Skip to content

KNOX-3217: Upgrade pac4j to 6.3.0 for JDK17 #1110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bonampak merged 8 commits into from
Dec 4, 2025
Merged

KNOX-3217: Upgrade pac4j to 6.3.0 for JDK17 #1110

bonampak merged 8 commits into from
Dec 4, 2025
+162 −130

Conversation

@bonampak
Copy link
Contributor

@bonampak bonampak commented Nov 24, 2025
edited
Loading

KNOX-3217 - Update pac4j-related libraries to the latest version available.

What changes were proposed in this pull request?

Update javaee-pac4j to 8.1.0, pac4j to 6.3.0 and opensaml to 5.1.6.

How was this patch tested?

Tested with auth0 OIDC client, SAML and OIDC with Keycloak. Tested OIDC and AzureAd2Client with Azure dev account.

@bonampak bonampak self-assigned this Nov 24, 2025
@bonampak bonampak changed the base branch from feature/jdk17_upgrade to master November 26, 2025 21:16
@bonampak bonampak marked this pull request as ready for review December 1, 2025 21:22
@bonampak
KNOX-3217: Upgrade pac4j for JDK17. Upgraded pac4j to 5.7.8 and javae…
4a5ecf4 
…e-pac4j to 7.1.0.

(Instead of the jee-pac4j artifact, javaee-pac4j needs to be used - then jakartaee-pac4j if we migrate to Jakarta).
Update opensaml to 4.2.0 and cryptacular to 1.2.5 (from pac4j-saml:5.7.8). Pin net.shibboleth.utilities:java-support to 8.3.1.
Fix KnoxSessionStore getSessionId and Pac4jIdentityAdapter removeProfiles call.
Corrected Pac4jProviderTest.
Pac4jSetCookieResponseWrapper.addCookie() is probably not needed anymore, pac4jcsrf is set in Set-Cookie header and is secure by default (goes through KnoxSessionStore).
@bonampak
KNOX-3217: fix missing net.shibboleth.utilities:java-support:8.3.1 fr…
92707e1 
…om Shibboleth maven repo. Updated shib-release maven repo URL.
@bonampak
KNOX-3217: Update javaee-pac4j to 8.1.0, pac4j to 6.3.0 and opensaml …
38920ac 
…to 5.1.6. Update cryptacular to 1.2.7 and xmlsec to 4.0.4.

org.pac4j.oidc.client.AzureAdClient was removed for AzureAd2Client; AzureAdOidcConfiguration to AzureAd2OidcConfiguration.
Pinned managed dependency versions for org.apache.httpcomponents.client5:httpclient5:5.4.3 and org.apache.httpcomponents.core5:5.3.6 should work:
org.pac4j:pac4j-saml:jar:6.3.0 would bring in org.apache.httpcomponents.client5:httpclient5:jar:5.3.1,
plus a dependency convergence error with org.apache.httpcomponents.core5:httpcore5:jar:5.2.5 and 5.2.4.
@bonampak
KNOX-3217: Also remove pac4jCsrfTokenExpirationDate and pac4jPrevious…
572677d 
…CsrfToken in logout.jsp (added in pac4j 5.0).
@bonampak
KNOX-3217: hibernate-core exclusion is not needed for opensaml-storag…
b4d5a24 
…e-impl.
@bonampak
KNOX-3217: remove managed dependency com.nimbusds:lang-tag:1.5 (will …
6935ec7 
…be 1.7, no dependency convergence issues). org.pac4j.pac4j-oidc:6.3.0 needs com.nimbusds:lang-tag:1.7.
@bonampak
KNOX-3217: Update nimbus-jose-jwt to 10.5 - dependency convergence - …
fac3bc8 
…org.nimbus-jose-jwt:10.5 is needed for org.pac4j:pac4j-oidc:6.3.0. org.apereo.cas.client:cas-client-core:4.0.4 would need nimbus-jose-jwt:9.37.3 and org.apache.hadoop:hadoop-auth:3.4.1 would need nimbus-jose-jwt:9.37.2.
moresandeep
moresandeep approved these changes Dec 4, 2025
View reviewed changes
Copy link
Contributor

@moresandeep moresandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I would suggest we test it with AzureAD2Client before merging.

@bonampak bonampak merged commit 6e52400 into apache:master Dec 4, 2025
1 check passed
@moresandeep
Copy link
Contributor

moresandeep commented Dec 4, 2025

@bonampak did you test it with AzureAD?

@bonampak
Copy link
Contributor Author

bonampak commented Dec 4, 2025

Yes I did.
Using these settings:

<provider>
            <role>federation</role>
            <name>pac4j</name>
            <enabled>true</enabled>
            <param>
                <name>pac4j.callbackUrl</name>
                <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
            <param>
                <name>clientName</name>
                <value>AzureAd2Client</value>
            </param>
            <param>
                <name>oidc.type</name>
                <value>azure</value>
            </param>
            <param>
                <name>oidc.id</name>
                <value>...</value>
            </param>
            <param>
                <name>oidc.secret</name>
                <value>...</value>
            </param>
            <param>
                <name>oidc.azure.tenant</name>
                <value>...</value>
            </param>
            <param>
                <name>oidc.discoveryUri</name>
                <value>https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration</value>
            </param>
            <param>
                <name>oidc.clientAuthenticationMethod</name>
                <value>client_secret_basic</value>
            </param>
            <param>
                <name>oidc.preferredJwsAlgorithm</name>
                <value>RS256</value>
            </param>
        </provider>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@moresandeep moresandeep moresandeep approved these changes

@hanicz hanicz Awaiting requested review from hanicz

@pzampino pzampino Awaiting requested review from pzampino

@smolnar82 smolnar82 Awaiting requested review from smolnar82

Assignees

@bonampak bonampak

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bonampak @moresandeep