From: Mike Jumper
Date: Sun, 12 Aug 2018 00:39:44 -0700
Subject: Re: starting a specific connection via URL?
To: user@guacamole.apache.org

On Sun, Aug 12, 2018, 00:20 Joachim Lindenberg wrote:
> Hello,
>
> I am wondering what is the best way to start a connection (with parameters made available from my own authentication extension, but could be any) from another web application. I am aware of the following approaches:
>
> · I can pass username & password via the URL, however I don't know how to pass the connection identifier or whether that is available to my authentication extension. More important, I dislike the fact that username and password are shown by the browser in the url, visible to anyone looking at the screen.

I wouldn't recommend this approach for the reason cited. While Guacamole does nicely pass URL parameters through to auth, that's best used for auth mechanisms that don't use username/password.

> · There is an extension https://github.com/grncdr/guacamole-auth-hmac that probably does something similar, but the code is unmaintained and I don't know whether it works with 0.9.14+.

Perhaps https://github.com/glyptodon/guacamole-auth-json would be a better choice? I wrote it some time ago for my day job when we were tasked with creating an alternative to guacamole-auth-hmac which additionally would not expose connection parameter details in the URL.

> · I can generate a one-time-token in my web application, retrieve the token from the URL in my authentication extension, use it to identify user and connection, return just that one connection to Guacamole, and rely on the convention that Guacamole starts the connection automatically if there is just one. Not sure what life-time the token will need – e.g. will refresh work if the token is no longer valid?

This would be the best approach.

You could accomplish this through writing your own extension, or through generating temporary, encrypted JSON tokens with the extension linked above.

I would recommend using the anonymous username (just an empty string) so the UI handles all session info as temporary and anonymous.

- Mike
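The one-time-token flow that Mike calls the best approach, as an added model in Python written for this archive page; it is not code from Guacamole, guacamole-auth-hmac or guacamole-auth-json. It shows both halves: the web application issuing a short-lived, single-use token and redirecting the browser with only that token in the URL (no username, password or connection parameters), and the lookup an authentication extension would do with the token it finds in the request (a real extension is Java built on guacamole-ext; the Python only models the decision logic). The names TokenStore, launch_url and authenticate_from_url, the 60-second lifetime, the hashed token store and the sample connection inventory are all assumptions made for the example. It also answers the lifetime question in the narrowest sense: a token redeems exactly once, so presenting it again (a reload) or after expiry is rejected.

```python
"""Model of the one-time-token flow discussed in this thread.

Two sides: the issuing web application (creates a short-lived, single-use
token and redirects the browser to Guacamole with only that token in the
URL) and the lookup side (what an authentication extension does with the
token it finds in the request). Illustration written for this page; not
code from Guacamole or either extension mentioned in the thread, and a real
extension would be Java built on guacamole-ext.
"""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a token only has to survive the redirect, so one minute is plenty.
TOKEN_TTL_SECONDS = 60

# Constructed sample inventory: what your web application would hand to
# Guacamole as connection definitions (hostnames are made up).
CONNECTIONS = {
    "rdp-host-1": {"protocol": "rdp", "parameters": {"hostname": "10.0.0.5", "port": "3389"}},
    "ssh-host-2": {"protocol": "ssh", "parameters": {"hostname": "10.0.0.6", "port": "22"}},
}


class TokenStore:
    """Server-side record of tokens that have not been redeemed yet.

    Only a SHA-256 of each token is kept, so a dump of the store does not
    yield usable tokens. 'now' is injectable so expiry can be tested.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._entries = {}  # sha256(token) -> (user, connection_id, expires_at)
        self._ttl = ttl
        self._now = now

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user, connection_id):
        """Create a fresh 256-bit random token bound to one user and one connection."""
        if connection_id not in CONNECTIONS:
            raise KeyError("unknown connection: %s" % connection_id)
        token = secrets.token_urlsafe(32)
        self._entries[self._key(token)] = (user, connection_id, self._now() + self._ttl)
        return token

    def redeem(self, token):
        """Consume a token. Returns (user, connection_id) the first time it is
        presented before expiry, and None for unknown, already used, or expired
        tokens. An expired token is dropped from the store on the way out."""
        entry = self._entries.pop(self._key(token), None)
        if entry is None:
            return None
        user, connection_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user, connection_id


def launch_url(guacamole_base, token):
    """URL the web application redirects the browser to. The query string
    carries the token only: no username, password, or connection parameters."""
    return guacamole_base.rstrip("/") + "/?" + urlencode({"token": token})


def authenticate_from_url(store, url):
    """Lookup side: read the token from the request URL, redeem it, and return
    exactly one connection so Guacamole auto-connects to it.

    Returns a dict with the anonymous (empty-string) username suggested in the
    reply, the originating user for your own audit log, and a single-entry
    connection map; or None when the request should be rejected.
    """
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    if not token:
        return None
    result = store.redeem(token)
    if result is None:
        return None
    user, connection_id = result
    return {
        "username": "",
        "audit_user": user,
        "connections": {connection_id: CONNECTIONS[connection_id]},
    }


if __name__ == "__main__":
    store = TokenStore()
    # guac.example.test is a constructed placeholder for your Guacamole URL
    url = launch_url("https://guac.example.test/guacamole", store.issue("joachim", "rdp-host-1"))
    print(url)
    print(authenticate_from_url(store, url))  # one connection, anonymous username
    print(authenticate_from_url(store, url))  # None: token already consumed
```

The store hashes tokens and binds each one to a single connection, so a leaked or screenshotted URL is worth at most one short-lived session to one host and nothing after it has been redeemed. Whether the Guacamole client re-sends the URL token on a page refresh is not modelled here; the store only shows what the extension should do if it does.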