guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: Guacamole & OpenID
Date Fri, 14 Dec 2018 06:46:28 GMT
On Thu, Dec 13, 2018, 22:36 B3r3n <B3r3n@argosnet.com> wrote:

> > On Thu, Dec 13, 2018 at 11:14 AM B3r3n <B3r3n@argosnet.com> wrote:
> >>
> >> Hello Mike,
> >>
> >> Well noted, I will test that ASAP.
> >>
> >
> > Thanks, B3r3n.
> >
> >> However, since I moved to using header auth, I would like to try
> >> achieving it.
> >> My only issue is with the logout feature of Guacamole.
> >>
> >> Apparently it sends a DELETE /guacamole/api/tokens/token_id. I
> >> intended to change it to another GET /url logging out but whatever I
> >> do, right after, the browser sends a POST /guacamole/api/tokens and
> >> gets a token again.
> >>
> >
> > With the header authentication, you will be immediately
> > re-authenticated so long as the header that authenticates you is
> > present in the HTTP request.
> >
> >> Is there a URL I could use to log out from Guacamole but where the
> >> browser will accept a returning GET, redirect, whatever so it can
> >> really be logged out from OpenID?
> >
> > Single logout for OpenID Connect is not currently implemented in
> > Guacamole:
> >
> > https://issues.apache.org/jira/browse/GUACAMOLE-519
> >
> > The path forward to implement that for OpenID is fairly clear - it
> > would just need to be done. I don't know what would need to be done
> > for the generic header authentication, where there's no standard
> > defining how logout should be signaled to the IDP.
> I agree, but my intention was to use an Apache RewriteRule or ProxyHTMLURLMap,
> or RewriteHTML to change the DELETE token URL to my logout OIDC URL.
> That's why I would just like to know what you expect once you have sent this
> DELETE token. If I can replace it by my logout URL, it would remove the header
> variable and bingo, clean logout from Guacamole :-)
>

No, as simple as it may sound, this wouldn't be a good approach. There is
no DELETE token URL (DELETE is the method of the HTTP request sent to the
token endpoint of Guacamole's REST service, not a component of a URL), and
there is good reason for Guacamole's REST service to be the way it is with
respect to logout. For proper security, cleanup of resources, etc., single
logout needs to be implemented in addition to the Guacamole parts of the
logout process, not instead of those parts.

Nick had a good proposal earlier: providing a mechanism within the header
auth for redirecting the user to a configurable URL after Guacamole logout
has completed.

- Mike
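
Added example, not part of the thread and not Guacamole's code: a simplified Python model of a token service behind header authentication, showing the immediate re-authentication described above and why the identity provider logout has to follow the token DELETE rather than replace it. The `TokenService` class, the `REMOTE_USER` header name and the user `alice` are assumptions made for the illustration.

```python
# Simplified model, constructed for illustration (not Guacamole's code), of a
# token service behind header authentication. REMOTE_USER is an assumed header.
import secrets

class TokenService:
    def __init__(self):
        self.sessions = {}  # token -> user; stands in for server-side state

    def post_tokens(self, headers):
        """POST /api/tokens: the trusted header alone authenticates."""
        user = headers.get("REMOTE_USER")
        if not user:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def delete_token(self, token):
        """DELETE /api/tokens/<token>: invalidate the token, release state."""
        return self.sessions.pop(token, None) is not None

def rewritten_logout(svc, headers, token):
    """DELETE replaced by the IdP logout URL: the service never sees it."""
    headers.pop("REMOTE_USER", None)  # IdP logout: proxy stops sending header
    return svc.post_tokens(headers)

def ordered_logout(svc, headers, token):
    """Guacamole logout first, then the redirect to the IdP logout URL."""
    svc.delete_token(token)           # server-side cleanup happens
    headers.pop("REMOTE_USER", None)  # IdP logout: proxy stops sending header
    return svc.post_tokens(headers)

def demo():
    out = {}
    svc, headers = TokenService(), {"REMOTE_USER": "alice"}
    svc.delete_token(svc.post_tokens(headers))
    # Header still present, so the follow-up POST re-authenticates at once.
    out["reauthenticated"] = svc.post_tokens(headers) is not None

    svc, headers = TokenService(), {"REMOTE_USER": "alice"}
    tok = svc.post_tokens(headers)
    rewritten_logout(svc, headers, tok)
    out["stale_after_rewrite"] = tok in svc.sessions   # never invalidated

    svc, headers = TokenService(), {"REMOTE_USER": "alice"}
    tok = svc.post_tokens(headers)
    out["new_token_after_ordered"] = ordered_logout(svc, headers, tok)
    out["stale_after_ordered"] = tok in svc.sessions
    return out
```

In this model the rewritten logout leaves the old token in the session table, while the ordered logout leaves neither a valid token nor a way to obtain a new one.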
