The use case described here is a web application that:

  1. Is proxied via KnoxGateway (a service definition for the web app is required)
  2. Leverages KnoxSSO (either natively or via the SSOCookieProvider in the Knox topology)
  3. Has a backend that makes Hadoop API calls through Knox using the KnoxSSO cookie (this requires a topology with the SSOCookieProvider)

As long as the KnoxSSO cookie is valid, it can be replayed by the backend for API calls.

There may be a window where the cookie is valid for the request to the web app but is no longer valid by the time the backend makes the API call.

We will need to be able to react to a redirect in that case.

Alternatively, you could leverage the KnoxToken service to exchange the KnoxSSO cookie for a JWT token with associated metadata and manage that token in the application session, requesting a new token prior to expiration.

This would require another topology that is protected by the JWTProvider rather than the SSOCookieProvider, and it would require that you send the token to the API calls as a bearer token rather than as a cookie.
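A sketch of the backend side of the token approach, added here as an example and not code from Knox or from the original text: it keeps the token in a session object, requests a new one before expiration, and treats a redirect as "re-authenticate" instead of following it. `KnoxTokenSession`, `exchange`, `send`, `REFRESH_SKEW`, the `/sso-login` location and the status codes treated as a rejection are all assumptions; `exchange` stands in for the KnoxToken call and `send` for an HTTP client with redirect-following disabled.

```python
import base64, json, time

REFRESH_SKEW = 30  # assumed: refresh when 30 s or less of lifetime remain

class ReauthRequired(Exception):
    """Knox rejected the credential; the user must go back through KnoxSSO."""

def jwt_exp(token):
    # Read exp (epoch seconds) unverified: scheduling only, Knox still validates.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class KnoxTokenSession:
    def __init__(self, exchange, send, now=time.time):
        self.exchange = exchange  # hypothetical: () -> JWT string from KnoxToken
        self.send = send          # hypothetical: (path, headers) -> (status, headers, body)
        self.now, self.token = now, None

    def bearer(self):
        # Request a new token prior to expiration.
        if self.token is None or jwt_exp(self.token) - self.now() <= REFRESH_SKEW:
            self.token = self.exchange()
        return self.token

    def call(self, path):
        status, hdrs, body = self.send(path, {"Authorization": "Bearer " + self.bearer()})
        # Never follow a redirect to a login page and parse it as API data.
        if status in (301, 302, 303, 307, 401):
            self.token = None
            raise ReauthRequired(hdrs.get("Location", ""))
        return body

def fake_jwt(exp):
    # Constructed, unsigned sample token: header.payload.signature
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"sub": "guest", "exp": exp}) + ".sig"

def demo():
    clock, issued = [1000], []
    def exchange():
        issued.append(fake_jwt(clock[0] + 60))
        return issued[-1]
    def send(path, h):  # constructed stand-in for Knox
        live = jwt_exp(h["Authorization"][7:]) > clock[0]
        return (200, {}, "ok") if live else (302, {"Location": "/sso-login"}, "")
    s = KnoxTokenSession(exchange, send, now=lambda: clock[0])
    for _ in range(3):  # calls at t=1000, 1020, 1040; the last one refreshes
        s.call("/webhdfs"); clock[0] += 20
    return len(issued)
```

The same redirect check applies when the backend replays the KnoxSSO cookie instead of a bearer token, since that is the case where the cookie can expire between the page request and the API call.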


Browser -> KnoxGateway: 1. requestWebApp
KnoxGateway -> SSOCookieProvider: 2. checkForCookie
SSOCookieProvider -> Browser: 3. redirectToKnoxSSO
Browser -> KnoxSSO: 4. determineIdP
KnoxSSO -> Browser: 5. challengeForAuthn
Browser -> KnoxSSO: 6. authenticate
KnoxSSO -> Browser: 7. redirectToKnoxGateway
Browser -> KnoxGateway: 8. requestWebApp(cookie)
KnoxGateway -> SSOCookieProvider: 9. checkForCookie
SSOCookieProvider -> KnoxGateway: 10. continueToWebApp
KnoxGateway -> Dispatch: 11. dispatchToWebApp
Dispatch -> WebApp: 12. getWebAppPage(cookie,|doas)
WebApp -> KnoxGateway: 13. requestWebHDFS(cookie|bearerToken)
KnoxGateway -> SSOCookieProvider: 14. checkForCookieOrBearerToken
SSOCookieProvider -> KnoxGateway: 15. continueToWebHDFS
KnoxGateway -> Dispatch: 16. dispatchToWebHDFS
Dispatch -> WebHDFS: 17. getWebHDFS(cookie,|doas)
WebHDFS -> KnoxGateway: 18. WebHDFSResponse
KnoxGateway -> WebApp: 19. WebHDFSResponse
WebApp -> KnoxGateway: 20. getWebAppPageResponse
KnoxGateway -> Browser: 21. renderPage