guacamole-user mailing list archives

From carl harris <ceharris...@gmail.com>
Subject Re: How to get GuacamoleConfiguration from url?
Date Wed, 13 Dec 2017 11:23:45 GMT

> On Dec 12, 2017, at 3:21 PM, genesis <gguth@live.com> wrote:
> But after that, if I click on another URL:
> http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_2} with different
> GuacamoleConfiguration parameters, the browser will open another tab, but
> with the same connection of the first url, the same
> (/#/client/NzI0NwBjAG5vYXV0aA), this identifier should be different, because
> the id of the second connection is different.


In our application we tried doing something very similar -- putting a base64-encoded JWT into
the URL as either a parameter or additional URI path segment and using a simple extension
to process the URL -- and we had the same result. Instead we put the JWT into the browser
as a session cookie, and modified our extension to look for the cookie containing our token.
This worked for us.

I feel I'd be remiss if I didn't point out, for those reading along who might be interested
in doing something similar, it is really imperative with either of these approaches that you
carefully validate the authenticity of the token. JWTs used in this way must be signed and
signatures must be properly validated, and depending on what sorts of details you're including
in connection parameters, should probably be encrypted as well. Also, the signing and encryption
is worth nothing unless you're extremely careful about key management -- as an attacker, if
I can get your key(s), I can almost certainly make tokens for myself that will let me access
your resources via Guacamole.

carl



