Hi,
I am configuring KNIME Server to connect to an IdP (Azure B2C in my case). When I pass the access token in the Authorization header I get a 200 OK response but an empty body (this is through an API client).
When I try to access the KNIME server from a browser tab with a valid access token (tokens are set in localStorage) it returns with an error:
java.lang.NullPointerException
com.google.common.base.Preconditions.checkNotNull(Preconditions.java:787)
com.google.common.cache.LocalCache.getIfPresent(LocalCache.java:4127)
com.google.common.cache.LocalCache$LocalManualCache.getIfPresent(LocalCache.java:5047)
com.knime.enterprise.tomcat.authenticator.oidc.KnimeOAuthUserinfo.getUserinfoString(KnimeOAuthUserinfo.java:106)
com.knime.enterprise.tomcat.authenticator.oidc.KnimeOAuthUserinfo.getUserinfoToken(KnimeOAuthUserinfo.java:84)
com.knime.enterprise.tomcat.authenticator.oidc.KnimeOAuthRequestAuthenticator.resolveCode(KnimeOAuthRequestAuthenticator.java:250)
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280)
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203)
org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50)
com.knime.enterprise.tomcat.authenticator.KnimeServerAuthenticator.doAuthenticate(KnimeServerAuthenticator.java:453)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:575)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1699)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1050)
org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$4.completed(Nio2Endpoint.java:630)
org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$4.completed(Nio2Endpoint.java:608)
org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:960)
org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:889)
sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
sun.nio.ch.Invoker$2.run(Invoker.java:218)
sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:748)
The knime-oidc-config:
{
"auth-server-url": "https://.b2clogin.com//v2.0/",
"authorization-endpoint": "https://.b2clogin.com/.onmicrosoft.com/oauth2/v2.0/authorize?p=",
"token-endpoint": "https://.b2clogin.com/.onmicrosoft.com/oauth2/v2.0/token?p=",
"jwks-endpoint": "https://.b2clogin.com/truatab2c.onmicrosoft.com/discovery/v2.0/keys?p=",
"userinfo-endpoint": "https://graph.microsoft.com/v1.0/me",
"resource": "client-id",
"credentials": {
"secret": "secret"
},
"additional-authorization-endpoint-parameters": "",
"additional-scopes": "openid email",
"principal-attribute": "emails",
"use-userinfo-for-principal": "false"
}
From the error it seems that the KNIME server is fetching the user information from the userinfo-endpoint, although I have set the use-userinfo-for-principal parameter to false.
So my questions are:
- Is the KNIME server calling the userinfo endpoint? If yes, what attribute is it expecting that is not available in the access token claims?
- How can I configure KNIME so that it uses a principal attribute from the provided access token?
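An added diagnostic for the first question above (this is example code written for this page, not KNIME's code and not part of the original post): it decodes the access token's claims locally and reports whether the claim named in principal-attribute is actually present, resolving the Azure B2C "emails" claim, which B2C issues as an array, to a single string the way a single-valued principal would need. The sample token, its issuer, audience and claim values are constructed placeholders, and the signature is deliberately not verified, so the script is for inspecting a token you already hold, never for trusting one.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Local inspection only: never make an authorization decision on claims that
    have not been verified against the issuer's jwks-endpoint.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def principal_from_claims(claims: dict, attribute: str):
    """Resolve the value a 'principal-attribute' setting would point at.

    Azure B2C issues 'emails' as a JSON array, so an array claim is reduced
    to its first element. Returns None when the claim is absent or empty,
    which is the situation the post is trying to diagnose.
    """
    value = claims.get(attribute)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) JWT for offline testing.

    This is not a token from Azure B2C; only the claim shape mimics one.
    """
    header = {"alg": "none", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    return ".".join([
        _b64url_encode(json.dumps(header, **compact).encode()),
        _b64url_encode(json.dumps(claims, **compact).encode()),
        "",  # empty signature segment for an unsecured JWT
    ])


# Constructed sample claims: 'emails' (array) is present, a single-valued
# 'email' claim is not. Issuer and audience are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://example.b2clogin.com/example-tenant/v2.0/",
    "aud": "client-id",
    "emails": ["alice@example.com"],
    "scp": "openid email",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)


def report(token: str, attribute: str) -> str:
    """One-line summary of whether the principal attribute is in the token."""
    claims = decode_claims(token)
    value = principal_from_claims(claims, attribute)
    if value is None:
        return (f"claim '{attribute}' NOT in access token; "
                f"claims present: {sorted(claims)}")
    return f"principal from '{attribute}': {value}"


if __name__ == "__main__":
    # Paste a real access token in place of SAMPLE_TOKEN to inspect it.
    print(report(SAMPLE_TOKEN, "emails"))
    print(report(SAMPLE_TOKEN, "email"))
```

Run it against the token the API client sends and against the one the browser tab stores: if the attribute named in principal-attribute only shows up in the ID token and not in the access token, no server-side setting can read it from the access token, and the comparison of the two tokens' claim lists is the quickest way to see that.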