guacamole-user mailing list archives

From JP Harvey <jphar...@cloudquarterback.com>
Subject RE: Re: OpenID-Connect HTTP 500
Date Sun, 11 Feb 2018 23:42:14 GMT
It can definitely work behind a proxy. As a test what about making location /guacamole instead
of / in the nginx config? You will have to change your redirect URL with OIDC also. You have
the headers configured so it should work ok but sometimes Tomcat can be fussy with reverse
proxying if you’re using a different path.

With regards to the logging, we’re using Docker so it’s being logged to stdout. I’d suggest
if you’ve installed on a host, run Tomcat in the foreground so you can see the log messages
on the console. The log you’re looking for shows messages like these when you start up and
log on:

11-Feb-2018 20:58:34.593 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR
Deployment of web application archive /usr/local/tomcat/webapps/guacamole.war has finished
in 6,026
11-Feb-2018 20:58:34.594 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deploying web application directory /usr/local/tomcat/webapps/manager
11-Feb-2018 20:58:34.650 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deployment of web application directory /usr/local/tomcat/webapps/manager has finished in
56 ms
11-Feb-2018 20:58:34.651 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deploying web application directory /usr/local/tomcat/webapps/ROOT
11-Feb-2018 20:58:34.677 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deployment of web application directory /usr/local/tomcat/webapps/ROOT has finished in 25
ms
11-Feb-2018 20:58:34.677 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deploying web application directory /usr/local/tomcat/webapps/docs
11-Feb-2018 20:58:34.715 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deployment of web application directory /usr/local/tomcat/webapps/docs has finished in 38
ms
11-Feb-2018 20:58:34.719 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deploying web application directory /usr/local/tomcat/webapps/host-manager
11-Feb-2018 20:58:34.763 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deployment of web application directory /usr/local/tomcat/webapps/host-manager has finished
in 44 ms
11-Feb-2018 20:58:34.763 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deploying web application directory /usr/local/tomcat/webapps/examples
11-Feb-2018 20:58:35.114 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory
Deployment of web application directory /usr/local/tomcat/webapps/examples has finished in
11-Feb-2018 20:58:35.124 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["http-nio-8080"]
11-Feb-2018 20:58:35.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["ajp-nio-8009"]
11-Feb-2018 20:58:35.138 INFO [main] org.apache.catalina.startup.Catalina.start Server startup
in 6653 ms
11-Feb-2018 23:36:50.290 INFO [http-nio-8080-exec-6] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
11-Feb-2018 23:36:50.807 INFO [http-nio-8080-exec-8] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
11-Feb-2018 23:36:50.863 INFO [http-nio-8080-exec-10] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
11-Feb-2018 23:36:50.865 INFO [http-nio-8080-exec-9] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
11-Feb-2018 23:36:50.866 INFO [http-nio-8080-exec-1] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
11-Feb-2018 23:36:50.918 INFO [http-nio-8080-exec-2] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
11-Feb-2018 23:36:50.967 INFO [http-nio-8080-exec-3] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/blob-polyfill/1.0.20150320/Blob.js
11-Feb-2018 23:36:50.980 INFO [http-nio-8080-exec-5] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-module-shim/0.0.4/angular-module-shim.js
11-Feb-2018 23:36:50.984 INFO [http-nio-8080-exec-4] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/filesaver/1.3.3/FileSaver.min.js
11-Feb-2018 23:36:50.987 INFO [http-nio-8080-exec-7] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
11-Feb-2018 23:36:51.010 INFO [http-nio-8080-exec-8] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
11-Feb-2018 23:36:51.057 INFO [http-nio-8080-exec-1] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
11-Feb-2018 23:36:51.088 INFO [http-nio-8080-exec-9] org.webjars.servlet.WebjarsServlet.doGet
Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
11-Feb-2018 23:36:54.000 [http-nio-8080-exec-5] INFO o.a.g.r.auth.AuthenticationService -
User "xxxxx@xxxxxxx.com" successfully authenticated from [xxxxx].

JP

From: Justin Gauthier [mailto:justin@justin-tech.com]
Sent: Sunday, February 11, 2018 14:04
To: user@guacamole.apache.org
Subject: Re: Re: OpenID-Connect HTTP 500

Hello JP,

Thanks for the response.

After looking at https://guacamole.apache.org/doc/gug/openid-auth.html, and the .well-known/openid-configuration
section of keycloak, it appears that keycloak does not support a scope of "openid email profile",
or even "openid profile". I have changed the 'openid-scope' section in guacamole.properties,
and it is still not working. Also in that section, regarding 'openid-username-claim-type',
I can see that claims_supported include both email and preferred_username. Setting 'openid-username-claim-type'
to either of those does not work.

I have also noticed that there is a GET request for https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE<https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&amp;response_type=id_token&amp;client_id=guacamole&amp;redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&amp;nonce=%5bNONCE>]

I then see the POST a short while later with the following response payload: {"message":"Invalid
login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]"}],"type":"INVALID_CREDENTIALS<https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=796bmc3pj9ur5mmhv8lhcag8dp>"}

It is odd that I can see the ID_TOKEN and other parameters in the URL, however I do not see
that information in the dev tools.

