About OpenID/OAuth Problem

We continue to strive for OAuth authentication by modifying knime-oidc-config.json.
The contents of the file are as follows.

{
  "identity-provider-name": "Google Identity Provider",
  "auth-server-url": "https://accounts.google.com/o/oauth2/auth",
  "authorization-endpoint": "https://accounts.google.com/o/oauth2/auth",
  "token-endpoint": "https://oauth2.googleapis.com/token",
  "jwks-endpoint": "https://www.googleapis.com/oauth2/v1/certs",
  "userinfo-endpoint": "https://www.googleapis.com/oauth2/v1/userinfo",
  "resource": "client id",
  "credentials": {
    "secret": "secret key"
  },
  "additional-scopes": "email profile",
  "principal-attribute": "email",
  "group-mapping-claim": "as_user oauth"
}

Redirecting to the Google sign-in page was successful. A 403 error occurs after I log in on the Google page.

Error Page URI:
http://knimedomain:8080/knime/?state=6f397559-0ade-4656-b246-f053d4fea92b&code=4%2F0AX4XfWhI4Qk_FTAI1KFlqbGvoa0MuydrqN8YN0IWKntxSXIA70KkpEaBsthfUrpSTskyNA&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none#

Could I get a sample knime-oidc-config.json related to Google OAuth 2.0?
I'm not sure what the problem is.

I would appreciate it if you could support me on this problem.

Hi @sayu

Have a look and see if this works for you:

{
  "identity-provider-name": "Google",
  "auth-server-url": "https://accounts.google.com/",
  "resource": "",
  "credentials": {
    "secret": ""
  },
  "additional-authorization-endpoint-parameters": "&prompt=select_account&access_type=offline",
  "additional-scopes": "profile email",
  "principal-attribute": "email",
  "redirect-rewrite-rules": {
    "^?scope.*": ""
  },
  "allow-opaque-access-token": "true",
  "principal-attribute-to-username-regex": "@<some-domain>"
}

Most importantly, the "additional-authorization-endpoint-parameters" entry is needed for Google. The "principal-attribute-to-username-regex" entry is optional, in case you want to map email addresses to usernames without the @domain part.

For anyone else coming here, we also have documentation here: KNIME Server Advanced Setup Guide.

Kind regards
Marvin

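As an added check that is not part of this thread or of KNIME itself: a small Python script that reads the text of a knime-oidc-config.json and reports the issues discussed above (typographic quotes, which break JSON parsing; missing keys; an empty client id or secret; and a Google issuer without "additional-authorization-endpoint-parameters"). The two sample configs and their placeholder credentials are constructed, and username_from_email assumes the regex names the part stripped from the email address, which the thread does not spell out.

```python
import json
import re

# Keys the working sample config in this thread sets for every provider.
REQUIRED_KEYS = ("identity-provider-name", "auth-server-url", "resource",
                 "credentials", "principal-attribute")
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # word-processor quotes, invalid in JSON
# Constructed samples: the working config with placeholder credentials, and the
# first post's file with its typographic quotes kept as posted.
GOOD_CONFIG = """{
  "identity-provider-name": "Google",
  "auth-server-url": "https://accounts.google.com/",
  "resource": "client-id-placeholder",
  "credentials": { "secret": "secret-placeholder" },
  "additional-authorization-endpoint-parameters": "&prompt=select_account&access_type=offline",
  "additional-scopes": "profile email",
  "principal-attribute": "email",
  "principal-attribute-to-username-regex": "@example.com"
}"""
BAD_CONFIG = ('{ \u201cauth-server-url\u201d: \u201chttps://accounts.google.com/o/oauth2/auth\u201d, '
              '\u201cresource\u201d: \u201cclient id\u201d, \u201ccredentials\u201d: '
              '{ \u201csecret\u201d : \u201csecret key\u201d }, \u201cprincipal-attribute\u201d: \u201cemail\u201d }')


def validate_oidc_config(text: str) -> list[str]:
    """Return the problems found in the text of a knime-oidc-config.json."""
    problems = []
    if any(ch in text for ch in SMART_QUOTES):
        problems.append("typographic quotes found; JSON needs straight double quotes")
        text = text.translate({ord(c): '"' for c in SMART_QUOTES})  # repair to keep checking
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    problems += [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    creds = cfg.get("credentials")
    if not isinstance(creds, dict) or not creds.get("secret"):
        problems.append("credentials.secret is empty; fill in the client secret")
    if not cfg.get("resource"):
        problems.append("resource is empty; fill in the OAuth client id")
    if ("accounts.google.com" in cfg.get("auth-server-url", "")
            and "additional-authorization-endpoint-parameters" not in cfg):
        problems.append("Google needs additional-authorization-endpoint-parameters")
    return problems


def username_from_email(email: str, regex: str) -> str:
    """Assumed semantics of principal-attribute-to-username-regex: the match is removed."""
    return re.sub(regex, "", email)
```

Run it against the file before restarting the server; an empty list means none of the checks above fired.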

Hi @sayu

I hope you managed to tweak the configuration and got it to work.
Do let us know if you needed any additional changes, or should you still have problems.

Kind regards
Marvin


I really appreciate your help in resolving the problem.
I have an additional question.
Is it possible for KNIME Server to use only OAuth, without OpenID Connect support? I saw that KNIME Server automatically adds openid to the scope parameter.

Hi @sayu

No, we do require OpenID Connect. Is there a reason you need to use OAuth only? Google should work just fine as authentication provider.

Kind regards
Marvin
