Hello to all,

You say "you set something else in your metadata". You mean on my IDP (Keycloak) or can I configure something different on knoxsso topology?

KR,
Nick

On Tue, Oct 3, 2017 at 6:00 AM, Jérôme LELEU <[email protected]> wrote:

> Hi,
>
> Indeed, the issue occurs in the Nimbus SDK inside pac4j.
>
> The client authentication is built from your metadata configuration and we only support *client_secret_post* and *client_secret_basic*. I guess you set something else in your metadata, certainly private_key_jwt.
>
> From the spec:
>
> token_endpoint_auth_methods_supported
> OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 <https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core> [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 <https://openid.net/specs/openid-connect-discovery-1_0.html#RFC6749> [RFC6749].
>
> Thanks.
> Best regards,
> Jérôme
>
> On Mon, Oct 2, 2017 at 9:49 PM, larry mccay <[email protected]> wrote:
>
>> Unfortunately, it seems that you will need to put a breakpoint in the code at org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205) and walk through - hopefully into the pac4j code and nimbus to see what is expected and not being found.
>>
>> Explicitly adding Jerome...
>>
>> @Jerome - does this error ring any bells for you?
>>
>> On Mon, Oct 2, 2017 at 3:09 PM, N. Vidiadakis <[email protected]> wrote:
>>
>>> I've done the modifications and unfortunately, I have the same results:
>>>
>>> 2017-10-02 19:06:10,559 ERROR hadoop.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: java.lang.IllegalArgumentException: The client authentication must not be null
>>> 2017-10-02 19:06:10,560 ERROR hadoop.gateway (GatewayFilter.java:doFilter(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
>>> javax.servlet.ServletException: java.lang.IllegalArgumentException: The client authentication must not be null
>>>     at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>     at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:346)
>>>     at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:246)
>>>     at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:140)
>>>     ...
>>>
>>> KR,
>>> Nick
>>>
>>> On Mon, Oct 2, 2017 at 9:57 PM, larry mccay <[email protected]> wrote:
>>>
>>>> Can you add the following after your discoveryUrl in the knoxsso.xml:
>>>>
>>>> <param>
>>>>     <name>oidc.useNonce</name>
>>>>     <value>false</value>
>>>> </param>
>>>> <param>
>>>>     <name>oidc.customParamKey1</name>
>>>>     <value>scope</value>
>>>> </param>
>>>> <param>
>>>>     <name>oidc.customParamValue1</name>
>>>>     <value>openid</value>
>>>> </param>
>>>>
>>>> In the testing that I did the idp did not require the email and profile scopes that are requested by default by pac4j. Therefore, the customParam was being used here to limit the scopes to just openid.
>>>>
>>>> I happen to have the useNonce param in mine - so you might as well try that too.
>>>>
>>>> On Mon, Oct 2, 2017 at 2:49 PM, N. Vidiadakis <[email protected]> wrote:
>>>>
>>>>> Hi Larry,
>>>>>
>>>>> You can find attached the topologies and the stack trace.
>>>>>
>>>>> thank you in advance,
>>>>> Nick
>>>>>
>>>>> On Mon, Oct 2, 2017 at 9:34 PM, larry mccay <[email protected]> wrote:
>>>>>
>>>>>> Hi Nick -
>>>>>>
>>>>>> Can you please provide your topologies that you are using for both sandbox.xml and knoxsso.xml?
>>>>>>
>>>>>> I have tested OIDC usecase before and would like to compare the configuration that you have - I did not try it against Keycloak but it should be generic OIDC.
>>>>>>
>>>>>> Also, can you provide the full stacktrace from the log?
>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> --larry
>>>>>>
>>>>>> On Mon, Oct 2, 2017 at 2:22 PM, N. Vidiadakis <[email protected]> wrote:
>>>>>>
>>>>>>> Hello to all,
>>>>>>>
>>>>>>> I'm relatively new to the whole Hadoop/KNOX ecosystem but I'm appointed with a relatively more complicated task: integrate KNOX with an Idp and specifically with a Keycloak installation which uses OpenID.
>>>>>>>
>>>>>>> I've tried following the User Guide and my current state is I get redirected to the Keycloak Login portal, I enter my credentials and then get back to the KnoxSSO urls with an error 500. The log files contain:
>>>>>>>
>>>>>>> gateway.log:
>>>>>>>
>>>>>>> Caused by: java.lang.IllegalArgumentException: The client authentication must not be null
>>>>>>>     at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:87)
>>>>>>>     at com.nimbusds.oauth2.sdk.TokenRequest.<init>(TokenRequest.java:112)
>>>>>>>
>>>>>>> gateway-audit.log:
>>>>>>>
>>>>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>>>>> 17/10/02 18:07:17 ||287109de-665e-469e-811e-8991550b27e6|audit|91.138.248.128|WEBHDFS||||access|uri|/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|unavailable|Request method: GET
>>>>>>> 17/10/02 18:07:17 ||a17b49de-dcf6-4bf1-90b1-6f2551e5380f|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://83.212.114.145:8443/gateway/sandbox/webhdfs/v1/?op=GETHOMEDIRECTORY|success|Response status: 302
>>>>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|unavailable|Request method: GET
>>>>>>> 17/10/02 18:07:17 ||0cef72c6-e010-4275-a309-66124e7a1cdb|audit|91.138.248.128|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&state=8_-8Ni4pQynijY1ov26rNhXAYkWBWx10GyqJSnZHXYA&code=dFHZBD2zpFbZYFLUArBdHaA1Nb_uEoDzHhULpehX7Sg.cbc5dae7-3532-4e56-a530-de1ea90b078a|failure|
>>>>>>>
>>>>>>> Also, Keycloak does not report something out of the ordinary.
>>>>>>>
>>>>>>> My question is if and how to further debug this. I also wanted to try a bearer-only configuration but the documentation is not clear enough for the configuration.
>>>>>>>
>>>>>>> Please. Help.
>>>>>>>
>>>>>>> KR,
>>>>>>> Nick Vidiadakis
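One way to check an IdP's discovery document against the two token-endpoint authentication methods Jérôme says pac4j supports, before debugging the Nimbus `TokenRequest` constructor. This is an added example for this thread, not code from Knox, pac4j or Keycloak; the `idp.example` issuer and the three sample documents are constructed, and the preference for post over basic is an assumption, not pac4j's own selection order.

```python
import json

# The two client authentication methods the thread says pac4j's OidcClient
# (built on the Nimbus OAuth 2.0 SDK) can construct from a client secret.
PAC4J_SUPPORTED = ("client_secret_post", "client_secret_basic")

# OpenID Connect Discovery 1.0: when token_endpoint_auth_methods_supported
# is omitted from the metadata, the default is client_secret_basic.
DEFAULT_METHOD = "client_secret_basic"


def select_client_auth(metadata):
    """Return the auth method pac4j could use for the token request, or None.

    `metadata` is the parsed discovery document. Preferring post over basic
    is an assumption made for illustration, not pac4j's own selection order.
    """
    supported = metadata.get("token_endpoint_auth_methods_supported")
    if supported is None:
        return DEFAULT_METHOD
    for method in PAC4J_SUPPORTED:
        if method in supported:
            return method
    # Nothing usable: the 'client authentication must not be null' situation.
    return None


def diagnose(discovery_json):
    """Parse a discovery document and report whether Knox/pac4j can use it."""
    metadata = json.loads(discovery_json)
    method = select_client_auth(metadata)
    if method is None:
        listed = ", ".join(metadata.get("token_endpoint_auth_methods_supported", []))
        return "incompatible: token endpoint advertises [%s], pac4j needs %s" % (
            listed, " or ".join(PAC4J_SUPPORTED))
    return "ok: token request would use %s" % method


# Constructed sample discovery documents (not captured from a real IdP).
SAMPLE_OMITTED = '{"issuer": "https://idp.example/realms/demo"}'
SAMPLE_JWT_ONLY = ('{"issuer": "https://idp.example/realms/demo", '
                   '"token_endpoint_auth_methods_supported": ["private_key_jwt"]}')
SAMPLE_MIXED = ('{"issuer": "https://idp.example/realms/demo", '
                '"token_endpoint_auth_methods_supported": '
                '["private_key_jwt", "client_secret_basic"]}')

if __name__ == "__main__":
    for name, doc in (("omitted", SAMPLE_OMITTED), ("jwt-only", SAMPLE_JWT_ONLY),
                      ("mixed", SAMPLE_MIXED)):
        print(name + ": " + diagnose(doc))
```

Point `diagnose` at the JSON served from the IdP's `/.well-known/openid-configuration` (the same URL as the Knox `discoveryUrl` param) to see which case your deployment is in.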
