guacamole-user mailing list archives

From "B3r3n" <B3...@argosnet.com>
Subject Re: Guacamole & OpenID
Date Fri, 14 Dec 2018 08:20:12 GMT
Hello Mike,

Totally agreeing with Nick, this is a demand I expressed some weeks ago :-)

However, would it be possible to have it on 0.9.1.4?
That is the only thing I am missing to be close to perfection :-)

Brgrds

> On Thu, Dec 13, 2018, 22:36 B3r3n <B3r3n@argosnet.com> wrote:
>
>> > On Thu, Dec 13, 2018 at 11:14 AM B3r3n <B3r3n@argosnet.com> wrote:
>> >>
>> >> Hello Mike,
>> >>
>> >> Well noted, I will test that ASAP.
>> >>
>> >
>> > Thanks, B3r3n.
>> >
>> >> However, since I moved to using header auth, I would like to try
>> >> achieving it.
>> >> My only issue is with the logout feature of Guacamole.
>> >>
>> >> Apparently it sends a DELETE /guacamole/api/tokens/token_id. I intended
>> >> to change it to another GET /url logging out but whatever I do, right
>> >> after browser sends a POST /guacamole/api/tokens and regets a token.
>> >>
>> >
>> > With the header authentication, you will be immediately
>> > re-authenticated so long as the header that authenticates you is present
>> > in the HTTP request.
>> >
>> >> Is there a URL I could use to logout from guacamole but where the
>> >> browser will accept a returning GET, redirect, whatever so it can really
>> >> be logged out from OpenID?
>> >
>> > Single logout for OpenID Connect is not currently implemented in
>> > Guacamole:
>> >
>> > https://issues.apache.org/jira/browse/GUACAMOLE-519
>> >
>> > The path forward to implement that for OpenID is fairly clear - it would
>> > just need to be done. I don't know what would need to be done for the
>> > generic header authentication, where there's no standard defining how
>> > logout should be signaled to the IDP.
>>
>> I agree, but my intention was to use an Apache Rewriterule or
>> ProxyHTMLurlmap, or RewriteHTML to change the DELETE token URL to my logout
>> OIDC URL. That's why I would just like to know what do you expect once you
>> sent this DELETE token. If I can replace it by my logout URL, would remove
>> the header variable and bingo, clean logout from Guacamole :-)
>>
>
> No, as simple as it may sound, this wouldn't be a good approach. There is no
> DELETE token URL (DELETE is the method of the HTTP request sent to the token
> endpoint of Guacamole's REST service, not a component of a URL), and there
> is good reason for Guacamole's REST service to be the way it is with respect
> to logout. For proper security, clean up of resources, etc., single logout
> needs to be implemented in addition to the Guacamole parts of the logout
> process, not instead of those parts.
>
> Nick had a good proposal earlier: providing a mechanism within the header
> auth for redirecting the user to a configurable URL after Guacamole logout
> has completed.
>
> - Mike
>
>
>
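
The three logout behaviours discussed in this thread, as an added example: a constructed in-memory model, not code from Guacamole or from anyone in the thread. The header name `REMOTE_USER`, the user `alice` and the `/oidc/logout` path are assumptions made for illustration.

```javascript
// Toy model (constructed, not Guacamole code) of the logout flows discussed above.
// Assumptions: header name REMOTE_USER, IdP logout path /oidc/logout (hypothetical).
const TOKENS = '/guacamole/api/tokens';
const IDP_LOGOUT = '/oidc/logout';

function makeStack() {
  const state = { idpSession: true, guacSessions: new Map(), nextId: 1 };

  // Guacamole REST side: header auth issues a token whenever the header is present.
  function guacamole(req) {
    if (req.method === 'POST' && req.path === TOKENS) {
      const user = req.headers['REMOTE_USER'];
      if (!user) return { status: 403 };
      const token = 'tok' + state.nextId++;
      state.guacSessions.set(token, { user });
      return { status: 200, token };
    }
    if (req.method === 'DELETE' && req.path.startsWith(TOKENS + '/')) {
      // Invalidates the session; this is where server-side cleanup happens.
      state.guacSessions.delete(req.path.slice(TOKENS.length + 1));
      return { status: 204 };
    }
    return { status: 404 };
  }

  // Reverse proxy side: injects the auth header only while the IdP session is live.
  function proxy(req, { rewriteDelete = false } = {}) {
    if (req.path === IDP_LOGOUT || (rewriteDelete && req.method === 'DELETE')) {
      state.idpSession = false; // IdP logout; Guacamole never sees this request
      return { status: 200 };
    }
    const headers = state.idpSession ? { REMOTE_USER: 'alice' } : {};
    return guacamole({ ...req, headers });
  }
  return { state, proxy };
}

// Runs login, then one logout strategy, then the automatic re-login attempt
// the browser makes (POST to the token endpoint).
function runLogout(strategy) {
  const { state, proxy } = makeStack();
  const { token } = proxy({ method: 'POST', path: TOKENS });
  const del = { method: 'DELETE', path: `${TOKENS}/${token}` };
  if (strategy === 'delete-only') proxy(del);
  if (strategy === 'rewrite') proxy(del, { rewriteDelete: true });
  if (strategy === 'delete-then-redirect') { proxy(del); proxy({ method: 'GET', path: IDP_LOGOUT }); }
  const relogin = proxy({ method: 'POST', path: TOKENS });
  return { reloginStatus: relogin.status, staleSessions: state.guacSessions.has(token) ? 1 : 0 };
}
```

In this model `delete-only` is re-authenticated at once, `rewrite` ends the IdP session but leaves the Guacamole session in place, and `delete-then-redirect` ends both.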




