The usecase here is described as an application that is:

  1. Proxied via KnoxGateway (service def for webapp required)
  2. Leveraging KnoxSSO (either natively or via SSOCookieProvider in Knox topology)
  3. Web App backend makes hadoop API calls through Knox using KnoxSSO cookie (will require topology with SSOCookieProvider)

As long as the KnoxSSO cookie is valid it can be replayed by the backend for API calls.

There may be a window where the cookie is valid for the request to the webapp but not by the time it gets to the API call in the backend.

We will need to be able to react to a redirect in that case.

Alternatively, you could leverage KnoxToken service to exchange the KnoxSSO cookie for a JWT token with associated metadata and manage that token in the application session.

Requesting a new token prior to expiration.

This would require another topology that was protected by the JWTProvider rather than the SSOCookieProvider and that you send the token as a bearer token to the API calls rather than a cookie.

  Browser Browser KnoxGateway KnoxGateway SSOCookieProvider SSOCookieProvider KnoxSSO KnoxSSO Dispatch Dispatch WebApp WebApp WebHDFS WebHDFS 1. requestWebApp 2. checkForCookie 3. redirectToKnoxSSO 4. determineIdP 5. challengeForAuthn 6. authenticate 7. redirectToKnoxGateway 8. requestWebApp(cookie) 9. checkForCookie 10. continueToWebApp 11. dispatchToWebApp 12. getWebAppPage(cookie, user.name|doas) 13. requestWebHDFS(cookie|bearerToken) 14. checkForCookieOrBearerToken 15. continueToWebHDFS 16. dispatchToWebHDFS 17. getWebHDFS(cookie, user.name|doas) 18. WebHDFSResponse 19. WebHDFSResponse 20. getWebAppPageResponse 21. renderPage