Hi, I'm trying to use Azure as an OIDC provider for Apache Knox within an HDP cluster.

My environment:

  • Hortonworks Cloudbreak 2.9.1
  • HDP 3.1.4.0-315
  • Ambari 2.7.4.0
  • Apache Knox 1.0.0
  • Azure

This is my knoxsso.xml topology:

<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>pac4j</name>
            <enabled>true</enabled>
            <param>
                <name>pac4j.callbackUrl</name>
                <value>https://<master_node_external_ip>:8443/clustername/knoxsso/api/v1/websso</value>
            </param>
            <param>
                <name>clientName</name>
                <value>OidcClient</value>
            </param>
            <param>
                <name>oidc.id</name>
                <value><application_id from Azure AD></value>
            </param>
            <param>
                <name>oidc.secret</name>
                <value><secret from Azure AD></value>
            </param>
            <param>
                <name>oidc.discoveryUri</name>
                <value>https://login.microsoftonline.com/<tenant_id from Azure>/.well-known/openid-configuration</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>false</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>100000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(<master_external_ip>|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>
</topology>

This is my cluster topology (default.xml):

<?xml version="1.0" encoding="UTF-8"?>
<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
                <name>cors.enabled</name>
                <value>true</value>
            </param>
        </provider>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>https://<master_node_external_ip>:8443/clustername/knoxsso/api/v1/websso</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>WEBHDFS</role>
        <url>http://<webhdfs_private_fqdn>:50070/webhdfs</url>
    </service>
    ...
</topology>

Added to Azure -> AAD -> app -> Authentication -> Redirect URIs:

https://<master_node_external_ip>:8443/clustername/knoxsso/api/v1/websso

So I'm trying to open this in the browser:

https://<master_node_external_ip>:8443/clustername/default/webhdfs/v1/?op=LISTSTATUS

It redirects me to https://login.microsoftonline.com/... and asks for a username and password, which is what I expected. But after a successful login, I get an error:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '<app_id>'.

And part of the login URL contains the redirect URL:

redirect_uri=https://<master_node_external_ip>:8443/clustername/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient&scope=openid+profile+email&state=<some_random_string>

What am I doing wrong?

2 Answers


This should be resolved in Apache Knox 1.3.0; see: https://issues.apache.org/jira/browse/KNOX-1191

There is also an OIDC community article that doesn't use AAD but does show the OIDC config for the pac4j provider, available here: https://community.cloudera.com/t5/Community-Articles/Configure-Knox-with-OpenID-Connect/ta-p/247758

lmccay


The redirect URI in Azure must be:

https://<master_node_external_ip>:8443/clustername/knoxsso/api/v1/websso?pac4jCallback=true&client_name=OidcClient

Now I'm getting a new error:

ERR_TOO_MANY_REDIRECTS

There is a thread about this issue: mailing list
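The AADSTS50011 error in the question and the fix in the second answer are both explained by how the identity provider compares reply URLs: the redirect_uri in the authorization request is matched against the registered reply URLs as a complete string, query string included (RFC 6749 §3.1.2.3 calls this simple string comparison for fully registered URIs), so the bare callback URL registered in the question cannot match the URL pac4j actually sends, which carries `?pac4jCallback=true&client_name=OidcClient`. The following Python script is an added example, not code from the question, the answers, Apache Knox or pac4j: it pulls the redirect_uri out of a login URL and reports, for each registered reply URL, which URI components block the match. The tenant, app id, master node IP (10.0.0.1) and state value are constructed placeholders, and the authorization endpoint path is assumed.

```python
"""Model the exact-match reply-URL check an OIDC provider applies.

Added example (not part of the original question or answers). The
redirect_uri parameter of the authorization request is compared with each
registered reply URL component by component: scheme, host:port, path and
query string must all be identical for the request to be accepted.
All URLs below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the login URL the browser is redirected to, with a
# placeholder tenant, app id, master node IP and state; the redirect_uri is
# percent-encoded the way a real authorization request carries it.
LOGIN_URL = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
    "?client_id=APP_ID&response_type=code"
    "&redirect_uri=https%3A%2F%2F10.0.0.1%3A8443%2Fclustername%2Fknoxsso"
    "%2Fapi%2Fv1%2Fwebsso%3Fpac4jCallback%3Dtrue%26client_name%3DOidcClient"
    "&scope=openid+profile+email&state=RANDOM_STATE"
)

# Constructed samples: the bare callback URL registered in the question and
# the callback URL including pac4j's query string from the second answer.
REGISTERED_BARE = ["https://10.0.0.1:8443/clustername/knoxsso/api/v1/websso"]
REGISTERED_WITH_QUERY = [
    "https://10.0.0.1:8443/clustername/knoxsso/api/v1/websso"
    "?pac4jCallback=true&client_name=OidcClient"
]

# The URI components that take part in the comparison.
COMPONENTS = ("scheme", "netloc", "path", "query")


def extract_redirect_uri(login_url: str) -> str:
    """Return the percent-decoded redirect_uri parameter of an authorization
    request URL; a request with zero or several values is rejected."""
    params = parse_qs(urlsplit(login_url).query, strict_parsing=True)
    values = params.get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("authorization request must carry exactly one redirect_uri")
    return values[0]


def components(uri: str) -> dict:
    """Split a URI into the compared components. RFC 6749 forbids fragments
    in redirect URIs, so a fragment is treated as an error, not ignored."""
    parts = urlsplit(uri)
    if parts.fragment:
        raise ValueError("redirect URI must not contain a fragment")
    return {name: getattr(parts, name) for name in COMPONENTS}


def mismatches(requested: str, registered: str) -> list:
    """Names of the components in which the requested URI differs from one
    registered reply URL; an empty list means an exact match."""
    req, reg = components(requested), components(registered)
    return [name for name in COMPONENTS if req[name] != reg[name]]


def reply_url_matches(requested: str, registered_uris: list) -> bool:
    """Accept the request only if some registered URI matches exactly."""
    return any(not mismatches(requested, reg) for reg in registered_uris)


def diagnose(login_url: str, registered_uris: list) -> dict:
    """Map each registered reply URL to the components that keep it from
    matching the redirect_uri found in the login URL."""
    requested = extract_redirect_uri(login_url)
    return {reg: mismatches(requested, reg) for reg in registered_uris}


if __name__ == "__main__":
    requested = extract_redirect_uri(LOGIN_URL)
    print("requested redirect_uri:", requested)
    for label, registered in (("bare", REGISTERED_BARE),
                              ("with pac4j query", REGISTERED_WITH_QUERY)):
        verdict = "match" if reply_url_matches(requested, registered) else "mismatch"
        print(f"{label}: {verdict} {diagnose(LOGIN_URL, registered)}")
```

Running it shows the bare registration failing on the `query` component only, while the registration that includes the pac4j parameters matches; the same `diagnose` output pinpoints a wrong scheme, a missing port or a path typo when the mismatch is elsewhere, which is a quicker check than reading the provider's error page.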