Knime OpenId Connect

b_kochs · October 2, 2024, 1:57pm

Hello,
the configuration of openID Connect is nearly finished.
When a Url to Knime-Webportal is submitted a Button is presented to connect to the openID-Server (Microsoftonline) and the Testuser is able to connect.
But instead of a https Redirect-Url a http Redirect-Url is generated and compared , which leads to a hold, because it does not match one of the stored Redirect-Url,
which all start with https.

Error:
Message: AADSTS50011: The redirect URI ‘http://cloudserver/knime_cloud/’ specified in the request does not match the redirect URIs configured for the application ‘a1a2’.
Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.

One of the redirect Urls is https://cloudserver/knime_cloud/ so the Microsoft OpenID server : “auth-server-url”: “https://login.microsoftonline.com/a1a2/v2.0”
communicates directly with the knime-server.

I don’t know where the Microsoft OpenID server get’s the hint that http://cloudserver/knime_cloud/ is the right Redirect Url .

If only the protocol could be changed from http to https , the whole url would match.
Configurational changes should be done either the Apache Webserver or Knime-Server?

Greeting B.Kochs

thor · October 3, 2024, 8:38am

The redirect URI is added as a query parameter to the URL leading to the identity provider. KNIME Server uses the URL it receives in the client request. Since you mentioned it seems that the proxy configuration is not entirely correct so that the Tomcat server behind Apache does not see the https protocol. Please check whether you have

RequestHeader set X-Forwarded-Proto "https"

in your Apache configuration (see
KNIME Server Administration Guide).

b_kochs · October 3, 2024, 10:52am

Hello thor
unfortunately RequestHeader set X-Forwarded-Proto “https” does not work.
It was inserted in knime.conf (and tested) before .

Only to mention : I had to insert a Header edit Location to change the Location
Header to https:

Header edit Location ^http://(.*)$ https://$1

In the OpenId configuration
apache-tomcat-9.0.58/conf/Catalina/localhost/knime-oidc-config.json
I wanted to rewrite http Url to https , which has no effect:
“redirect-rewrite-rules”: “^http://(.*)$ https://$1”

What is the right syntax for this rewrite command?

Greeting B.Kochs

thor · October 3, 2024, 1:00pm

We have a couple of KNIME Server running with this configuration without any issues. Please double-check your Apache configuration. Here’s how it looks for us (real example):

<VirtualHost *:443>
    Include ssl.inc
    ServerName xxx.testing.knime.com
    ServerAlias xxx.testing.knime.com
    DocumentRoot /var/www/html

    RewriteEngine On
    RewriteRule ^/?$ https://xxx.testing.knime.com/knime/ [R=302]
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPreserveHost on
    ProxyRequests Off
    ProxyPass /knime http://localhost:40108/knime
    ProxyPass /com.knime.enterprise.sketcher.ketcher http://localhost:40108/com.knime.enterprise.sketcher.ketcher

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile ...
    SSLCertificateKeyFile ...
</VirtualHost>