guacamole-user mailing list archives

From JP Harvey <jphar...@cloudquarterback.com>
Subject RE: Re: OpenID-Connect HTTP 500
Date Sun, 11 Feb 2018 20:33:28 GMT
Hey Justin,
It's possible that the response does not contain the mail attribute; the Tomcat logs should
tell you if that is the case, in which case you'd need to specify the attribute in guacamole.config
with the openid-username-claim-type directive.
I've never used Keycloak, but based on this documentation for mod_auth_openidc, http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/mod-auth-openidc.html,
preferred_username may be what you need, as that is what they say to map using mod_auth_openidc:
    OIDCRemoteUserClaim preferred_username
Your first email said you had enabled the mappings to Username, given name, full name, email,
and family name, so maybe this is not the issue; however, it might be worth a try, since this is
a symptom of not having the username claim type that Guacamole is expecting in the response.
JP

On 2018/02/09 13:49:16, Justin Gauthier <j...@justin-tech.com> wrote:
> Hey Nick,
>
> Thanks for the response!
>
> I suspected as much, unfortunately I am unsure why it's not seeing the token. Like I
> said, I don't have anything else that uses OpenID to test the setup.
>
> Hopefully Mike is able to assist when he gets a chance.
>
> Thanks again for the help, it's greatly appreciated.
>
> ________________________________
> From: Nick Couchman <ni...@gmail.com>
> Sent: Friday, February 9, 2018 8:40:25 AM
> To: user@guacamole.apache.org
> Subject: Re: OpenID-Connect HTTP 500
>
> On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <ju...@justin-tech.com> wrote:
> The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
>
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
>
>
> Mike can probably provide more precise information, but my guess is that there is something
> about the response being sent back to the Guacamole Session that Guacamole is unhappy about
> - either it isn't seeing the id_token parameter when it expects to, or it's in a format it
> doesn't expect, or something like that.  I've not used Guacamole with OIDC, so I'm not going
> to be of very much help, here.
>
> -Nick
>
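JP's suggestion above comes down to one question: does the id_token Keycloak hands back actually carry the claim Guacamole reads as the username (the openid-username-claim-type property)? The following script is an added diagnostic for exactly that check; it is not Guacamole or Keycloak code, and the sample token, its claim values and the candidate-claim list are all constructed assumptions. It base64url-decodes the payload segment of a JWT, reports whether the configured claim resolves to a non-empty string, and lists which other common claims (preferred_username, email, sub) would work instead. Because it never validates the signature, it is only for inspecting a token you already hold from your own session, such as the id_token fragment in the GET Justin observed.

```python
"""Check whether an OpenID Connect id_token carries the claim Guacamole
reads as the username (the openid-username-claim-type property).

Added diagnostic example; not Guacamole or Keycloak code. The sample token
is constructed locally with a placeholder signature, so this script only
inspects claims and never validates a token. Feed it a real id_token copied
from your own browser session to see which claims your IdP actually sends.
"""
import base64
import json
from typing import Dict, List, Optional

# Claims commonly pointed at by openid-username-claim-type, in the order a
# practitioner would try them (assumed list, not something Guacamole defines).
CANDIDATE_CLAIMS = ("preferred_username", "email", "sub")


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: Dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(id_token: str) -> Dict:
    """Return the claim set of a compact-serialised JWT (no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_username(claims: Dict, claim_type: str) -> Optional[str]:
    """Return the username that would be taken from claim_type, or None.

    A missing, empty or non-string claim yields None, which is the case that
    surfaces as an "Invalid login." response rather than a logged-in user.
    """
    value = claims.get(claim_type)
    if isinstance(value, str) and value.strip():
        return value
    return None


def diagnose(id_token: str, claim_type: str) -> Dict:
    """Summarise whether claim_type works and which other claims would."""
    claims = decode_payload(id_token)
    alternatives: List[str] = [
        c for c in CANDIDATE_CLAIMS
        if c != claim_type and resolve_username(claims, c) is not None
    ]
    return {
        "configured_claim": claim_type,
        "username": resolve_username(claims, claim_type),
        "usable_alternatives": alternatives,
        "claims_present": sorted(claims),
    }


def make_unsigned_sample_token(claims: Dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


# Constructed sample: a Keycloak-style id_token whose user has a
# preferred_username but no email claim, the situation JP describes.
SAMPLE_TOKEN = make_unsigned_sample_token({
    "iss": "https://keycloak.example.test/auth/realms/Example",
    "aud": "guacamole",
    "sub": "user-0001",
    "preferred_username": "justin",
    "nonce": "constructed-nonce",
})

if __name__ == "__main__":
    # With the username claim set to "email", no username can be resolved;
    # switching to "preferred_username" yields "justin".
    print(json.dumps(diagnose(SAMPLE_TOKEN, "email"), indent=2))
    print(json.dumps(diagnose(SAMPLE_TOKEN, "preferred_username"), indent=2))
```

Run it with a real token by replacing SAMPLE_TOKEN with the id_token value from the fragment; if "username" comes back None for the claim you configured, the Tomcat log entries JP mentions should show the same failure, and "usable_alternatives" tells you which claim to name in openid-username-claim-type instead.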
