Dear all,
we combined the Knowage-Login with Keyrock (https://catalogue.fiware.org/enablers/identity-management-keyrock) and while there is a guide on how to do that (https://github.com/KnowageLabs/Knowage-Server/tree/master/doc/admin#configuration-with-the-idm---keyrock) we found that guide rather outdated and would therefore like to document our findings (and bugs we stumbled upon).
1) Keyrock itself was rather easy to set up. We used our existing reverse proxy setup (see the other thread for details) and we basically only had to take care of the hostname (choose the one that your users should use) and port (use the one Keyrock should actually bind to).
2) When we set up Knowage as an application inside Keyrock and then tried to configure the respective settings inside Knowage, we found our first problem: the tutorial says, you should give the full path to your application as the callback URL. That URL must also be put into Knowage's configuration (it/eng/spagobi/security/OAuth2/configs.properties in knowage-utils-6.1.1.jar).
The problem: when we used the full address (as told in the tutorial and like this: https://bi.telocate.de/knowage/servlet/AdapterHTTP?PAGE=LoginPage&NEW_SESSION=TRUE) then it seemed that Knowage didn't properly URI-encode the string, leading to a confusion of Knowage as it interpreted the &NEW_SESSION=TRUE as a new parameter (instead of part of the URI). It then would complain about mismatching addresses and stop the login process. We played around with pre-encoding the URL in the configuration file (didn't work for obvious reasons) but eventually removed the &NEW_SESSION=TRUE-part, which - luckily - worked.
3) We created the roles as given in the tutorial (/spagobi/user and /spagobi/admin). This didn't help at all. In fact, we had to delete those roles and create another role called "ADMIN". We then assigned the role "purchaser" to our customers and "ADMIN" to our administrative users (which seems like the only combination that actually works) (it's also not enough to assign the ADMIN-role to the company but really has to be assigned to the respective user for unknown reasons, but this might be something in Keyrock). This alone took us about 3 hours, since Knowage would fail with a blank page if configured improperly and even the log file would not yield too helpful messages (at least from a user/admin perspective):
[http-bio-8080-exec-10] 20 Apr 2018 20:34:23,210 ERROR it.eng.spagobi.commons.dao.UserFunctionalityDAO.readUserFunctionality:102 - No Product Types found for the user!!!
[http-bio-8080-exec-10] 20 Apr 2018 20:34:23,211 ERROR it.eng.spagobi.commons.utilities.UserUtilities.readFunctionalityByRole:709 - Exception
it.eng.spago.error.EMFUserError: severity [ERROR] description [Generic Error]
at it.eng.spagobi.commons.dao.UserFunctionalityDAO.readUserFunctionality(UserFunctionalityDAO.java:103)
We also had to change the way Keyrock works before getting this far, since Keyrock's response would be sent with HTTP code 201 when logging in - but Knowage strictly requires code 200. (I guess it should accept 2xx-codes here, instead.)
Another confusing thing: although the role ADMIN works, another role named "USER" would yield the white page again. We're not sure why, so some feedback on how to correctly create roles would be helpful. Also, one or two error messages to the user - instead of a blank page - would be greatly appreciated :-) .
In case someone tries to reproduce this: we might have found a bug in Keyrock with empty state-variables; please keep an eye on https://github.com/oauthjs/node-oauth2-server/issues/487 . And if it's not a bug in Keyrock ... it might be one in Knowage ;-) .
TLDR: The tutorial on Knowage with Keyrock (as linked above) is rather outdated. A new one (as well as one or two changes in the code) would be very helpful. :-)
Thanks
Sebastian
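
The callback mismatch from point 2, as an added example (not part of the original post, and not Knowage or Keyrock code). It assumes the callback was placed into the authorization request without percent-encoding, as the post suspects, and uses a placeholder IdP host, client id and state value.

```javascript
// Added illustration; not code from Knowage or Keyrock.
// CALLBACK is the URL quoted in the post; AUTHORIZE, the client id and the
// state value are constructed placeholders.
const CALLBACK =
  'https://bi.telocate.de/knowage/servlet/AdapterHTTP?PAGE=LoginPage&NEW_SESSION=TRUE';
const AUTHORIZE = 'https://idm.example.org/oauth2/authorize';
const OAUTH_PARAMS = ['response_type', 'client_id', 'redirect_uri', 'state'];

// Plain concatenation: the '&' inside the callback ends the redirect_uri value.
function buildUnencoded(clientId, redirectUri, state) {
  return `${AUTHORIZE}?response_type=code&client_id=${clientId}` +
    `&redirect_uri=${redirectUri}&state=${state}`;
}

// URLSearchParams percent-encodes every value, so '?', '=' and '&' inside the
// callback travel as data instead of as query-string delimiters.
function buildEncoded(clientId, redirectUri, state) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  });
  return `${AUTHORIZE}?${params}`;
}

// What the receiving side sees after parsing the query string, and whether an
// exact comparison against the registered callback would pass.
function serverView(requestUrl, registeredCallback) {
  const query = new URL(requestUrl).searchParams;
  const received = query.get('redirect_uri');
  return {
    received,
    strayParams: [...query.keys()].filter((k) => !OAUTH_PARAMS.includes(k)),
    matches: received === registeredCallback,
  };
}

const unencoded = serverView(buildUnencoded('knowage', CALLBACK, 'xyz123'), CALLBACK);
const encoded = serverView(buildEncoded('knowage', CALLBACK, 'xyz123'), CALLBACK);
console.log('unencoded:', unencoded);
console.log('encoded:  ', encoded);
```

In the unencoded case the receiver sees a truncated redirect_uri plus a stray NEW_SESSION parameter, which is the kind of mismatch that strict callback comparison rejects.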