Hi,

Indeed, the issue occurs in the Nimbus SDK inside pac4j.

The client authentication is built from your metadata configuration and we only support *client_secret_post* and *client_secret_basic*. I guess you set something else in your metadata, certainly private_key_jwt.

From the spec:

token_endpoint_auth_methods_supported
    OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 <https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core> [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 <https://openid.net/specs/openid-connect-discovery-1_0.html#RFC6749> [RFC6749].

Thanks.
Best regards,
Jérôme

On Mon, Oct 2, 2017 at 9:49 PM, larry mccay <[email protected]> wrote:
> Unfortunately, it seems that you will need to put a breakpoint in the code
> at org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
> and walk through - hopefully into the pac4j code and nimbus to see what is
> expected and not being found.
>
> Explicitly adding Jerome...
>
> @Jerome - does this error ring any bells for you?
>
> On Mon, Oct 2, 2017 at 3:09 PM, N. Vidiadakis <[email protected]> wrote:
>> I've done the modifications and unfortunately, I have the same results:
>>
>> 2017-10-02 19:06:10,559 ERROR hadoop.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: java.lang.IllegalArgumentException: The client authentication must not be null
>> 2017-10-02 19:06:10,560 ERROR hadoop.gateway (GatewayFilter.java:doFilter(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
>> javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
>>         at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>         at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
>>         at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
>>         at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:140)
>>         ...
>>
>> KR,
>> Nick
>>
>> On Mon, Oct 2, 2017 at 9:57 PM, larry mccay <[email protected]> wrote:
>>> Can you add the following after your discoveryUrl in the knoxsso.xml:
>>>
>>> <param>
>>>     <name>oidc.useNonce</name>
>>>     <value>false</value>
>>> </param>
>>> <param>
>>>     <name>oidc.customParamKey1</name>
>>>     <value>scope</value>
>>> </param>
>>> <param>
>>>     <name>oidc.customParamValue1</name>
>>>     <value>openid</value>
>>> </param>
>>>
>>> In the testing that I did the idp did not require the email and
>>> profile scopes that are requested by default by pac4j. Therefore, the
>>> customParam was being used here to limit the scopes to just openid.
>>>
>>> I happen to have the useNonce param in mine - so you might as well try
>>> that too.
>>>
>>> On Mon, Oct 2, 2017 at 2:49 PM, N. Vidiadakis <[email protected]> wrote:
>>>> Hi Larry,
>>>>
>>>> You can find attached the topologies and the stack trace.
>>>>
>>>> thank you in advance,
>>>> Nick
>>>>
>>>> On Mon, Oct 2, 2017 at 9:34 PM, larry mccay <[email protected]> wrote:
>>>>> Hi Nick -
>>>>>
>>>>> Can you please provide your topologies that you are using for both
>>>>> sandbox.xml and knoxsso.xml?
>>>>>
>>>>> I have tested the OIDC usecase before and would like to compare the
>>>>> configuration that you have - I did not try it against Keycloak but it
>>>>> should be generic OIDC.
>>>>>
>>>>> Also, can you provide the full stacktrace from the log?
>>>>>
>>>>> thanks,
>>>>>
>>>>> --larry
>>>>>
>>>>> On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]> wrote:
>>>>>> Hello to all,
>>>>>>
>>>>>> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm
>>>>>> appointed with a relatively more complicated task: integrate KNOX with an
>>>>>> Idp, and specifically with a Keycloak installation which uses OpenID.
>>>>>>
>>>>>> I've tried following the User Guide and my current state is I get
>>>>>> redirected to the Keycloak Login portal, I enter my credentials and then
>>>>>> get back to the KnoxSSO urls with an error 500. The log files contain:
>>>>>>
>>>>>> gateway.log:
>>>>>>
>>>>>> Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
>>>>>>         at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
>>>>>>         at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>>>>>>
>>>>>> gateway-audit.log:
>>>>>>
>>>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request method: GET
>>>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>>>>>>
>>>>>> Also, Keycloak does not report something out of the ordinary.
>>>>>>
>>>>>> My question is if and how to further debug this. I also wanted to try
>>>>>> a bearer-only configuration but the documentation is not clear enough for
>>>>>> the configuration.
>>>>>>
>>>>>> Please. Help.
>>>>>>
>>>>>> KR,
>>>>>> Nick Vidiadakis
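Jérôme's diagnosis above comes down to one field of the provider's discovery document: pac4j builds its token-endpoint client authentication from `token_endpoint_auth_methods_supported`, and only `client_secret_basic` and `client_secret_post` are usable, with the spec saying that an omitted field means `client_secret_basic`. The script below is an added example, not code from the thread, from pac4j or from Knox; it applies exactly that rule to a discovery document so an operator can confirm the mismatch before attaching a debugger. The supported-method list is taken from Jérôme's statement, the sample documents and the `https://idp.example/...` issuer are constructed for illustration, and `check_discovery_url` is a convenience wrapper that fetches a real `.well-known/openid-configuration` URL.

```python
"""Check an OIDC discovery document for token-endpoint auth methods a
pac4j OidcClient can actually use (added example, not pac4j/Knox code)."""
import json
import sys
from urllib.request import urlopen

# Methods the thread says pac4j supports when building client authentication.
PAC4J_SUPPORTED = ("client_secret_basic", "client_secret_post")
# OpenID Connect Discovery: if the field is omitted, the default is client_secret_basic.
SPEC_DEFAULT = ("client_secret_basic",)
FIELD = "token_endpoint_auth_methods_supported"


def advertised_methods(metadata: dict) -> tuple:
    """Auth methods the provider advertises, with the spec default applied."""
    methods = metadata.get(FIELD)
    if methods is None:
        return SPEC_DEFAULT
    if not isinstance(methods, list) or not all(isinstance(m, str) for m in methods):
        raise ValueError(f"{FIELD} must be a JSON array of strings")
    return tuple(methods)


def usable_methods(metadata: dict, supported=PAC4J_SUPPORTED) -> list:
    """Advertised methods the client can use, in the provider's stated order."""
    return [m for m in advertised_methods(metadata) if m in supported]


def check_metadata(metadata: dict) -> dict:
    """Summarise the compatibility check for one discovery document."""
    advertised = list(advertised_methods(metadata))
    usable = usable_methods(metadata)
    return {
        "issuer": metadata.get("issuer"),
        "advertised": advertised,
        "usable": usable,
        # No usable method is exactly the situation that leaves the Nimbus
        # TokenRequest without a ClientAuthentication.
        "ok": bool(usable),
    }


def check_discovery_url(discovery_url: str) -> dict:
    """Fetch .../.well-known/openid-configuration and check it (network call)."""
    with urlopen(discovery_url) as resp:
        return check_metadata(json.load(resp))


# Constructed sample documents; not captured from Keycloak or from the thread.
SAMPLE_PKJWT_ONLY = {
    "issuer": "https://idp.example/realms/demo",
    "token_endpoint": "https://idp.example/realms/demo/protocol/openid-connect/token",
    FIELD: ["private_key_jwt"],
}
SAMPLE_ALL_FOUR = {
    "issuer": "https://idp.example/realms/demo",
    FIELD: ["private_key_jwt", "client_secret_basic", "client_secret_post", "client_secret_jwt"],
}
SAMPLE_OMITTED = {
    "issuer": "https://idp.example/realms/demo",
    # field absent on purpose: the spec default applies
}


def report(result: dict) -> str:
    """Render one check result as a single line for an operator."""
    state = "OK" if result["ok"] else "NO USABLE METHOD"
    return (f"{result['issuer']}: {state}; advertised={result['advertised']} "
            f"usable={result['usable']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Pass the provider's discovery URL to check a live document.
        print(report(check_discovery_url(sys.argv[1])))
    else:
        for sample in (SAMPLE_PKJWT_ONLY, SAMPLE_ALL_FOUR, SAMPLE_OMITTED):
            print(report(check_metadata(sample)))
```

Run it with no arguments to see the three constructed cases, or with the discovery URL that `oidc.discoveryUri` in knoxsso.xml points at. A provider that advertises only `private_key_jwt` yields an empty `usable` list, which is the configuration Jérôme suspects; a document that omits the field is treated as `client_secret_basic` per the spec, so it passes.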
