guacamole-user mailing list archives

From Justin Gauthier <jus...@justin-tech.com>
Subject Re: OpenID-Connect HTTP 500
Date Fri, 09 Feb 2018 04:45:03 GMT
I should also note that when in the redirect loop, I can see that the
usual URL of https://guacamole.justin-tech.com/#/ is showing as both
https://guacamole.justin-tech.com/#session. and
https://guacamole.justin-tech.com/#/session.

Thanks again,

Justin

On Thu, 2018-02-08 at 23:37 -0500, Justin Gauthier wrote:
> I have been able to get the redirect from Guacamole to Keycloak to
> work, however, once I login to keycloak, and get redirected back to
> Guacamole, I get put into a redirect loop. It does not look like
> Guacamole is reading the id_token from the URL, and this is causing it
> to report invalid credentials, and refreshing.
> 
> In nginx I see the following in the access log:
> 
> 10.0.1.203 - - [08/Feb/2018:23:14:51 -0500] "GET /auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=a7tk6oajbm14p4aa5icuad0c60 HTTP
> 
> 
> With each refresh it is getting a new nonce token.
> 
> Additionally, I can see the id_token in the Guacamole URL, as well as a
> session state and not-before-policy.
> 
> In the POST to https://guacamole.justin-tech.com/api/tokens, I am
> seeing an Invalid login response, with key: invalid login.
> 
> It is expecting name: id_token, type: GUAC_OPENID_TOKEN, and an
> authorizationURI: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho, type:
> INVALID_CREDENTIALS.
> 
> The response payload is:
> 
> {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
> 
> I also see a GET for
> https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
> 
> I am seeing the following in the localhost_access_logs:
> 
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "GET /guacamole/api/patches HTTP/1.1" 200 352
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "POST /guacamole/api/tokens HTTP/1.1" 403 477
> 
> and here are the logs from catalina.log
> 
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/blob-polyfill/1.0.20150320/Blob.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/filesaver/1.3.3/FileSaver.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-module-shim/0.0.4/angular-module-shim.js
> 
> Other than the redirect loop, I am not seeing any errors in any of the
> log files, other than the 403, which I believe to be caused by not
> reading the id_token from the URL.
> 
> 
> Note that according to the .well-known/openid-configuration file,
> scopes supported are "openid" and "offline_access", whereas the docs
> seem to indicate that the scope should be at least "openid profile",
> with a default of "openid email profile". I have tried changing
> openid-scope to "openid" and "openid profile".
> 
> These are my current guacamole.properties settings:
> 
> # OpenID-connect
> openid-authorization-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth
> openid-jwks-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/certs
> openid-issuer: https://keycloak.justin-tech.com/auth/realms/Justin-Tech
> openid-client-id: guacamole
> openid-redirect-uri: https://guacamole.justin-tech.com/
> 
> 
> I have also tried openid-redirect-uri without the trailing "/".
> 
> 
> Please let me know if there is any other information needed, if I left
> it out.
> 
> Thanks,
> 
> Justin
> 
> 
> On Thu, 2018-02-08 at 17:57 +0000, Justin Gauthier wrote:
> > Nick,
> > 
> > I have completed that step, however now I am in a redirect loop.
> > 
> > Once I get home I’ll take a look at the logs and provide that
> > information.
> > 
> > Thanks for the help,
> > 
> > Justin
> > 
> > From: Nick Couchman <vnick@apache.org>
> > Sent: Thursday, February 8, 2018 11:27:05 AM
> > To: user@guacamole.apache.org
> > Subject: Re: OpenID-Connect HTTP 500
> >  
> > On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <justin@justin-tech.com> wrote:
> > > Hello everyone,
> > > 
> > > I have discovered that I had the openid-redirect-uri incorrectly
> > > specified. That issue has now been resolved, and I get a login
> > > screen now.
> > > 
> > > Now, when I get that login screen, I can login with credentials
> > > stored in the postgres database, but I do not get redirected to
> > > Keycloak. I see a 403 message with the following information:
> > > 
> > > {"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
> > > 
> > > My understanding is that Guacamole should be redirecting me to
> > > Keycloak to authenticate, and then I should be redirected back to
> > > Guacamole with the authentication token, and it would not ask for
> > > the username and password?
> > > 
> > 
> > Justin,
> > Authentication extensions are loaded in alphabetical order, which
> > means the OpenID extension is being loaded (and evaluated) after the
> > JDBC extension.  I suggest that you rename the OpenID extension to
> > something that will force it to load first - when I do this with
> > modules, I usually prefix a number on to them.  For example, in the
> > GUACAMOLE_HOME/extensions folder, instead of installing it as
> > "guacamole-auth-openid-0.9.14.jar", install it as
> > "guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will
> > cause it to be loaded and evaluated prior to the -jdbc JAR, and
> > perhaps allow the redirect to happen properly.
> > 
> > Regards,
> > Nick 
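The id_token-in-fragment flow described in this thread, as an added example that is not Guacamole's or Keycloak's code: it parses the parameters Keycloak appends to the redirect URI fragment (session_state, id_token, not-before-policy) and applies the nonce, issuer, audience and expiry checks a relying party needs before trusting the token. Hostnames, token contents and the helper names are assumptions.

```javascript
// Added example (not Guacamole/Keycloak code): handle an OpenID Connect
// implicit-flow response (response_type=id_token) delivered in the URL
// fragment, e.g. https://guacamole.example/#session_state=...&id_token=...
// Hostnames and token contents are constructed for the example.

function parseFragmentParams(url) {
  const hash = url.indexOf('#');
  if (hash < 0) return {};
  // The app's own routes look like "#/..."; drop an optional leading "/"
  const frag = url.slice(hash + 1).replace(/^\//, '');
  const params = {};
  for (const pair of frag.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return params;
}

// Decode the JWT payload only. The signature is NOT checked here; the server
// side must verify it against the provider's JWKS (openid-jwks-endpoint).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// expected = { nonce, issuer, clientId, now (unix seconds) }
function checkIdToken(url, expected) {
  const params = parseFragmentParams(url);
  if (!params.id_token) return { ok: false, reason: 'no id_token in fragment' };
  const claims = decodeJwtPayload(params.id_token);
  if (claims.nonce !== expected.nonce) return { ok: false, reason: 'nonce mismatch' };
  if (claims.iss !== expected.issuer) return { ok: false, reason: 'issuer mismatch' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) return { ok: false, reason: 'audience mismatch' };
  if (typeof claims.exp !== 'number' || claims.exp <= expected.now) return { ok: false, reason: 'token expired' };
  return { ok: true, claims };
}

// Constructed, unsigned test token (placeholder signature) to exercise the checks offline.
function makeTestToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.PLACEHOLDER_SIGNATURE`;
}
```

A "no id_token in fragment" result on the post-login URL is the condition that produces the loop described above: the client falls back to the login prompt and re-requests a fresh nonce.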