The link I see in the URL is:

https://guacamole.justin-tech.com/#session_state=659548d0-bb82-4aea-b547-1f9374e519bd&id_token=[TOKEN]&not-before-policy=1518383231<https://guacamole.justin-tech.com/#session_state=659548d0-bb82-4aea-b547-1f9374e519bd&id_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI4eTVad0VPU3F5MzBGejhrUkFVazlPMDdEUk85aE9LRkxhVHFTcWdTYnVJIn0.[…].fwAkxsv3mPvTmXhQ9A4SOlzlfDW0AmaV47Qm3OeCY0kK2CqTDW2NAp3tl8OBZnTcDIdP6qVvDAMUsBL477-xSGSWlDpbrjSAMcBuNa5nqaO2NH1lkQHVWsdwUtu0q30WTzwGCphkTpW9iLZSea8u_2BDBGuACgYm17F4vWzg8t9sl-lmz3M7xKod4LGeTAwGMMD0ddvDKGloC49jFLNPF3aRHUa-5HiK_jOlaGmFomStaHS2Yil5ZFaiQMRudXbhU_vlGTzIZ8alZ-NQdaMARwmvRFsbCsNLlsjw6NX6b-mv3AtOF75yLH6h6OTaEimwf7GBXzGCCWJNYSVAYia3eg&not-before-policy=1518383231>

One thing I am not sure about is, the URL used to access guacamole is https://guacamole.justin-tech.com/#/
however, the token is returned to https://guacamole.justin-tech.com/#session_state ... I am
not sure if this is the correct behavior.

Additionally, in my nginx proxy, I have the following configuration:

upstream guacamole {
    server guacamole01.corp.justin-tech.com:8080;
}

server {
    listen 443 ssl;
    server_name guacamole.justin-tech.com;
    ssl on;
    # Remember to comment these out if you need to change their defaults
    include snippets/ssl-defaults.conf;

    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
#    access_log off;
    proxy_pass_request_headers on;
    proxy_set_header Host $host;

    location / {
        proxy_pass http://guacamole/guacamole/;
    }
    ssl_certificate /etc/letsencrypt/live/justin-tech.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/justin-tech.com/privkey.pem; # managed by Certbot
}

Note the trailing slash on the end of the proxy_pass. Without this, I am unable to load guacamole
at all. Also note that if I remove the /guacamole/ from proxy_pass, and adjust the redirect
URLs accordingly, I get the same problem where the /#session_state is happening.

It is my understanding that the use of the "#" symbol in URLs can cause problems because the
information after the "#" is not forwarded.

This could explain why it appears that Guacamole is not seeing this information, even though
I can see it in the URL. Is there any way to get nginx to pass this information along to the
backend server?

Also, I tried looking at the logs, but could not see anything indicating that there was a
token or anything passed back to guacamole. Which log file should I be looking in for that?
I also followed https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
and added the file, however I did not see any increased logging in either /var/log/messages
or /var/log/tomcat/catalina.2018-02-11.log.

Has anyone confirmed if the OpenID plugin works behind a proxy?

Thanks again.

Justin

On Sun, 2018-02-11 at 20:33 +0000, JP Harvey wrote:
Hey Justin,

It’s possible that the response does not contain the mail attribute, the Tomcat logs should
tell you if that is the case, in which case you’d need to specify the attribute in guacamole.config
with the openid-username-claim-type directive.

I’ve never used Keycloak but based on this documentation for mod_auth_openidc http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/mod-auth-openidc.html
preferred_username may be what you need as that is what they say to map using mod_auth_openidc:
    OIDCRemoteUserClaim preferred_username

Your first email said you had enabled the mappings to Username, given name, full name, email,
and family name so maybe this is not the issue, however might be worth a try since this is
a symptom of not having the username claim type that Guacamole is expecting in the response.

JP

On 2018/02/09 13:49:16, Justin Gauthier <j...@justin-tech.com<mailto:j...@justin-tech.com>>
wrote:
> Hey Nick,
>
> Thanks for the response!
>
> I suspected as much, unfortunately I am unsure why it’s not seeing the token. Like
> I said, I don’t have anything else that uses OpenID to test the setup.
>
> Hopefully Mike is able to assist when he gets a chance.
>
> Thanks again for the help, it’s greatly appreciated.
>
> ________________________________
> From: Nick Couchman <ni...@gmail.com<mailto:ni...@gmail.com>>
> Sent: Friday, February 9, 2018 8:40:25 AM
> To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
> Subject: Re: OpenID-Connect HTTP 500
>
> On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <ju...@justin-tech.com<mailto:ju...@justin-tech.com>>
> wrote:
> The response payload is: {"message":"Invalid
> login.","translatableMessage":{"key":"Invalid
> login.","variables":null},"statusCode":null,"expected":[{"name":"id_tok
> en","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.jus
> tin-tech.com/auth/realms/Justin-Tech/protocol/openid-
> connect/auth?scope=openid+email+profile&response_type=id_token&client_i
> d=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-<http://tin-tech.com/auth/realms/Justin-Tech/protocol/openid-
> connect/auth?scope=openid+email+profile&response_type=id_token&client_i
> d=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin->
> tech.com<http://tech.com>%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENT
> IALS"}
>
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b
> 1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-
> policy=1518147539
>
> Mike can probably provide more precise information, but my guess is that there is something
> about the response being sent back to the Guacamole Session that Guacamole is unhappy about
> - either it isn't seeing the id_token parameter when it expects to, or it's in a format it
> doesn't expect, or something like that.  I've not used Guacamole with OIDC, so I'm not going
> to be of very much help, here.
>
> -Nick
>