KNIME Server OpenID Connect fails to authenticate against a valid access token

Hi,

I am configuring KNIME Server to connect to an IDP (Azure B2C in my case). When I pass the access token in the Authorization header I get a 200 OK response but an empty body (this is through an API client).
When I try to access the KNIME Server from a browser tab with a valid access token (tokens are set in localStorage) it returns with an error -
java.lang.NullPointerException
com.google.common.base.Preconditions.checkNotNull(Preconditions.java:787)
com.google.common.cache.LocalCache.getIfPresent(LocalCache.java:4127)
com.google.common.cache.LocalCache$LocalManualCache.getIfPresent(LocalCache.java:5047)
com.knime.enterprise.tomcat.authenticator.oidc.KnimeOAuthUserinfo.getUserinfoString(KnimeOAuthUserinfo.java:106)
com.knime.enterprise.tomcat.authenticator.oidc.KnimeOAuthUserinfo.getUserinfoToken(KnimeOAuthUserinfo.java:84)
com.knime.enterprise.tomcat.authenticator.oidc.KnimeOAuthRequestAuthenticator.resolveCode(KnimeOAuthRequestAuthenticator.java:250)
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280)
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203)
org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50)
com.knime.enterprise.tomcat.authenticator.KnimeServerAuthenticator.doAuthenticate(KnimeServerAuthenticator.java:453)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:575)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1050)
org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$4.completed(Nio2Endpoint.java:630)
org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$4.completed(Nio2Endpoint.java:608)
org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:960)
org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:889)
sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
sun.nio.ch.Invoker$2.run(Invoker.java:218)
sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:748)

The knime-oidc-config:
{
"auth-server-url": "https://.b2clogin.com//v2.0/",
"authorization-endpoint": "https://.b2clogin.com/.onmicrosoft.com/oauth2/v2.0/authorize?p=",
"token-endpoint": "https://.b2clogin.com/.onmicrosoft.com/oauth2/v2.0/token?p=",
"jwks-endpoint": "https://.b2clogin.com/truatab2c.onmicrosoft.com/discovery/v2.0/keys?p=",
"userinfo-endpoint": "https://graph.microsoft.com/v1.0/me",
"resource": "client-id",
"credentials": {
"secret" : "secret"
},
"additional-authorization-endpoint-parameters": "",
"additional-scopes": "openid email",
"principal-attribute": "emails",
"use-userinfo-for-principal": "false"
}
From the error it seems that the KNIME Server is fetching the user information from the userinfo-endpoint, although I have set the use-userinfo-for-principal parameter to false.

So my question is -

  • Is the KNIME Server calling the userinfo endpoint? If yes, what attribute is it expecting that is not available in the access token claims?
  • How can I configure KNIME so that it uses a principal attribute in the access token provided?

Hi @schitranshi,

Thank you for trying out the preview feature!

Regarding your questions:

  1. Yes, the KNIME Server is actually calling the userinfo endpoint. It seems that the userinfo is not properly returned; you could try calling the userinfo endpoint directly (for example using Postman) and see what the userinfo endpoint actually returns.
  2. The authenticator is always calling the userinfo endpoint. For the upcoming release the use-userinfo-for-principal option will no longer be available, since that led to complications with multiple identity providers.

Also you do not need to specify the openid scope, since the KNIME Server relies on that scope and will always supply it.

If you need further help please let us know!
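To follow the suggestion above of calling the userinfo endpoint directly, here is an added diagnostic script (not part of this thread and not KNIME's own code) that fetches the configured userinfo endpoint with a bearer token and checks whether the configured principal-attribute is present and usable as a single principal value. The endpoint URL, token and attribute name are assumed to come from environment variables; when they are not set it runs against constructed sample responses that cover the cases discussed here: an empty 200 body, a missing claim, and a multi-valued claim (the check treats a list with several entries as unusable, which is an assumption about what a principal needs, not documented KNIME behaviour).

```python
"""Diagnostic for an OIDC userinfo endpoint and a configured principal attribute.

Added illustration, not KNIME Server code. Assumed inputs (environment variables):
  USERINFO_ENDPOINT, ACCESS_TOKEN, PRINCIPAL_ATTRIBUTE
"""
import json
import os
import urllib.error
import urllib.request


def parse_userinfo(raw):
    """Return the JSON object from the response body, or None when the body is
    empty or is not a JSON object (an empty 200 body is a real failure mode)."""
    if not raw.strip():
        return None
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def check_principal_attribute(userinfo, principal_attribute):
    """Return (ok, message). ok is True only when the claim exists and yields
    exactly one non-empty string value."""
    if principal_attribute not in userinfo:
        return False, (f"claim '{principal_attribute}' missing; claims present: "
                       f"{sorted(userinfo)}")
    value = userinfo[principal_attribute]
    # Some providers return multi-valued claims (e.g. a list of e-mail addresses).
    if isinstance(value, list):
        strings = [v for v in value if isinstance(v, str) and v.strip()]
        if len(strings) == 1:
            return True, f"claim '{principal_attribute}' is a single-element list: {strings[0]!r}"
        return False, (f"claim '{principal_attribute}' has {len(value)} entries; "
                       "a principal needs exactly one value")
    if isinstance(value, str) and value.strip():
        return True, f"claim '{principal_attribute}' = {value!r}"
    return False, f"claim '{principal_attribute}' has unusable value {value!r}"


def fetch_userinfo(endpoint, access_token, timeout=10.0):
    """GET the userinfo endpoint with a bearer token.
    Returns (status, parsed_body_or_None, raw_text); status is None on a network error."""
    req = urllib.request.Request(endpoint, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read().decode("utf-8", errors="replace")
    except urllib.error.URLError as err:
        return None, None, str(err)
    return status, parse_userinfo(raw), raw


def diagnose(raw_body, principal_attribute):
    """Combine parsing and the claim check into one (ok, message) verdict."""
    userinfo = parse_userinfo(raw_body)
    if userinfo is None:
        return False, "userinfo body is empty or not a JSON object"
    return check_principal_attribute(userinfo, principal_attribute)


# Constructed sample responses (not captured from any real provider).
SAMPLE_RESPONSES = {
    "empty body": ("", "emails"),
    "claim missing": ('{"sub": "abc", "name": "Jane"}', "emails"),
    "multi-valued": ('{"sub": "abc", "emails": ["a@example.com", "b@example.com"]}', "emails"),
    "single value": ('{"sub": "abc", "email": "a@example.com"}', "email"),
}


def run_samples():
    """Return {label: (ok, message)} for the constructed samples."""
    return {label: diagnose(body, attr) for label, (body, attr) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    endpoint = os.environ.get("USERINFO_ENDPOINT")
    token = os.environ.get("ACCESS_TOKEN")
    attr = os.environ.get("PRINCIPAL_ATTRIBUTE", "email")
    if endpoint and token:
        status, _, raw = fetch_userinfo(endpoint, token)
        print(f"HTTP {status}; body length {len(raw)}")
        print(diagnose(raw, attr))
    else:
        for label, verdict in run_samples().items():
            print(f"{label:>14}: {verdict}")
```

Run it with the three environment variables set to exercise the real endpoint; the message it prints tells you whether the problem is an empty body, a missing claim, or a claim shape that cannot serve as a single principal.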

Thanks for the response.
So as a quick test, I have put in place a custom API which mocks the userinfo endpoint and returns the attribute I have set in the principal-attribute parameter. It still fails with the same error.

Hi,
I also tried enabling SSO with KNIME Server following Enterprise User Authentication using Keycloak IAM (in which I have configured Microsoft AD as IDP for the client) and changed the config files accordingly. But I am getting the below attached error message on accessing KNIME Server from a browser.

Configs added in files are as follows:
knime.xml (changes only):
<Valve className="com.knime.enterprise.tomcat.authenticator.KnimeServerAuthenticator" enableSpnego="false" basicAuthPaths="/rest" formAuthPaths="/" secretKey="some_key" enableOAuth="true" enableBasicAuthWithOAuth="false" oAuthConfigurationPath="path_to_tomcat/conf/Catalina/localhost/knime-oidc-config.json"/>

knime-oidc-config.json:
{
"identity-provider-name" : "KEYCLOAK",
"auth-server-url": "http://IP:8080/auth/realms/r1",
"authorization-endpoint" : "http://IP:8080/auth/realms/r1/protocol/openid-connect/auth",
"token-endpoint" : "http://IP:8080/auth/realms/r1/protocol/openid-connect/token",
"jwks-endpoint" : "http://IP:8080/auth/realms/r1/protocol/openid-connect/certs",
"userinfo-endpoint" : "http://IP:8080/auth/realms/r1/protocol/openid-connect/userinfo",
"resource": "client id",
"credentials": {
"secret" : "some secret"
},
"additional-scopes": "openid address email",
"principal-attribute": "email"
}

Not able to identify the cause of the error and see the KNIME Server logs. The principal attribute mentioned here is in sync with the attributes returned by the userinfo endpoint API (tried using Postman). Any help would be much appreciated.

Thanks