against Keycloak but it
>>> should be generic OIDC.
>>>
>>> Also, can you provide the full stacktrace from the log?
>>>
>>> thanks,
>>>
>>> --larry
>>>
>>> On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]>
>>> wrote:
>>>
>>>> Hello to all,
>>>>
>>>> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm appointed
>>>> with a relatively more complicated task: integrate KNOX with an IdP and
>>>> specifically with a Keycloak installation which uses OpenID.
>>>>
>>>> I've tried following the User Guide and my current state is I get
>>>> redirected to the Keycloak Login portal, I enter my credentials and then
>>>> get back to the KnoxSSO urls with an error 500. The log files contain:
>>>>
>>>> gateway.log:
>>>>
>>>> Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
>>>> at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
>>>> at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>>>>
>>>> gateway-audit.log:
>>>>
>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request method: GET
>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>>>>
>>>> Also, Keycloak does not report something out of the ordinary.
>>>>
>>>> My question is if and how to further debug this. I also wanted to try a
>>>> bearer-only configuration but the documentation is not clear enough for the
>>>> configuration.
>>>>
>>>> Please. Help.
>>>>
>>>> KR,
>>>> Nick Vidiadakis
>>>>
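
An added example, not part of the thread and not Knox's own tooling: a small parser for gateway-audit.log lines of the shape quoted above that reports which request in the SSO redirect chain ended in `failure`, and masks the `code` and `state` query values so the output can be shared. The field order is an assumption inferred from the quoted lines, and the sample input is constructed with placeholder values.

```python
import re

# Field order is an assumption inferred from the audit lines quoted in the thread:
# ts ||request_id|component|ip|service||||action|type|resource|outcome|message
SECRET_PARAMS = re.compile(r"([?&](?:code|state)=)[^&]*")

# Constructed sample lines (placeholder IDs, address and parameter values).
SAMPLE_LOG = """\
17/10/02 18:07:17 ||req-0001|audit|192.0.2.10|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
17/10/02 18:07:17 ||req-0001|audit|192.0.2.10|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
17/10/02 18:07:17 ||req-0002|audit|192.0.2.10|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=SAMPLESTATE&code=SAMPLECODE|unavailable|Request method: GET
17/10/02 18:07:17 ||req-0002|audit|192.0.2.10|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=SAMPLESTATE&code=SAMPLECODE|failure|
"""


def parse_line(line):
    """Split one audit line into a dict, or return None if it does not match."""
    ts, sep, rest = line.rstrip("\n").partition(" ||")
    if not sep:
        return None
    head = rest.split("|", 9)  # nine fixed fields, then resource|outcome|message
    if len(head) != 10:
        return None
    try:
        # Split the tail from the right so a '|' inside the URI cannot shift fields.
        resource, outcome, message = head[9].rsplit("|", 2)
    except ValueError:
        return None
    return {"ts": ts, "request_id": head[0], "service": head[3],
            "resource": SECRET_PARAMS.sub(r"\1<redacted>", resource),
            "outcome": outcome, "message": message}


def final_outcomes(text):
    """Map request_id -> last record whose outcome is not 'unavailable'."""
    result = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["outcome"] != "unavailable":
            result[rec["request_id"]] = rec
    return result


def failed_requests(text):
    """Return the records of requests whose final outcome is 'failure'."""
    return [r for r in final_outcomes(text).values() if r["outcome"] == "failure"]


if __name__ == "__main__":
    for rec in failed_requests(SAMPLE_LOG):
        print(rec["ts"], rec["request_id"], rec["service"], rec["resource"])
```
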
