The use case here is described as an application that is:
As long as the KnoxSSO cookie is valid, it can be replayed by the backend for API calls.
There may be a window in which the cookie is still valid for the request to the web app but has expired by the time the backend makes the API call.
We will need to be able to react to a redirect in that case.
Alternatively, you could leverage the KnoxToken service to exchange the KnoxSSO cookie for a JWT token with associated metadata and manage that token in the application session, requesting a new token prior to expiration.
This would require another topology that is protected by the JWTProvider rather than the SSOCookieProvider, and that you send the token as a bearer token on the API calls rather than as a cookie.
@startuml
Browser -> KnoxGateway: 1. requestWebApp
KnoxGateway -> SSOCookieProvider: 2. checkForCookie
SSOCookieProvider -> Browser: 3. redirectToKnoxSSO
Browser -> KnoxSSO: 4. determineIdP
KnoxSSO -> Browser: 5. challengeForAuthn
Browser -> KnoxSSO: 6. authenticate
KnoxSSO -> Browser: 7. redirectToKnoxGateway
Browser -> KnoxGateway: 8. requestWebApp(cookie)
KnoxGateway -> SSOCookieProvider: 9. checkForCookie
SSOCookieProvider -> KnoxGateway: 10. continueToWebApp
KnoxGateway -> Dispatch: 11. dispatchToWebApp
Dispatch -> WebApp: 12. getWebAppPage(cookie, user.name|doas)
WebApp -> KnoxGateway: 13. requestWebHDFS(cookie|bearerToken)
KnoxGateway -> SSOCookieProvider: 14. checkForCookieOrBearerToken
SSOCookieProvider -> KnoxGateway: 15. continueToWebHDFS
KnoxGateway -> Dispatch: 16. dispatchToWebHDFS
Dispatch -> WebHDFS: 17. getWebHDFS(cookie, user.name|doas)
WebHDFS -> KnoxGateway: 18. WebHDFSResponse
KnoxGateway -> WebApp: 19. WebHDFSResponse
WebApp -> KnoxGateway: 20. getWebAppPageResponse
KnoxGateway -> Browser: 21. renderPage
@enduml
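The two concerns above, the cookie expiring between step 12 and step 13 and the choice between replaying the cookie or sending a bearer token, can be handled in the web app backend as in this added example (it is not Knox's own code). It assumes the default KnoxSSO cookie name hadoop-jwt, that an expired cookie shows up as a redirect whose Location points at the KnoxSSO endpoint, and that a JWTProvider-protected topology answers an invalid bearer token with 401; the sample token is constructed and unsigned.

```python
import base64
import json
import time

KNOXSSO_COOKIE = "hadoop-jwt"   # assumed default KnoxSSO cookie name
RENEW_SKEW_SECONDS = 60         # renew this long before the exp claim


def jwt_exp(token):
    """Read the exp claim (epoch seconds) from a JWT without verifying it.
    Signature checks are the gateway's job; the backend only needs the
    expiry to decide when to ask KnoxToken for a fresh token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def needs_renewal(token, now=None, skew=RENEW_SKEW_SECONDS):
    """True when the token is inside the window where it may still be accepted
    for the web app request but not for the later API call."""
    now = time.time() if now is None else now
    return jwt_exp(token) - now <= skew


def classify_backend_response(status, headers):
    """Map the gateway's reply to step 13 onto an action for the web app:
    'ok', 'reauth' (cookie/token no longer valid) or 'error'."""
    location = headers.get("Location", "").lower()
    if status == 302 and "knoxsso" in location:  # SSOCookieProvider redirect
        return "reauth"
    if status == 401:                            # assumed JWTProvider reply
        return "reauth"
    if 200 <= status < 300:
        return "ok"
    return "error"


def build_api_headers(token, use_bearer):
    """Headers for the WebHDFS call: replay the cookie against an
    SSOCookieProvider topology, or send a bearer token to a JWTProvider one."""
    if use_bearer:
        return {"Authorization": "Bearer " + token}
    return {"Cookie": f"{KNOXSSO_COOKIE}={token}"}


def make_sample_token(exp):
    """Constructed, unsigned JWT used only to exercise the helpers offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "RS256"}) + "." + b64({"sub": "guest", "exp": exp}) + ".sig"
```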