From: "Michael Jumper (JIRA)"
To: commits@guacamole.incubator.apache.org
Date: Sun, 19 Feb 2017 04:47:44 +0000 (UTC)
Subject: [jira] [Assigned] (GUACAMOLE-210) OAuth2 authentication plugin

[ https://issues.apache.org/jira/browse/GUACAMOLE-210?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Jumper reassigned GUACAMOLE-210:
----------------------------------------

    Assignee: Michael Jumper

> OAuth2 authentication plugin
> ----------------------------
>
>                 Key: GUACAMOLE-210
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-210
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from [GUAC-1485|https://glyptodon.org/jira/browse/GUAC-1485], an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance *have not been copied* and can be found instead at the original issue.
> {panel}
> It would be nice if Guacamole had an OAuth2 authentication plugin.
> OAuth2 is widespread in web technologies and Guacamole deserves to have its implementation of the protocol.
> My company had this use case and for now we are using a custom authentication plugin because implementing a generic OAuth2-compatible Guacamole authentication plugin presents some difficulties.
> h1. RedirectURI doesn't work because of Angular anchor system
> OAuth2 requires clients (Guacamole in our case) to register a redirect URI so that the OAuth2 server can call back the application when the user has been identified (or rejected) on its side. It also passes along some information like tokens or the reason for failure as part of the URL. If we set the Guacamole index URL as the redirect URI then this data never gets passed along to the authentication plugin.
> Such a redirect URI cannot contain any pound sign (#) because this sign in a URI is a delimiter after which data is not sent to the server on an HTTP request. In the case of Guacamole, the Angular frontend uses those local URI data to determine which page to display.
> Angular behavior cannot be easily turned off and doing so would lead to heavier code changes and incompatibility with older browsers.
> h1. Retrieving the connection list on authentication
> The connection list is retrieved at user login. It doesn't make sense to expect the OAuth server to give such a list as it would not be generic enough.
> Fortunately, connection lists get merged between authentication plugins and this OAuth plugin could be paired with another one whose goal would just be to provide the connection list.
> h1. Token invalidation
> Upon a successful authentication, the OAuth2 server will issue an auth token.
> First, this token needs to be invalidated by Guacamole when the user explicitly disconnects.
> Second, there is no way for Guacamole to know if a stored auth token is still valid, leaving the user free to keep on using their Guacamole session even though the token has expired.
> I am just leaving these thoughts here so the Guacamole community could start a discussion on this matter.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
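As an added illustration (not code from the issue or from the Guacamole project), the following Python models the three points the quoted description raises: RFC 6749 section 3.1.2's rule that a registered redirect URI must be absolute and carry no fragment, the HTTP rule that a browser never sends the fragment so any parameters placed after `#` never reach the server, and server-side expiry bookkeeping so a session cannot outlive the token it was created from. All function and class names and the sample URLs are hypothetical.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


def check_redirect_uri(uri: str) -> List[str]:
    """Problems with a redirect URI under RFC 6749 section 3.1.2:
    it must be an absolute URI and must not include a fragment."""
    parts = urlsplit(uri)
    problems = []
    if not parts.scheme or not parts.netloc:
        problems.append("redirect URI must be absolute")
    if parts.fragment or uri.endswith("#"):
        problems.append("redirect URI must not contain a fragment (#)")
    return problems


def server_visible(url: str) -> Dict[str, Dict[str, List[str]]]:
    """Split the URL the browser lands on after the OAuth2 redirect into
    what the HTTP request carries (the query) and what stays purely
    client-side (the fragment). Anything in the fragment is invisible
    to a server-side authentication plugin."""
    parts = urlsplit(url)
    return {
        "sent_to_server": parse_qs(parts.query),
        "kept_by_browser": parse_qs(parts.fragment),
    }


class TokenSession:
    """Constructed session record that ties a web-app session to the
    OAuth2 token response it came from, so the session expires with
    the token instead of living on after it."""

    def __init__(self, token_response: dict, now: float):
        self.access_token = token_response["access_token"]
        # expires_in is seconds from issue time (RFC 6749 section 5.1)
        self.expires_at = now + int(token_response.get("expires_in", 0))
        self.revoked = False

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at

    def logout(self) -> None:
        """Explicit disconnect: forget the token locally. If the
        provider offers a revocation endpoint (RFC 7009), call it too."""
        self.revoked = True
        self.access_token = None
```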