knox
KNOX-2794 - Added cookie auth support into JWT federation provider
What changes were proposed in this pull request?
As described in KNOX-2794, the JWT federation filter is enhanced to support authentication using a JWT supplied via an HTTP cookie.
How was this patch tested?
Updated existing JUnit test classes and added new test cases to cover the new functionality. In addition to unit testing, comprehensive manual test steps were executed as follows:
- Deployed a new topology called tokenexchange:
<?xml version="1.0" encoding="UTF-8"?>
<topology>
  <name>tokenexchanged</name>
  <gateway>
    <provider>
      <role>federation</role>
      <name>JWTProvider</name>
      <enabled>true</enabled>
      <param>
        <name>knox.token.use.cookie</name>
        <value>true</value>
      </param>
      <!--
      <param>
        <name>knox.token.cookie.name</name>
        <value>customCookieName</value>
      </param>
      -->
      <param>
        <name>knox.token.exp.server-managed</name>
        <value>true</value>
      </param>
    </provider>
  </gateway>
  <service>
    <role>KNOXTOKEN</role>
    <param>
      <name>knox.token.ttl</name>
      <value>36000000</value>
    </param>
  </service>
</topology>
Started Knox and ran the following curl commands. Please note that at one point I included the knox.token.cookie.name configuration too (see the cases below):
1. Valid hadoop-jwt cookie
curl -iku : --cookie "hadoop-jwt=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9g" -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:28:45 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MjkyNSwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6ImVhZjRlMWY4LWIwNTktNDkxYS05Mjg0LWNhYTEyZDVlMzdjNyJ9.fnn3LHZ_JQWPe8wqi-4Jn_IAg3N9NNhNYLH0DBU3yVmJo1X60U3ab6q-5hAKUwHAzSnQNoGEdTOevKlqfJJqyIf928nISqz_zoO9rZD4os91OfIZpaS0EiovNf8W1FzIEWV-zUO2kVtBJ6ALV_vtrL4c_RrEWnd1zwUWosn2qYIe5_6kw_QAjuqmKRYnOoxCwf4BVJUBn92dlqi16syzCWOEKYI8LF14MjfLYnLXnUqO6urt5VRYR28n5JYEhkQuZYsdT30bLWp3rf9MtFNu9X11tnAoAt15L6KE3kbknO35SM2t9bEbMfWUVzAW_5X7pYoNTQiwXIROyHuuyfZ26w","token_id":"eaf4e1f8-b059-491a-9284-caa12d5e37c7","managed":"false","endpoint_public_cert":"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","token_type":"Bearer","expires_in":1661282925099}
2. Invalid hadoop-jwt cookie (removed a character at the end of the supplied cookie)
curl -iku : --cookie "hadoop-jwt=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9" -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 497
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 There is no valid cookie found</title>
</head>
<body><h2>HTTP ERROR 401 There is no valid cookie found</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>There is no valid cookie found</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
3. Invalid cookie name (custom cookie name is not included this time)
curl -iku : --cookie "customCookieName=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9g" -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 443
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
4. Using custom cookie name (knox.token.cookie.name is included and set to 'customCookieName')
curl -iku : --cookie "customCookieName=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9g" -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:33:44 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MzIyNCwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6IjA4N2VmZGNjLTVhOWMtNDJjZC1hMDY1LWMwZGM1MmQ4MGQ4MSJ9.IkUPTxbjwnJpnt2Vo7t7ZfhiyX_5Edag5vtVnYrHPiuqcTgoIkLVp-eQI9IB-tS3Zh9FFpfH-qZ_0wupiWW7f-7m2zZApidF4KyFI_--W4gvGXJnFeLeDtR7YNSHtQEbJmqJFPJn1TD6YRmK_Z7hCT1LJm84x8QYwo1FsaXkk3XVgNlo6SpPiyvZjlYHQAHMaeFPHyAuWedinZjCMHr8dYp5Ck-wWPmmsPyIHC9jMKhVyLRiaYRVYg8Tl4LCXzCSFucWVHoR7ydtjrypV3-5HIdn7VU0HUEpE5UKiozhQx0IG6KYiYECq-xJ6F45oJlhx03SrZBlRI-zLO76UiMlNQ","token_id":"087efdcc-5a9c-42cd-a065-c0dc52d80d81","managed":"false","endpoint_public_cert":"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","token_type":"Bearer","expires_in":1661283224552
5. No cookie passed (expecting a JWT/Passcode token just like before my changes)
curl -iku : -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 443
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
6. Passing the JWT token without cookies
curl -iku Token:eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MzIyNCwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6IjA4N2VmZGNjLTVhOWMtNDJjZC1hMDY1LWMwZGM1MmQ4MGQ4MSJ9.IkUPTxbjwnJpnt2Vo7t7ZfhiyX_5Edag5vtVnYrHPiuqcTgoIkLVp-eQI9IB-tS3Zh9FFpfH-qZ_0wupiWW7f-7m2zZApidF4KyFI_--W4gvGXJnFeLeDtR7YNSHtQEbJmqJFPJn1TD6YRmK_Z7hCT1LJm84x8QYwo1FsaXkk3XVgNlo6SpPiyvZjlYHQAHMaeFPHyAuWedinZjCMHr8dYp5Ck-wWPmmsPyIHC9jMKhVyLRiaYRVYg8Tl4LCXzCSFucWVHoR7ydtjrypV3-5HIdn7VU0HUEpE5UKiozhQx0IG6KYiYECq-xJ6F45oJlhx03SrZBlRI-zLO76UiMlNQ -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:38:24 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4MzUwNCwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6IjA0Y2UzNzMyLTVmMWEtNDM3ZS05ZGE3LTQwMWE2NzViMTNiZiJ9.YHKpW5CXaxiZWA2vmlHeGGn6hvbiOnVepTb0CTbeB2xWAOwh9_HyRIL2dvKj-UMVIvjsuaE2zUohC77sqZYRGKNpHupC5ctp8ig8sTxabDlZlGe4rzxu7kBYmMIme0SUnm0iU3pHMhSMXUd9Z8_hLw5NCiYfoY75gEtwoCYRDb4eYI6V_6i_Z1WSm8M4J2-R5KxS5J8mgCbh7lnwMe8gWS2zIbRjb0nh4YFlVQkkMXcUGJwHpREEPeZtsQ2-JdvMeMFyc6DFEp4d36TkmpQk-BwbHCHVuAFJZ0fNEpRy4iBuKPrlnsPOpihphxPqf3GLsL-_WbSNhtPl7DIHTnDbRQ","token_id":"04ce3732-5f1a-437e-9da7-401a675b13bf","managed":"false","endpoint_public_cert":"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","token_type":"Bearer","expires_in":1661283504536}
7. Passing the Passcode token without cookies
curl -iku Passcode:TldVeVpUTTFPRFl0WlRrd01DMDBNV0U1TFRrd01UUXRNR00wT1RCaU16RmlOemxrOjpOakk1Wm1KbVlUUXRZakprT0MwME1qQTBMVGxsT1RjdFl6bG1NakJoWTJSbU1ERTM= -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 09:46:56 GMT
Content-Type: application/json
Content-Length: 2253
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuZXhjaGFuZ2VcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoidENnTFdVWW1WdDJacHlYSzVyVHRwOFg1S056Nk4zWGJfOU82VHRPeWlEdyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5leGNoYW5nZVwva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTY2MTI4NDAxNiwibWFuYWdlZC50b2tlbiI6ImZhbHNlIiwia25veC5pZCI6ImQ1YTk0Njg0LTM5NTctNGNiOC05MjZiLTRkZDE4ZGZiNDQ0OCJ9.Z1XV_mEQgWmN0xIcyS5Pru04YloCsqCHP3BDUcU1W_GxV87TLmmrSqZaJf3bx7DFMWPYbZp-OVBlkGQoyUZiQ_77KfJIN5cGbAKtKrmTNIuKPt1fG7YO4ZcWbIV6d8k7pZAZkogIw-N5BZSQifLCnKuFVScI1l-X1wQxETOt98fdsQH32AMfTRB4mnTy5iHEUcCMhfE43vuDM2bZk4v3TksSQ720Tjo7d72BlkKFRRmfD7Z4spVvnJrcPd4mZW-dX3cd4z3qjmt4jsO9cuw3NPJRPTz-pshVwEw5uWfpjOlMGG9X3npat_2qffQhsrxl-g4HZFuKkjemxbDkD1_9lQ","token_id":"d5a94684-3957-4cb8-926b-4dd18dfb4448","managed":"false","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIOD6cdHBctFAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTIyMDgyMzA5MjYwOFoXDTIzMDgyMzA5MjYwOFowXzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhhZG9vcDENMAsGA1UECxMEVGVzdDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjVGicpMnDjNlOgpmi8UM9eNlwiiECSLWbYXl7qEfZPknNb2KznOFJOopbiifqStw6AvEWCujCE4+0EBQlK+x7Q9/9v3/uUvrfTcNASw7OybAnGQXSJtCMJEAaxN8YHu9SxVh2XgdmpX+ZOpue4Ow6F2e+MW0uDD+gLFv/uBuoe96FBvtc7KGfH0OnXoNgKHK2bJfhpeV9W1E0SViVdmH0WcGUghfiA29aiKRCsV68MVU3qqBc6IoNe9lpTgqojHxLNR+AIcPugWQRB7Z2/Ep3cbCLQQkUlkqWKaONtDdwixjYM4HIo9Kih8+QkQd7TQ/GhZODfaN6V8zzK+dDNejswIDAQABozgwNjA0BgNVHREELTArghNzbW9sbmFyLU1CUDE2LmxvY2Fsgglsb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAebpUaoqmPv+TFA6LUf/6zfNemn0g0gIAqw0IJUokCEcKD8Hc281cwEfuIGn3mqbtaov1MRZm2Xf57dbCdq63Og2DxU/0U9E2nHGY7q7AvsFCg9rAFNjqjViH0i1Qbl3VAUZdAtOKT6ywh5
cSi2oWRxg2RxGnauTm21rk4Q9+bzUdpRKngDAA5Hjs24Msh9TaZmVCJyPh1DX6fAhgj3QOQhyNNEdH+X42PEG4TOYIsQK7MtVl6UfZzK5hd3NPymXiS+FhCrKbcWBT3vx4L6kpzkrcupF1BTEe4g5nX0nNK3SgXhQ7j2r7QSNQpqlzPYW49uKti8hlE718k4+bAEqgkQ==","token_type":"Bearer","expires_in":1661284016951}
8. Passing an invalid cookie and a valid Passcode
curl -iku Passcode:TldVeVpUTTFPRFl0WlRrd01DMDBNV0U1TFRrd01UUXRNR00wT1RCaU16RmlOemxrOjpOakk1Wm1KbVlUUXRZakprT0MwME1qQTBMVGxsT1RjdFl6bG1NakJoWTJSbU1ERTM= --cookie "customCookieName=eyJraWQiOiJ0Q2dMV1VZbVZ0MlpweVhLNXJUdHA4WDVLTno2TjNYYl85TzZUdE95aUR3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImtpZCI6InRDZ0xXVVltVnQyWnB5WEs1clR0cDhYNUtOejZOM1hiXzlPNlR0T3lpRHciLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNjYxMzMzMjA3LCJtYW5hZ2VkLnRva2VuIjoiZmFsc2UiLCJrbm94LmlkIjoiMTFjMDIyNWMtNTU5Zi00MTE2LWE3M2ItYjhhM2JmZGIwODA1In0.E1qoRKx50g6czHwGh3UVwqqNGpQS3sWckJAEAFQuqmC8LQG2ocrRx3NXgcyvlqjMpeRBMLYMflsUA_b_6lG9adHld-Dy_fhAKknNuZR82nj8jNkrFPPf55C6Uc3NshjK-N_yp_1NSEjN6HKI7UKMJX5oL3xDCYAhQhjFQga3EXDPdh1Rvo7RY0s-em3KHH-gT4UCdS_WT7u5mC2BKXI3o4a8yoAV0iFaIvdO4FPWxyIe4A_r9Vt0EiZezga3hvr8HPR3LRBWGpaW-4J-0KUTb2SsB6vXSuBTKxXns3jA2W8MDzb4cMm4LmIaaBt3H7npk7x-hljzNKhZdSFjb83z9" -X GET https://localhost:8443/gateway/tokenexchange/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 497
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 There is no valid cookie found</title>
</head>
<body><h2>HTTP ERROR 401 There is no valid cookie found</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenexchange/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>There is no valid cookie found</td></tr>
<tr><th>SERVLET:</th><td>tokenexchange-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
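A small model of the request handling that cases 1 to 8 above exercise, added here as an example; it is not Knox's code and not part of the pull request. It swaps the gateway's RS256 signatures for HMAC-SHA256 with a constructed key, treats the Token/Passcode credential as a second JWT, and the names `authenticate`, `token_valid` and `make_token` are hypothetical.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

KEY = b"constructed-demo-key"  # constructed; stands in for the gateway's signing key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(head: str, body: str) -> str:
    return b64u(hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())

def make_token(sub: str, exp: float) -> str:
    """Build a constructed test token (HS256 here, RS256 on the real gateway)."""
    head = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps({"sub": sub, "iss": "KNOXSSO", "exp": exp}).encode())
    return f"{head}.{body}.{sign(head, body)}"

def token_valid(token: str, now: float = None) -> bool:
    """Signature first, then expiry; any parse failure counts as invalid."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(head, body).encode(), sig.encode()):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims["exp"] > (now or time.time())
    except (ValueError, KeyError, TypeError):
        return False

def authenticate(cookie_header, header_token, use_cookie=True, cookie_name="hadoop-jwt"):
    """Return (status, message) in the order the eight manual cases show."""
    if use_cookie and cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if cookie_name in jar:
            if token_valid(jar[cookie_name].value):
                return 200, "OK"
            # Cases 2 and 8: a bad cookie is final; header credentials are not consulted.
            return 401, "There is no valid cookie found"
    # Cases 3, 5, 6, 7: no cookie under the configured name, so use the header path.
    if header_token and token_valid(header_token):
        return 200, "OK"
    return 401, "Unauthorized"
```

The two 401 messages separate the failure modes: "There is no valid cookie found" means a cookie with the configured name was present and rejected, while plain "Unauthorized" means the cookie path was never taken.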