From: Mike Jumper
Date: Mon, 5 Mar 2018 11:00:24 -0800
Subject: Re: OpenID module does not detect email claim
To: user@guacamole.apache.org
In-Reply-To: <1520267627038-0.post@n4.nabble.com>

On Mon, Mar 5, 2018 at 8:33 AM, kevinmsrs <kevin.chan@msrs.us> wrote:
> When trying to connect with the OpenID module, the logs output that the
> "email" claim is missing from the token. Shouldn't it look at the id_token
> for the email? The token response does not hold the email claim from what I
> have been reading.

It does look at the id_token. The OpenID auth is attempting to pull the email claim from the received JWT, as this is the default claim used to determine identity.

> Here is the error from the tomcat log:
> [http-nio-8080-exec-409] WARN  o.a.g.a.o.t.TokenValidationService - Username
> claim "email" missing from token. Perhaps the OpenID scope and/or username
> claim type are misconfigured?
>
> At this point, it becomes a redirect loop as Guacamole requests access again
> and then fails to read the claim.

If your IDP does not provide the email, you will need to choose another claim which will be present in the JWT and can serve as the identity of the user. You may need to modify the scope submitted to the IDP to ensure such a claim is present in the received token. Configuring this involves the "openid-username-claim-type" and "openid-scope" properties respectively:

http://guacamole.apache.org/doc/gug/openid-auth.html#guac-openid-config

- Mike
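One way to reproduce the claim lookup Mike describes, as an added example that is not part of this thread or of Guacamole's own code: it decodes a constructed id_token, looks for the configured username claim, and checks whether the requested openid-scope would even ask the IdP for that claim. The helper names, the scope-to-claim table and the sample token are assumptions made here.

```python
# Added example (not Guacamole code): diagnose a missing username claim
# in an OpenID Connect id_token and relate it to the requested scope.
import base64
import json

# Standard OIDC scopes and the id_token claims each one requests
# (OpenID Connect Core 1.0, section 5.4). "sub" is always present.
CLAIMS_BY_SCOPE = {
    "email": {"email", "email_verified"},
    "profile": {"name", "preferred_username", "given_name", "family_name",
                "nickname", "picture", "updated_at"},
}

def decode_payload(id_token: str) -> dict:
    """Return the claims from a JWT payload (middle base64url segment).

    The signature is NOT checked here: Guacamole validates the token
    against the JWKS endpoint before trusting it. This helper only reads
    claims from a token you already consider validated.
    """
    _header, payload, _sig = id_token.split(".")
    payload += "=" * (-len(payload) % 4)       # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def username_from_id_token(id_token: str, claim_type: str = "email"):
    """Mirror the lookup behind the TokenValidationService warning."""
    value = decode_payload(id_token).get(claim_type)
    if value is None:
        return None, f'Username claim "{claim_type}" missing from token.'
    return value, None

def scope_covers_claim(openid_scope: str, claim_type: str) -> bool:
    """True if openid-scope asks the IdP for claim_type ("sub" always is)."""
    if claim_type == "sub":
        return True
    requested = set(openid_scope.split())
    return any(claim_type in claims and scope in requested
               for scope, claims in CLAIMS_BY_SCOPE.items())

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample id_token for offline testing only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.sig-placeholder'

# Constructed sample: an IdP that issued no "email" claim at all.
SAMPLE_CLAIMS = {"iss": "https://idp.example", "sub": "u-42",
                 "preferred_username": "kevin"}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)
```

With a token like the sample, either add "email" to openid-scope (if the IdP can supply it) or point openid-username-claim-type at a claim the IdP actually issues, such as preferred_username or sub.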