guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: Guacamole & OpenID
Date Tue, 04 Dec 2018 19:18:27 GMT
On Mon, Dec 3, 2018 at 12:12 PM B3r3n <> wrote:

> ...
> openid-authorization-endpoint:
> https://tacauth.mydomain.tld/oxauth/restv1/authorize
> openid-jwks-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/jwks
> openid-issuer
> <https://tacauth.mydomain.tld/oxauth/restv1/jwksopenid-issuer>:
> https://tacauth.mydomain.tld
> openid-client-id:
> @!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F
> openid-redirect-uri: https://tacos.mydomain.tld/guacamole/
> openid-username-claim-type: preferred_username
> openid-scope: openid profile email

Note that "openid email profile" is the default. This will likely have no

> auth-provider:
> org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider

The "auth-provider" property has been deprecated since 0.9.7 and was
removed in 0.9.10-incubating. Older releases would have logged a warning
regarding its use, while releases from 0.9.10-incubating onward will simply
ignore it. Continuing to specify this is bad practice and has no effect.

> Guacamole unique extension : guacamole-auth-openid-0.9.14.jar

When you say "unique" here, do you mean that this is the only .jar wile
within GUACAMOLE_HOME/extensions/?

> Guacamole lib : mysql-connector-java-8.0.13.jar
> MySQL is taken from Ubuntu, DB created via cat
> 001* then 002* to mysql –p guacamole_db, privileges granted.

If only the OpenID extension is installed, then all this will have no
effect. MySQL will not be used unless the MySQL extension is installed.

> but apparently FileAuthenticationProvider is enforced after it :

It is not enforced; it is only loaded. It will only have an effect if
"user-mapping.xml" is present.

> I am puzzled with the fact Guacamole claims the
> user-mapping.xml file, as well as the fact it
> bound the fileauth provider. To me that is useless since openid is here…

The "user-mapping.xml" authentication mechanism is built into Guacamole. It
is always loaded but is loaded last. If any extensions are present at all,
they will take priority, with "user-mapping.xml" finally getting a crack at
authentication after all other extensions have had a chance. If you do not
have a "user-mapping.xml" file at all, then this will have no effect.

> Login with Firefox to URL (not /guacamole/), PHP
> page is find (simple check to display variables), to call /guacamole/:
> URL/guacamole/ redirects to Gluu login page   OK
> Logging in as guacadmin/guacadmin                      OK
> Then endless looping between:
> URL/guacamole/#scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
> and
> URL/guacamole/#/scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472

I think this is failing because of the presence of other parameters after
the "#/". The OpenID Connect extension for Guacamole works around issues
with AngularJS and OpenID by handling the mangled parameters as if they
were the name of a page, rewriting ".../#/id_token=FOO" to
".../#/?id_token=FOO". This workaround will not have any effect with a path
like ".../#/scope=FOO":

We may need a better workaround if OpenID Connect implementations can be
expected to throw other parameters in there besides the expected "id_token".

- Mike

View raw message