guacamole-user mailing list archives

From Justin Gauthier <jus...@justin-tech.com>
Subject Re: OpenID-Connect HTTP 500
Date Thu, 08 Feb 2018 17:57:02 GMT
Nick,

I have completed that step, however now I am in a redirect loop.

Once I get home I'll take a look at the logs and provide that information.

Thanks for the help,

Justin

________________________________
From: Nick Couchman <vnick@apache.org>
Sent: Thursday, February 8, 2018 11:27:05 AM
To: user@guacamole.apache.org
Subject: Re: OpenID-Connect HTTP 500

On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <justin@justin-tech.com>
wrote:
Hello everyone,

I have discovered that I had the openid-redirect-uri incorrectly
specified. That issue has now been resolved, and I get a login screen
now.

Now, when I get that login screen, I can log in with credentials stored
in the postgres database, but I do not get redirected to Keycloak. I
see a 403 message with the following information:

{"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}

My understanding is that Guacamole should be redirecting me to Keycloak
to authenticate, and then I should be redirected back to Guacamole with
the authentication token, and it would not ask for the username and
password?

Justin,
Authentication extensions are loaded in alphabetical order, which means the OpenID extension
is being loaded (and evaluated) after the JDBC extension.  I suggest that you rename the OpenID
extension to something that will force it to load first - when I do this with modules, I usually
prefix a number on to them.  For example, in the GUACAMOLE_HOME/extensions folder, instead
of installing it as "guacamole-auth-openid-0.9.14.jar", install it as "guacamole-auth-0-openid-0.9.14.jar"
- the -0 before the -openid will cause it to be loaded and evaluated prior to the -jdbc JAR,
and perhaps allow the redirect to happen properly.

Regards,
Nick
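
An added example, not part of the original thread or the Guacamole project's code: a shell check that lists the JARs in an extensions directory in load order and confirms that the OpenID extension sorts ahead of the JDBC one. It assumes byte-wise filename ordering for the "alphabetical" order described above; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify which authentication extension loads first.
# Assumption: load order is byte-wise by filename (the thread says
# "alphabetical"), so LC_ALL=C sort is used to avoid locale collation.

# Print the .jar file names in directory $1, one per line, in load order.
load_order() {
    (
        cd "$1" 2>/dev/null || exit 1
        for f in *.jar; do
            # Skip the unexpanded pattern when the directory has no JARs.
            [ -e "$f" ] && printf '%s\n' "$f"
        done | LC_ALL=C sort
    )
}

# Succeed (exit 0) if some JAR whose name contains $2 sorts before every
# JAR whose name contains $3 in directory $1. Fails if either is missing.
loads_before() {
    first=$(load_order "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1)
    other=$(load_order "$1" | grep -n -F -- "$3" | head -n 1 | cut -d: -f1)
    [ -n "$first" ] && [ -n "$other" ] && [ "$first" -lt "$other" ]
}

# Usage (GUACAMOLE_HOME as in the thread):
#   load_order "$GUACAMOLE_HOME/extensions"
#   loads_before "$GUACAMOLE_HOME/extensions" openid jdbc \
#       && echo "OpenID is evaluated first" \
#       || echo "JDBC is evaluated first; rename the OpenID JAR"
```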
