Yep, that was the issue; I was behind a proxy (bang my head). This got me past the current issue and into a new set of issues. Firstly, is there a way to set a proxy with Knox for scenarios such as this? Second, now I see the following error (which it looks like there may have been a JIRA opened for this a while back):
2018-03-03 22:45:46,171 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
2018-03-03 22:45:46,171 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
        at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
        ...

-Ryan

On Sat, Mar 3, 2018 at 10:45 PM, larry mccay <[email protected]> wrote:
> Maybe you have a proxy configured in your browser to allow you to get
> there.
>
> On Sat, Mar 3, 2018 at 10:35 PM, Ryan H <[email protected]> wrote:
>
>> Hi Larry,
>>
>> I can reach the host via browser, but not via ping... Ping results in
>> "Unknown Host", I'm seeing a correlation here...
>>
>> -Ryan
>>
>> On Sat, Mar 3, 2018 at 10:32 PM, larry mccay <[email protected]> wrote:
>>
>>> Hi Ryan -
>>>
>>> Welcome to Knox-ville!
>>>
>>> Going to start with a very obvious question - can you ping that host
>>> from the machine where the gateway is running?
>>>
>>> thanks,
>>>
>>> --larry
>>>
>>> On Sat, Mar 3, 2018 at 10:07 PM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Disclaimer: I am very new to Knox!
>>>>
>>>> I am working on setting up KnoxSSO with an OpenID provider (Cloud
>>>> Foundry UAA) for AuthN to an application (Apache NiFi). I am running into
>>>> an issue where it seems that the oidc.discoveryUri is resulting in the
>>>> following error:
>>>>
>>>> 2018-03-03 21:59:37,104 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>> 2018-03-03 21:59:37,104 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>         at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>         at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>         at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>         at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>>>>         at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>         at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>         at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>         at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>         at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>
>>>> *Here is my topology from knoxsso.xml config:*
>>>>
>>>> <topology>
>>>>   <gateway>
>>>>     <provider>
>>>>       <role>webappsec</role>
>>>>       <name>WebAppSec</name>
>>>>       <enabled>true</enabled>
>>>>       <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>     </provider>
>>>>     <provider>
>>>>       <role>federation</role>
>>>>       <name>pac4j</name>
>>>>       <enabled>true</enabled>
>>>>       <param>
>>>>         <name>pac4j.callbackUrl</name>
>>>>         <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>       </param>
>>>>       <param>
>>>>         <name>clientName</name>
>>>>         <value>OidcClient</value>
>>>>       </param>
>>>>       <param>
>>>>         <name>oidc.id</name>
>>>>         <value>some_client_id</value>
>>>>       </param>
>>>>       <param>
>>>>         <name>oidc.secret</name>
>>>>         <value>some_client_secret</value>
>>>>       </param>
>>>>       <param>
>>>>         <name>oidc.discoveryUri</name>
>>>>         <value>https://{guid-id}.sub-uaa.another.zone.aws-us01.something.io/.well-known/openid-configuration</value>
>>>>       </param>
>>>>       <param>
>>>>         <name>oidc.preferredJwsAlgorithm</name>
>>>>         <value>RS256</value>
>>>>       </param>
>>>>     </provider>
>>>>   </gateway>
>>>>   <application>
>>>>     <name>knoxauth</name>
>>>>   </application>
>>>>   <service>
>>>>     <role>KNOXSSO</role>
>>>>     <param>
>>>>       <name>knoxsso.cookie.secure.only</name>
>>>>       <value>false</value>
>>>>     </param>
>>>>     <param>
>>>>       <name>knoxsso.token.ttl</name>
>>>>       <value>3600000</value>
>>>>     </param>
>>>>     <param>
>>>>       <name>knoxsso.redirect.whitelist.regex</name>
>>>>       <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>     </param>
>>>>   </service>
>>>> </topology>
>>>>
>>>>
>>>> *Here is my topology from sandbox.xml:*
>>>>
>>>> <topology>
>>>>
>>>>   <gateway>
>>>>
>>>>     <provider>
>>>>       <role>federation</role>
>>>>       <name>SSOCookieProvider</name>
>>>>       <enabled>true</enabled>
>>>>       <param>
>>>>         <name>sso.authentication.provider.url</name>
>>>>         <value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
>>>>       </param>
>>>>     </provider>
>>>>
>>>>     <provider>
>>>>       <role>identity-assertion</role>
>>>>       <name>Default</name>
>>>>       <enabled>true</enabled>
>>>>     </provider>
>>>>
>>>>   </gateway>
>>>>
>>>>   <service>
>>>>     <role>NIFI</role>
>>>>     <url>http://localhost:8080</url>
>>>>   </service>
>>>>
>>>> </topology>
>>>>
>>>> I was able to use the gateway to get to the NiFi app with basic auth as
>>>> a connectivity test, and now I want to drop in the OpenID provider for the
>>>> auth I am really after. Any help is greatly appreciated!
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Ryan H.
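The state check behind the "State parameter is different" error at the top of the thread, as an added illustration (not Knox or pac4j code): it models how a gateway binds the OIDC state to the browser's session cookie and why a callback that lands on a session holding no stored state reports exactly that message. The cookie jar and session store are constructed simplifications; one thing worth checking against the topologies above is that pac4j.callbackUrl uses localhost while sso.authentication.provider.url uses 127.0.0.1, since a browser keeps separate cookies for those two hosts.

```python
import secrets

ERROR_TEXT = ("State parameter is different from the one sent in authentication "
              "request. Session expired or possible threat of cross-site request forgery")


class StateMismatch(Exception):
    """Stand-in for the pac4j TechnicalException quoted in the Knox log."""


class CookieJar:
    """Constructed browser cookie jar. Cookies are scoped per host, so 'localhost'
    and '127.0.0.1' never share a gateway session cookie despite being one machine."""

    def __init__(self):
        self._cookies = {}

    def session_for(self, host, sessions):
        """Gateway session bound to this host's cookie; a host with no cookie gets a fresh one."""
        cookie = self._cookies.get(host)
        if cookie is None:
            cookie = self._cookies[host] = secrets.token_hex(8)
        return sessions.setdefault(cookie, {})


def start_login(session):
    """Gateway step 1: mint an unguessable state, remember it in the session, and
    return it for the ?state= parameter of the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    return state


def handle_callback(session, returned_state):
    """Gateway step 2: accept the callback only if the echoed state equals the one this
    session stored (none stored = 'Session expired'; a foreign value = the CSRF case)."""
    expected = session.pop("oidc_state", None)
    if expected is None or not secrets.compare_digest(expected, returned_state):
        raise StateMismatch(ERROR_TEXT)
    return True


def simulate(start_host, callback_host, tamper=False):
    """One login flow: the browser first hits the gateway at start_host and the OP
    redirects it back to callback_host. Returns 'ok' or 'mismatch'."""
    sessions = {}  # gateway-side session store keyed by cookie value (constructed)
    jar = CookieJar()
    state = start_login(jar.session_for(start_host, sessions))
    returned = "not-the-issued-state" if tamper else state
    try:
        handle_callback(jar.session_for(callback_host, sessions), returned)
    except StateMismatch:
        return "mismatch"
    return "ok"
```

Running simulate("127.0.0.1", "localhost") reproduces the "Session expired" branch without any attacker involved, which is why the log message names both possibilities.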
