There was an issue found with the Google OIDC integration recently.
This may be the same issue, I will need to dig that up in the dev@ or user@
list and verify.


On Sun, Mar 4, 2018 at 11:47 AM, Ryan H <ryan.howell.developm...@gmail.com>
wrote:

> Hi Knox Users,
>
> I am rethreading this error I am getting as I mentioned it in a different
> thread that was about a different error (sorry to those active on the other
> email thread).
>
> I am running into an issue with KnoxSSO with the pac4j OIDC federation
> provider. When accessing the gateway, I am correctly redirected to my
> configured OpenID provider and upon successful authentication, redirected
> back to Knox but resulting in error. I am posting the relevant config files
> as well as the errors below. I have switched over to testBasicAuth just to
> confirm that I can connect to the NiFi app, which I can. I am not really
> sure where to go from here. I have sifted the internet and Knox
> documentation on this and haven't been able to find anything. I did find
> some info on this error with play and pac4j with the way the session was
> being handled and assumed that Knox would handle this (if not, it is not
> documented that I can find). Any help is appreciated!
>
> Cheers,
>
> Ryan
>
>
> *Error 1:*
> 2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>
> *Error 2:*
> 2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> 2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
> at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
> at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
> at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.eclipse.jetty.server.Server.handle(Server.java:499)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
> at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
> at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
> at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
> at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
> at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
> at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
> at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
> ... 35 more
>
>
> *knoxsso.xml:*
>   <gateway>
>     <provider>
>         <role>webappsec</role>
>         <name>WebAppSec</name>
>         <enabled>true</enabled>
>         <param><name>xframe.options.enabled</name><value>true</value></param>
>     </provider>
>     <provider>
>         <role>federation</role>
>         <name>pac4j</name>
>         <enabled>true</enabled>
>         <param>
>           <name>pac4j.callbackUrl</name>
>           <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>         </param>
>         <param>
>           <name>clientName</name>
>           <value>OidcClient</value>
>         </param>
>         <param>
>           <name>oidc.id</name>
>           <value>my_client_id</value>
>         </param>
>         <param>
>           <name>oidc.secret</name>
>           <value>my_client_secret</value>
>         </param>
>         <param>
>           <name>oidc.discoveryUri</name>
>           <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
>         </param>
>         <param>
>           <name>oidc.preferredJwsAlgorithm</name>
>           <value>RS256</value>
>         </param>
>     </provider>
> </gateway>
>
> <application>
>   <name>knoxauth</name>
> </application>
>
> <service>
>     <role>KNOXSSO</role>
>     <param>
>         <name>knoxsso.cookie.secure.only</name>
>         <value>false</value>
>     </param>
>     <param>
>         <name>knoxsso.cookie.max.age</name>
>         <value>session</value>
>     </param>
>     <param>
>         <name>knoxsso.token.ttl</name>
>         <value>30000</value>
>     </param>
>     <param>
>        <name>knoxsso.redirect.whitelist.regex</name>
>        <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
> </service>
>
>
>
> *sandbox.xml:*
> <gateway>
> <provider>
>     <role>federation</role>
>     <name>SSOCookieProvider</name>
>     <enabled>true</enabled>
>     <param>
>         <name>sso.authentication.provider.url</name>
>         <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>     </param>
> </provider>
>
> <provider>
>     <role>identity-assertion</role>
>     <name>Default</name>
>     <enabled>true</enabled>
> </provider>
>     </gateway>
>
>     <service>
>         <role>NIFI</role>
>         <url>http://localhost:8080</url>
>     </service>
>     <application>
>         <role>admin-ui</role>
>     </application>
>     <service>
>         <role>KNOX</role>
>     </service>
>
>
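The second error in the quoted trace comes from pac4j's check that the `state` value echoed back by the OpenID provider equals the one minted when the user was first redirected. The Python model below is an added illustration, not Knox or pac4j code: it walks the state round trip, does the comparison at the callback in constant time, and shows the two ways that check produces exactly the message above, a callback carrying a state the session never minted (a forged or stale request) and, the case a misconfigured deployment usually hits, a callback that arrives without the session cookie holding the expected state, so the gateway sees a fresh, empty session. The authorization endpoint `https://idp.example/authorize`, the in-memory session store and the authorization code value are constructed for the example; the callback URL and client id are the ones from the quoted knoxsso.xml.

```python
"""Model of the OIDC ``state`` round trip and the relying-party check behind
"State parameter is different from the one sent in authentication request".
Added illustration; not Knox or pac4j code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the quoted knoxsso.xml; the endpoint is a constructed placeholder.
REDIRECT_URI = "https://localhost:8443/gateway/knoxsso/api/v1/websso"
CLIENT_ID = "my_client_id"
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"  # constructed


class SessionStore:
    """Minimal cookie-keyed server-side session store (constructed for the example)."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # A missing or unknown session cookie yields an empty session, just as a
        # servlet container would hand out a brand-new one with nothing in it.
        return self._sessions.get(sid, {})


class StateMismatch(Exception):
    """Raised when the callback state cannot be tied to the session that started login."""


def begin_login(store, session_id, authorize_endpoint, client_id, redirect_uri):
    """Relying-party side of the redirect: mint an unguessable state, remember it
    in the caller's session, and build the authorization request URL."""
    session = store.get(session_id)
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(store, session_id, callback_url):
    """Relying-party side of the callback: the echoed state must equal the one
    stored in the *same* session that began the login. The stored value is
    consumed on first use so a replayed callback is rejected too."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    expected = store.get(session_id).pop("oidc_state", None)
    if (expected is None or returned_state is None
            or not hmac.compare_digest(expected, returned_state)):
        raise StateMismatch(
            "State parameter is different from the one sent in authentication "
            "request. Session expired or possible threat of cross-site request forgery")
    return query["code"][0]


def simulate_provider(authorize_url, code="constructed-auth-code"):
    """Stand-in for the OpenID provider: after 'authenticating' the user it sends
    the browser back to redirect_uri with a code and the untouched state."""
    q = parse_qs(urlparse(authorize_url).query)
    return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"


def login_round_trip(cookie_returned=True, tampered_state=None):
    """Run one login. Returns ("ok", code) or ("error", message).

    cookie_returned=False models the browser not presenting the session cookie
    on the callback, so the gateway sees a fresh session with no stored state.
    tampered_state models a callback whose state the session never minted."""
    store = SessionStore()
    sid = store.new()
    callback = simulate_provider(
        begin_login(store, sid, AUTHORIZE_ENDPOINT, CLIENT_ID, REDIRECT_URI))
    if tampered_state is not None:
        code = parse_qs(urlparse(callback).query)["code"][0]
        callback = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': tampered_state})}"
    sid_on_callback = sid if cookie_returned else None
    try:
        return ("ok", handle_callback(store, sid_on_callback, callback))
    except StateMismatch as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    print(login_round_trip())
    print(login_round_trip(cookie_returned=False))
    print(login_round_trip(tampered_state="not-the-minted-state"))
```

The practical reading for a deployment is that the "session expired" branch and the "cross-site request forgery" branch are indistinguishable at the callback: both show up as a state that does not match, so the first thing to confirm is that the session cookie set on the initial redirect is actually sent back on the callback request.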
