guacamole-user mailing list archives

From Justin Gauthier <jus...@justin-tech.com>
Subject Re: Re: OpenID-Connect HTTP 500
Date Sun, 11 Feb 2018 22:04:03 GMT
Hello JP,
Thanks for the response.
After looking at https://guacamole.apache.org/doc/gug/openid-auth.html,
and the .well-known/openid-configuration section of keycloak, it
appears that keycloak does not support a scope of "openid email
profile", or even "openid profile". I have changed the 'openid-scope'
section in guacamole.properties, and it is still not working. Also in
that section, regarding 'openid-username-claim-type', I can see that
claims_supported include both email and preferred_username. Setting
'openid-username-claim-type' to either of those does not work.
I have also noticed that there is a GET request for
https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]
I then see the POST a short while later with the following response
payload:
{"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]"}],"type":"INVALID_CREDENTIALS"}
It is odd that I can see the ID_TOKEN and other parameters in the URL,
however I do not see that information in the dev tools.
The link I see in the URL is:
https://guacamole.justin-tech.com/#session_state=659548d0-bb82-4aea-b547-1f9374e519bd&id_token=[TOKEN]&not-before-policy=1518383231
One thing I am not sure about is, the URL used to access guacamole is
https://guacamole.justin-tech.com/#/ however, the token is returned to
https://guacamole.justin-tech.com/#session_state ... I am not sure if
this is the correct behavior.
Additionally, in my nginx proxy, I have the following configuration:
upstream guacamole {
  server guacamole01.corp.justin-tech.com:8080;
}

server {
    listen 443 ssl;
    server_name guacamole.justin-tech.com;
    ssl on;

    # Remember to comment these out if you need to change their defaults
    include snippets/ssl-defaults.conf;

    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
#    access_log off;
    proxy_pass_request_headers on;
    proxy_set_header Host $host;

    location / {
      proxy_pass http://guacamole/guacamole/;
    }

    ssl_certificate /etc/letsencrypt/live/justin-tech.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/justin-tech.com/privkey.pem; # managed by Certbot

}
Note the trailing slash on the end of the proxy_pass. Without this, I
am unable to load guacamole at all. Also note that if I remove the
/guacamole/ from proxy_pass, and adjust the redirect URLs accordingly,
I get the same problem where the /#session_state is happening.
It is my understanding that the use of the "#" symbol in URLs can cause
problems because the information after the "#" is not forwarded.
This could explain why it appears that Guacamole is not seeing this
information, even though I can see it in the URL. Is there any way to
get nginx to pass this information along to the backend server?
Also, I tried looking at the logs, but could not see anything
indicating that there was a token or anything passed back to guacamole.
Which log file should I be looking in for that? I also followed
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
and added the file, however I did not see any increased logging in
either /var/log/messages or /var/log/tomcat/catalina.2018-02-11.log.
Has anyone confirmed if the OpenID plugin works behind a proxy?
Thanks again.
Justin
On Sun, 2018-02-11 at 20:33 +0000, JP Harvey wrote:
> Hey Justin,
> It’s possible that the response does not contain the mail attribute,
> the Tomcat logs should tell you if that is the case, in which case
> you’d need to specify the attribute in guacamole.config with the
> openid-username-claim-type directive.
> I’ve never used Keycloak but based on this documentation for
> mod_auth_openidc
> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/mod-auth-openidc.html
> preferred_username may be what you need as that is what
> they say to map using mod_auth_openidc:
>     OIDCRemoteUserClaim preferred_username
> Your first email said you had enabled the mappings to Username, given
> name, full name, email, and family name so maybe this is not the
> issue, however might be worth a try since this is a symptom of not
> having the username claim type that Guacamole is expecting in the response.
> JP
> On 2018/02/09 13:49:16, Justin Gauthier <j...@justin-tech.com> wrote:
> > Hey Nick,
> >
> > Thanks for the response!
> >
> > I suspected as much, unfortunately I am unsure why it’s not seeing
> > the token. Like I said, I don’t have anything else that uses OpenID
> > to test the setup.
> >
> > Hopefully Mike is able to assist when he gets a chance.
> >
> > Thanks again for the help, it’s greatly appreciated.
> >
> > ________________________________
> > From: Nick Couchman <ni...@gmail.com>
> > Sent: Friday, February 9, 2018 8:40:25 AM
> > To: user@guacamole.apache.org
> > Subject: Re: OpenID-Connect HTTP 500
> >
> > On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <ju...@justin-tech.com> wrote:
> > > The response payload is:
> > > {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
> > >
> > > I also see a GET for
> > > https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
> >
> > Mike can probably provide more precise information, but my guess is
> > that there is something about the response being sent back to the
> > Guacamole Session that Guacamole is unhappy about - either it isn't
> > seeing the id_token parameter when it expects to, or
> > it's in a format it doesn't expect, or something like that.  I've
> > not used Guacamole with OIDC, so I'm not going to be of very much
> > help, here.
> >
> > -Nick
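The thread turns on two points: whether a proxy can forward what follows the "#" in the redirect URL, and which claim the id_token actually carries so that openid-username-claim-type can be set to it. The following is an added example, not code from this thread or from the Guacamole project, written to illustrate both. It runs under Node.js with no network access; the issuer, hostnames, nonce, claim values and the unsigned sample id_token are all constructed for illustration, and the function names are this example's own.

```javascript
// Added example, not code from the thread or from the Guacamole project.
// Shows (1) why an id_token in the URL fragment never reaches nginx or Tomcat,
// (2) how an OIDC implicit-flow client reads it, and (3) how to see which
// claims (email, preferred_username, ...) the token actually carries before
// choosing a username claim type. Node.js only; no network access.
// All hosts, tokens and claim values below are constructed for illustration.

const b64url = {
  encode: (s) => Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  decode: (s) => Buffer.from(
    s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4),
    'base64').toString('utf8'),
};

// Constructed, UNSIGNED sample id_token (header alg "none"). A real relying
// party must verify the signature against the IdP's JWKS before trusting any
// claim; that step needs the IdP's keys and is deliberately not shown here.
const SAMPLE_NONCE = 'n-0S6_WzA2Mj';
const SAMPLE_PAYLOAD = {
  iss: 'https://keycloak.example.test/auth/realms/Example', // placeholder issuer
  aud: 'guacamole',
  exp: 4102444800, // 2100-01-01, so the sample never expires during a test
  nonce: SAMPLE_NONCE,
  email: 'justin@example.test',
  preferred_username: 'justin',
};
const SAMPLE_ID_TOKEN =
  b64url.encode(JSON.stringify({ alg: 'none', typ: 'JWT' })) + '.' +
  b64url.encode(JSON.stringify(SAMPLE_PAYLOAD)) + '.';

// The URL the IdP redirects the browser to. Everything after '#' is the
// fragment: the browser keeps it local and puts only the part before it in
// the HTTP request line, so no proxy_set_header in nginx can forward it.
const SAMPLE_REDIRECT =
  'https://guacamole.example.test/#session_state=00000000-0000-4000-8000-000000000000' +
  '&id_token=' + SAMPLE_ID_TOKEN + '&not-before-policy=0';

// What an HTTP server actually receives for that URL: the fragment is gone.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search; // never u.hash
}

// What page JavaScript can read: the fragment, parsed as form parameters.
function parseFragment(url) {
  const u = new URL(url);
  const out = {};
  for (const [k, v] of new URLSearchParams(u.hash.slice(1))) out[k] = v;
  return out;
}

// Decode the payload of a compact JWS without verifying it (inspection only).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64url.decode(parts[1]));
}

// Claim checks a relying party must make on top of signature verification.
// Returns the names of the failed checks (empty array means all passed).
function checkClaims(claims, { issuer, clientId, nonce, now = Date.now() / 1000 }) {
  const failures = [];
  if (claims.iss !== issuer) failures.push('iss');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) failures.push('aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) failures.push('exp');
  if (claims.nonce !== nonce) failures.push('nonce'); // binds the token to this login attempt
  return failures;
}

// Look up a configurable username claim (the role openid-username-claim-type
// plays). Returns null when the token simply does not carry that claim,
// which is the condition to rule out before blaming the proxy.
function usernameFromClaims(claims, claimType) {
  const v = claims[claimType];
  return typeof v === 'string' && v.length > 0 ? v : null;
}

// Guacamole's INVALID_CREDENTIALS body lists what it "expected"; an
// OpenID-aware client follows the authorizationURI of the GUAC_OPENID_TOKEN entry.
function authorizationUriFromError(body) {
  const entry = (body.expected || []).find((e) => e.type === 'GUAC_OPENID_TOKEN');
  return entry ? entry.authorizationURI : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('server sees   :', requestTarget(SAMPLE_REDIRECT));
  const claims = decodeJwtPayload(parseFragment(SAMPLE_REDIRECT).id_token);
  console.log('claims present:', Object.keys(claims).join(', '));
  console.log('failed checks :', checkClaims(claims, {
    issuer: SAMPLE_PAYLOAD.iss, clientId: 'guacamole', nonce: SAMPLE_NONCE }));
  console.log('email             :', usernameFromClaims(claims, 'email'));
  console.log('preferred_username:', usernameFromClaims(claims, 'preferred_username'));
}
```

Run it with node and compare requestTarget against parseFragment: the request line a proxy or Tomcat access log records for the redirect contains no id_token at all, which is why searching those logs for the token finds nothing and why nginx has nothing it could pass along. The token only exists in the page, and the relying party's own script must read it from the fragment and submit it in a request of its own; decoding the real token's payload in the browser console the same way shows directly whether the claim named in openid-username-claim-type is present.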