Hi Ryan - Welcome to Knox-ville!
Going to start with a very obvious question - can you ping that host from the machine where the gateway is running?

thanks,
--larry

On Sat, Mar 3, 2018 at 10:07 PM, Ryan H <[email protected]> wrote:
> Hi All,
>
> Disclaimer: I am very new to Knox!
>
> I am working on setting up KnoxSSO with an OpenID provider (Cloud Foundry
> UAA) for AuthN to an application (Apache NiFi). I am running into an issue
> where it seems that the oidc.discoveryUri is resulting in the following
> error:
>
> 2018-03-03 21:59:37,104 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69))
> - Failed to execute filter: org.pac4j.core.exception.TechnicalException:
> java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
> 2018-03-03 21:59:37,104 ERROR knox.gateway (GatewayFilter.java:doFilter(177))
> - Gateway processing failed: javax.servlet.ServletException:
> org.pac4j.core.exception.TechnicalException:
> java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException:
> java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>     at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>     at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>
> *Here is my topology from knoxsso.xml config:*
>
> <topology>
>   <gateway>
>     <provider>
>       <role>webappsec</role>
>       <name>WebAppSec</name>
>       <enabled>true</enabled>
>       <param><name>xframe.options.enabled</name><value>true</value></param>
>     </provider>
>     <provider>
>       <role>federation</role>
>       <name>pac4j</name>
>       <enabled>true</enabled>
>       <param>
>         <name>pac4j.callbackUrl</name>
>         <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>       </param>
>       <param>
>         <name>clientName</name>
>         <value>OidcClient</value>
>       </param>
>       <param>
>         <name>oidc.id</name>
>         <value>some_client_id</value>
>       </param>
>       <param>
>         <name>oidc.secret</name>
>         <value>some_client_secret</value>
>       </param>
>       <param>
>         <name>oidc.discoveryUri</name>
>         <value>https://{guid-id}.sub-uaa.another.zone.aws-us01.something.io/.well-known/openid-configuration</value>
>       </param>
>       <param>
>         <name>oidc.preferredJwsAlgorithm</name>
>         <value>RS256</value>
>       </param>
>     </provider>
>   </gateway>
>   <application>
>     <name>knoxauth</name>
>   </application>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.cookie.secure.only</name>
>       <value>false</value>
>     </param>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>3600000</value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
>   </service>
> </topology>
>
> *Here is my topology from sandbox.xml:*
>
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>SSOCookieProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sso.authentication.provider.url</name>
>         <value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>NIFI</role>
>     <url>http://localhost:8080</url>
>   </service>
> </topology>
>
> I was able to use the gateway to get to the NiFi app with basic auth as a
> connectivity test, and now I want to drop in the OpenID provider for the
> auth I am really after. Any help is greatly appreciated!
>
> Cheers,
> Ryan H.
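A small check for the "can the gateway host resolve that name" question, as an added example that is not part of the thread or of Knox itself: it pulls `oidc.discoveryUri` out of the pac4j provider in a topology file and asks the local resolver for the host, which is the lookup that surfaces as `java.net.UnknownHostException` in the log above. The sample topology and the `.invalid` discovery host are constructed stand-ins for the redacted values in the post.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the pac4j provider shape from the knoxsso.xml quoted above, with a
# placeholder discovery host (the real hostname is redacted in the thread).
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param><name>clientName</name><value>OidcClient</value></param>
      <param><name>oidc.discoveryUri</name>
        <value>https://guid-id.sub-uaa.example.invalid/.well-known/openid-configuration</value>
      </param>
    </provider>
  </gateway>
</topology>"""

def pac4j_params(topology_xml):
    """Return the <param> name -> value map of the enabled pac4j federation provider."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if (prov.findtext("role", "").strip() == "federation"
                and prov.findtext("name", "").strip() == "pac4j"
                and prov.findtext("enabled", "").strip() == "true"):
            return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
                    for p in prov.findall("param")}
    raise ValueError("no enabled pac4j federation provider in topology")

def discovery_host(params):
    """Hostname the gateway JVM must resolve to fetch the OIDC discovery document."""
    uri = params.get("oidc.discoveryUri")
    if not uri:
        raise ValueError("oidc.discoveryUri is not set")
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("oidc.discoveryUri must be an https URL with a host: %r" % uri)
    return parts.hostname

def host_resolves(host, resolver=socket.getaddrinfo):
    """True if the host resolves here; False is what surfaces as UnknownHostException."""
    try:
        resolver(host, 443)
        return True
    except OSError:  # socket.gaierror is an OSError subclass
        return False
```

Run it on the gateway machine with `host_resolves(discovery_host(pac4j_params(open("knoxsso.xml").read())))`; a False there means the JVM will fail the same way regardless of the rest of the pac4j configuration.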
