Knox as OIDC Provider by smolnar82 · Pull Request #1215 · apache/knox

smolnar82 · 2026-04-27T09:29:43Z

What changes were proposed in this pull request?

Knox becomes an OIDC Provider itself. Until this change it was participating OIDC flows as a Service Provider only through the pac4j federation filter.
This PR is driven by KIP-18.

How was this patch tested?

Manually tested the

client credentials flow
authorization code flow
- purely from Knox
- through federation (using KeyCloak and Auth0)
- with PKCE

Integration Tests

Added Docker-based integration tests that cover the flows described above.

UI changes

The login page has been updated in a way such that it lists all pre-configured federated OPs, if any.

github-actions · 2026-04-27T09:49:26Z

Test Results

27 tests 27 ✅ 3s ⏱️
1 suites 0 💤
1 files 0 ❌

Results for commit 2ba32fa.

♻️ This comment has been updated with latest results.

…ing (apache#1216)

apache#1217) * KNOX-3311: Fix X509CertificateUtil.fetchPublicCertsFromServer issue where default truststore can't be loaded due to invalid/missing password * KNOX-3311: Added unit tests

…escriptors (apache#1220)

* KNOX-3315: Adds BCFKS as an option cert export * KNOX-3315: Address review comments

apache#1219) KNOX-3312 - Client Credentials Flow with HTTP Basic needs Unwrapped Servlet Request

…ICEBERG-REST (apache#1225)

…pache#1229)

…ineshkumar Yadav <dineshkumar.yadav@outlook.com>) (apache#1230)

…'s recent changes

…IDF is present in any topology

… CI/Dev workflows

smolnar82 · 2026-05-15T12:32:26Z

As part of this PR I modified the Docker-based test orchestration as well, I'll update the README.md later on...

 I have unified the Docker build process and streamlined the CI workflow.

  Key Changes:
   1. Unified Dockerfile: I've updated .github/workflows/build/Dockerfile to be the single source of truth. It now handles the extraction of pre-built Knox and KnoxShell tarballs from the target directory.
   2. Simplified Docker Compose: .github/workflows/compose/docker-compose.yml now uses the project root as its context and points to the unified Dockerfile. I also removed the redundant knox-dev-local service.
   3. Cleaner CI Workflow: In .github/workflows/tests.yml, I removed the manual "Extract Artifacts" step and the unnecessary environment variables (KNOX_URL, BRANCH). The Docker build now directly consumes the artifacts produced by the Maven
      step.
   4. Removed Redundancy: I deleted Dockerfile.local as it is no longer needed.

  The local workflow is now perfectly aligned with the CI:
   1. Run mvn clean install -DskipTests -Ppackage (or similar) on your host.
   2. Run docker compose build knox-dev in .github/workflows/compose/.
   3. The Docker build will be extremely fast as it just copies and extracts your local artifacts.

Now the tests are completed in 5 mins as opposed to the previous 17-18 mins rounds.

Cc. @moresandeep @hanicz (wrt. KNOX-3256)

smolnar82 requested review from bonampak, hanicz, moresandeep and pzampino April 27, 2026 09:30

smolnar82 self-assigned this Apr 27, 2026

smolnar82 added the KnoxIDF label Apr 27, 2026

smolnar82 marked this pull request as draft April 27, 2026 09:32

KNOX-3310: Fix redundant ALIAS_PASSPHRASE assignment and improve logg…

762593a

…ing (apache#1216)

smolnar82 force-pushed the knox_idf_smolnar branch from be983fe to 8a46369 Compare April 29, 2026 10:36

KNOX-3311: Fix X509CertificateUtil.fetchPublicCertsFromServer issue w… (

4f94d95

apache#1217) * KNOX-3311: Fix X509CertificateUtil.fetchPublicCertsFromServer issue where default truststore can't be loaded due to invalid/missing password * KNOX-3311: Added unit tests

smolnar82 force-pushed the knox_idf_smolnar branch from 8a46369 to b72fcfd Compare May 5, 2026 11:17

