Apache Knox / KNOX-2565

KNOX 1.5.0 can not login sso with oidc (pac4j 4.0.3)


Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 1.5.0
    • Fix Version/s: None
    • Component/s: KnoxSSO
    • Labels: None

    Description

      When I upgraded KNOX from 1.4.0 to 1.5.0, I found that I cannot log in to KNOX by OIDC. This is the error log:

      2021-03-31 18:52:45,094 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:get(109)) - Get from session: OidcClient$attemptedAuthentication = null
      2021-03-31 18:52:45,095 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:set(149)) - Save in session: OidcClient$stateSessionParameter = 2a265d500f
      2021-03-31 18:52:45,321 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:set(149)) - Save in session: OidcClient$nonceSessionParameter = mKp7Ax_dBk1_RAFHqkF6kSrLkrzlCW_sbV2R6t50psg
      2021-03-31 18:52:45,449 DEBUG org.apache.knox.gateway.pac4j.session.KnoxSessionStore (KnoxSessionStore.java:set(149)) - Save in session: OidcClient$codeVerifierSessionParameter = com.nimbusds.oauth2.sdk.pkce.CodeVerifier@8dcb5aae
      2021-03-31 18:52:45,450 ERROR org.apache.knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.lang.ClassCastException: class com.nimbusds.oauth2.sdk.pkce.CodeVerifier cannot be cast to class java.io.Serializable (com.nimbusds.oauth2.sdk.pkce.CodeVerifier is in unnamed module of loader java.net.URLClassLoader @70177ecd; java.io.Serializable is in module java.base of loader 'bootstrap')
      java.lang.ClassCastException: class com.nimbusds.oauth2.sdk.pkce.CodeVerifier cannot be cast to class java.io.Serializable (com.nimbusds.oauth2.sdk.pkce.CodeVerifier is in unnamed module of loader java.net.URLClassLoader @70177ecd; java.io.Serializable is in module java.base of loader 'bootstrap')
              at org.apache.knox.gateway.pac4j.session.KnoxSessionStore.compressEncryptBase64(KnoxSessionStore.java:118)
              at org.apache.knox.gateway.pac4j.session.KnoxSessionStore.set(KnoxSessionStore.java:151)
              at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.addStateAndNonceParameters(OidcRedirectionActionBuilder.java:112)
              at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.getRedirectionAction(OidcRedirectionActionBuilder.java:77)
              at org.pac4j.core.client.IndirectClient.getRedirectionAction(IndirectClient.java:110)
              at org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:224)
              at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:157)
              at org.pac4j.jee.filter.SecurityFilter.internalFilter(SecurityFilter.java:83)
              at org.pac4j.jee.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:70)
              at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:267)
              at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:363)
              at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:262)
              at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
              at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
              at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:363)
              at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:262)
              at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:166)
              at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:93)
              at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:135)
              at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1443)
              at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
              at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
              at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:228)
              at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
              at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
              at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
              at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
              at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
              at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
              at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
              at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
              at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
              at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
              at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:41)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:106)
              at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
              at org.eclipse.jetty.server.Server.handle(Server.java:516)
              at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
              at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
              at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
              at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
              at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
              at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
              at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)
              at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
              at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
              at java.base/java.lang.Thread.run(Unknown Source)
      

      I checked the KNOX 1.5 code and found that KNOX upgraded pac4j from 3.8.5 to 4.0.3. In pac4j 4.0.3, pac4j added a new parameter named pkce:
      https://github.com/pac4j/pac4j/blob/6e6e02947e7d42213130b8fc8116d767e2d944c9/pac4j-oidc/src/main/java/org/pac4j/oidc/config/OidcConfiguration.java#L91

      pkce is enabled by default, so it stores a CodeVerifier object in the session store, and that object cannot be cast to Serializable:
      https://github.com/pac4j/pac4j/blob/c3df8a6dedc2a653f8691bd8efbbbcd8e684bed5/pac4j-oidc/src/main/java/org/pac4j/oidc/redirect/OidcRedirectionActionBuilder.java#L104

      The error is caused by https://github.com/apache/knox/blob/025a014e63509383ee2c8d0cf72338fcd2a1f44d/gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStore.java#L118
      I think we cannot log in by OIDC successfully at all; I hope this problem can be fixed as soon as possible.
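As an added illustration (not Knox's or pac4j's code, and not the project's eventual fix), the following self-contained Java sketch reproduces the failing cast from the stack trace above and shows one way a cookie-backed session store can cope with a non-Serializable PKCE verifier. The `CodeVerifier` class here is a stand-in for `com.nimbusds.oauth2.sdk.pkce.CodeVerifier`; it assumes only the `getValue()` accessor and the `String` constructor of the real class, and the key name is taken from the DEBUG log in the report.

```java
import java.io.*;
import java.util.Base64;

public class Pac4jSessionValueDemo {
    // Stand-in for com.nimbusds.oauth2.sdk.pkce.CodeVerifier: a value holder that
    // does NOT implement Serializable (the real class also validates the value length).
    static final class CodeVerifier {
        private final String value;
        CodeVerifier(String value) { this.value = value; }
        String getValue() { return value; }
    }

    // Same shape as the failing path in the report: KnoxSessionStore.set ->
    // compressEncryptBase64 casts the value to Serializable before encoding it.
    static String encodeOriginal(Object value) throws IOException {
        return serialize((Serializable) value);   // ClassCastException for CodeVerifier
    }

    // Hardened variant (illustrative): store the verifier's String form, which is
    // all the callback needs to finish the PKCE exchange; reject anything else
    // that still is not Serializable instead of failing deep inside the encoder.
    static String encodeHardened(Object value) throws IOException {
        Object toStore = value instanceof CodeVerifier ? ((CodeVerifier) value).getValue() : value;
        if (!(toStore instanceof Serializable)) {
            throw new IllegalArgumentException("non-serializable session value: " + toStore.getClass());
        }
        return serialize((Serializable) toStore);
    }

    // Reverse mapping on read: the PKCE entry is rebuilt into a CodeVerifier so
    // pac4j gets back the type it stored. Key suffix taken from the DEBUG log.
    static Object decodeHardened(String key, String encoded) throws IOException, ClassNotFoundException {
        Object raw = deserialize(encoded);
        boolean isVerifier = key.endsWith("codeVerifierSessionParameter") && raw instanceof String;
        return isVerifier ? new CodeVerifier((String) raw) : raw;
    }

    private static String serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(s); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());  // Knox additionally compresses and encrypts
    }

    private static Object deserialize(String encoded) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(encoded);  // only safe because the real cookie is encrypted/authenticated
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) { return ois.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        CodeVerifier v = new CodeVerifier("constructed-sample-verifier-value");  // constructed sample, not a real PKCE value
        try { encodeOriginal(v); } catch (ClassCastException e) { System.out.println("original store: " + e.getMessage()); }
        String stored = encodeHardened(v);
        System.out.println("hardened round trip: " + ((CodeVerifier) decodeHardened("OidcClient$codeVerifierSessionParameter", stored)).getValue());
    }
}
```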

      People

        Assignee: cdmikechen
        Reporter: chenxiang (cdmikechen)