guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: starting a specific connection via URL?
Date Sun, 12 Aug 2018 07:39:44 GMT
On Sun, Aug 12, 2018, 00:20 Joachim Lindenberg <>

> Hello,
> I am wondering what is the best way to start a connection (with parameters
> made available from my own authentication extension, but could be any) from
> another web application. I am aware of the following approaches:
> ·       I can pass username & password via the URL, however I don´t know
> how to pass the connection identifier or whether that is available to my
> authentication extension). More important, I dislike the fact that username
> and password are shown by the browser in the url, visible to anyone looking
> at the screen.

I wouldn't recommend this approach for the reason cited.

While Guacamole does nicely pass URL parameters through to auth, that's
best used for auth mechanisms that don't use username/password.

·       There is an extension
> that probably does something similar, but the code is unmaintained and I
> don´t know whether it works with 0.9.14+.

Perhaps would be a better

I wrote it some time ago for my day job when we were tasked with creating
an alternative to guacamole-auth-hmac which additionally would not expose
connection parameter details in the URL.

·       I can generate a one-time-token in my web application, retrieve the
> token from the URL in my authentication extension, use it to identify user
> and connection, return just that one connection to Guacamole, and rely on
> the convention that Guacamole starts the connection automatically if there
> is just one. Not sure what life-time the token will need – e.g. will
> refresh work if the token is no longer valid?

This would be the best approach.

You could accomplish this through writing your own extension, or through
generating temporary, encrypted JSON tokens with the extension linked above.

I would recommend using the anonymous username (just an empty string) so
the UI handles all session info as temporary and anonymous.

- Mike

View raw message