KNOX-3314: Ensure secure length for encryptQueryString generated by d…

37fbbde

…escriptors (apache#1220)

smolnar82 force-pushed the knox_idf_smolnar branch 2 times, most recently from 7f07a3f to 2bb7979 Compare May 5, 2026 14:32

KNOX-3315: Adds BCFKS as an option cert export (apache#1221)

df17516

* KNOX-3315: Adds BCFKS as an option cert export * KNOX-3315: Address review comments

smolnar82 force-pushed the knox_idf_smolnar branch from 2bb7979 to 8a12ee4 Compare May 6, 2026 12:42

KNOX-3312 - Client Credentials Flow with HTTP Basic needs Unwrapped S… (

fb70788

apache#1219) KNOX-3312 - Client Credentials Flow with HTTP Basic needs Unwrapped Servlet Request

smolnar82 marked this pull request as ready for review May 6, 2026 14:38

smolnar82 and others added 11 commits May 8, 2026 12:04

KNOX-3317: Fixed NPE when no token-metadata-headers are declared for …

7b5e518

…ICEBERG-REST (apache#1225)

KNOX-3321 - KnoxToken Support for RFC 8693 Token Exchange act Claim (a…

f546084

…pache#1229)

KNOX-3319 : Ranger REST API not fully implemented in cdp-proxy-api (D…

96cd8f6

…ineshkumar Yadav <dineshkumar.yadav@outlook.com>) (apache#1230)

KnoxIDF - Initial commit

84f550c

KnoxIDF - multi OP support

540dfe1

KnoxIDF - make token endpoint configurable during discovery

790c808

KnoxIDF - Code cleanup and bug fixes

353144d

KnoxIDF - Multi OP enablement improvements and code adoption to Larry…

8efe393

…'s recent changes

KnoxIDF - code cleanup, round 2

56027d1

Removed unused imports

6c2b12d

KnoxIDF - Add REFRESH_TOKEN support

af3d55e

smolnar82 added 4 commits May 15, 2026 07:45

KnoxIDF - Automatically enable JdbcFederatedIdentityService when Knox…

b6c9609

…IDF is present in any topology

KnoxIDF - Added Docker-based integration tests

5a90627

KnoxIDF - Fix Docker-based test results publishing

f6ac966

KnoxIDF - Fix Docker-based test results publishing; round 2

c1b243a

smolnar82 force-pushed the knox_idf_smolnar branch from bd92451 to c1b243a Compare May 15, 2026 05:45

smolnar82 added 4 commits May 15, 2026 09:20

KnoxIDF: configurable user params provider (only LDAP for now)

cfdb016

KnoxIDF: add support for auth code flow with PKCE

824a9c5

KnoxIDF: fix an issue with the empty user params provider implementation

0fb341c

KnoxIDF: Refactor Docker build to use local Maven artifacts and unify…

dfaf896

… CI/Dev workflows

KnoxIDF: Use constants wherever possible

96e5dbe

smolnar82 changed the title ~~Knox IDF - First steps~~ Knox as OIDC Provider May 15, 2026

CheckStyle issue fixed

2ba32fa

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Knox as OIDC Provider#1215

Knox as OIDC Provider#1215
smolnar82 wants to merge 26 commits into
apache:knox_idffrom
smolnar82:knox_idf_smolnar

smolnar82 commented Apr 27, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 27, 2026 •

edited

Loading

Uh oh!

smolnar82 commented May 15, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

smolnar82 commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What changes were proposed in this pull request?

How was this patch tested?

Integration Tests

UI changes

Uh oh!

github-actions Bot commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Results

Uh oh!

smolnar82 commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

smolnar82 commented Apr 27, 2026 •

edited

Loading

github-actions Bot commented Apr 27, 2026 •

edited

Loading

smolnar82 commented May 15, 2026 •

edited

Loading