guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: External link to a connection
Date Wed, 25 May 2016 19:05:41 GMT
On Tue, May 24, 2016 at 11:51 PM, Iker Ibarguren Berasaluze <> wrote:

> Hi,
> We have an intranet where I want to print the direct url to a connection
> for a user. I mean, if in my intranet I´m reading user1 profile, I want to
> append a button witch can be clicked in order to control this machine
> directly. I tried accessing guacamole mysql data but there is no the
> necesary info to get the url.
> Is there any way to do this?

The necessary information is indeed there - you just need to know how to
generate the URL. The base64 bit after ".../guacamole/client/" in the URL
of a connection is built from the following information:

1. The connection identifier (in MySQL / PostgreSQL, this will be the
connection ID)
2. The type ("c" for connections and "g" for balancing groups)
3. The identifier of the auth provider storing the connection data (usually
"postgresql", "mysql", or "ldap" - in your case the correct value would be

Each of these components separated from the other by a single NULL
character (U+0000), with the resulting string encoded with base64.

For example, "NQBjAHBvc3RncmVzcWw=", a valid base64 string taken from an
actual Guacamole deployment, decodes to:

    $ echo 'NQBjAHBvc3RncmVzcWw=' | base64 -d | xxd
    0000000: 3500 6300 706f 7374 6772 6573 716c       5.c.postgresql

"5" being the connection identifier, "c" indicating that this is a
connection and not a group, and "postgresql" representing the auth provider
(PostgreSQL). Within the Guacamole web application, this string is
generated within JavaScript by the "ClientIdentifier" class using
"ClientIdentifier.toString()" function:

The base64 identifier actually only has meaning to the JavaScript code - it
is decoded and parsed out into its individual components prior to making
the request to open the tunnel, at which point these values are included as
normal HTTP parameters:

The easiest way to obtain this string would be to simply copy it from the
URL of the connection from within the Guacamole interface, but you can also
use the above algorithm to generate it yourself.

Note that this does not bypass authentication - the users will still need
to authenticate with Guacamole to gain access to any connection, even if
they know the URL ahead of time.

If you would rather that users login to your existing application only, the
proper way to achieve this is to integrate Guacamole into that application
using an extension (such that Guacamole can validate the user's
authenticated status and pull their data, without prompting them again for
credentials). Avoid the temptation to disable Guacamole's authentication
entirely; it may seem simpler, but it is an EXTREMELY bad idea.

Hope this helps,

- Mike

View raw message