guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: starting a specific connection via URL?
Date Sun, 12 Aug 2018 07:39:44 GMT
On Sun, Aug 12, 2018, 00:20 Joachim Lindenberg <joachim@lindenberg.one>
wrote:

> Hello,
>
> I am wondering what is the best way to start a connection (with parameters
> made available from my own authentication extension, but could be any) from
> another web application. I am aware of the following approaches:
>
> · I can pass username & password via the URL, however I don't know
> how to pass the connection identifier (or whether that is available to my
> authentication extension). More important, I dislike the fact that username
> and password are shown by the browser in the URL, visible to anyone looking
> at the screen.
>

I wouldn't recommend this approach for the reason cited.

While Guacamole does nicely pass URL parameters through to auth, that's
best used for auth mechanisms that don't use username/password.

> · There is an extension https://github.com/grncdr/guacamole-auth-hmac
> that probably does something similar, but the code is unmaintained and I
> don't know whether it works with 0.9.14+.
>

Perhaps https://github.com/glyptodon/guacamole-auth-json would be a better
choice?

I wrote it some time ago for my day job when we were tasked with creating
an alternative to guacamole-auth-hmac which additionally would not expose
connection parameter details in the URL.

> · I can generate a one-time-token in my web application, retrieve the
> token from the URL in my authentication extension, use it to identify user
> and connection, return just that one connection to Guacamole, and rely on
> the convention that Guacamole starts the connection automatically if there
> is just one. Not sure what life-time the token will need – e.g. will
> refresh work if the token is no longer valid?
>

This would be the best approach.

You could accomplish this through writing your own extension, or through
generating temporary, encrypted JSON tokens with the extension linked above.

I would recommend using the anonymous username (just an empty string) so
the UI handles all session info as temporary and anonymous.

- Mike
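
The one-time-token flow discussed in this message, as an added example that is not part of the original message and is not code from Guacamole or guacamole-auth-json. The function names, payload fields, in-memory nonce store and 30-second lifetime are all assumptions, and Python stands in for both the issuing web application and the validation an authentication extension would perform.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumed: key shared by web app and extension
_redeemed = set()                 # used nonces; real deployments need shared storage

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, connection_id, ttl=30, now=None):
    """Web-application side: bind user and connection to a short-lived nonce."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": user, "c": connection_id,
                          "exp": int(now) + ttl,
                          "n": secrets.token_hex(16)}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def redeem_token(token, now=None):
    """Extension side: return (user, connection_id), or None if rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload, mac = _unb64(body), _unb64(sig)
    except (ValueError, TypeError):
        return None                       # malformed token
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                       # forged or altered
    claims = json.loads(payload)
    if now >= claims["exp"] or claims["n"] in _redeemed:
        return None                       # expired, or already used once
    _redeemed.add(claims["n"])            # single use: a replayed URL fails
    return claims["u"], claims["c"]
```

Because the nonce is consumed on first use, presenting the same URL a second time is rejected, which is the lifetime trade-off the question raises.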
