guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mjum...@apache.org>
Subject Re: Guacamole & OpenID
Date Fri, 30 Nov 2018 17:37:14 GMT
On Wed, Nov 21, 2018 at 1:41 AM B3r3n <B3r3n@argosnet.com> wrote:
>
> Burping the whole session, I found some infos. It seems Guacamole considers
> invalid credentials:
> {"message":"Invalid login.","translatableMessage":{"key":"Invalid
> login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://auth/oxauth/restv1/authorize?scope=openid+email+profile&response_type=id_token&client_id=%40%213CBA.9C61.872A.9B54%210001%218204.1C64%210008%215F53.D604.4734.13E8&redirect_uri=https%3A%2F%2Fguacamole.security.equant.com%2Fguacamole%2F&nonce=buo73qjm36bac5uobsvjra2tjo"}],"type":"INVALID_CREDENTIALS"}
> entering infinite loop with OIDC server (Gluu).
>
> I wonder where Guacamole gets the user attribute to make the link between
> OIDC username & Guacamole username.

See the "openid-username-claim-type" property:

http://guacamole.apache.org/doc/gug/openid-auth.html#guac-openid-config

> Also wondering about the password.

No password will be available to Guacamole if using OpenID. If a valid
token is received from the IDP, the user will be authenticated.

> To reduce risk from differences, the user (test) has password "test" in both
> OIDC & MySQL local database.

You don't need to set a password if using OpenID. The MySQL
authentication will trust the authentication result of the OpenID
extension.

>
> Also my guacamole properties has MySQL details (to manage user profile) but
> no mysql auth jdbc.
>
> I noticed I could have both OIDC+MySQL jar files, OIDC loading first with a
> rename if needed. did not tested that yet.
>

If you don't have the MySQL auth .jar in place, those properties will
be ignored.

- Mike

Mime
View raw message