guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: Guacamole & OpenID
Date Fri, 14 Dec 2018 07:07:47 GMT
On Thu, Dec 13, 2018 at 10:38 PM B3r3n <> wrote:

> Hello Nick,
> >>
> >> The path forward to implement that for OpenID is fairly clear - it
> >> would just need to be done. I don't know what would need to be done
> >> for the generic header authentication, where there's no standard
> >> defining how logout should be signaled to the IDP.
> >>
> >
> > For the header module, we could add a header-logout-url parameter that
> > could be configured to take the user to a URL that would log them out of
> > whatever session generated the header?  This kind of kicks the problem of
> > how the header logout is accomplished out of the Guacamole realm and over
> > to whatever login system is generating the header.
> That would just be perfect. This matchines my request from 2 weeks ago.
> DELETE token being replaced by https://oidc/logout URL ...

Not replaced - in addition to.

... will remove the header and thus no more access on Guacamole, even if
> user keeps seeing menues etc.

No, unless the auth token from Guacamole is revoked, the user will still be
able to use Guacamole. The DELETE request is necessary.

Maybe also another point: upon auth-header module + not the required
> variable,
> block user to the Guacamole login page, not permitting login, just with a
> simple message as "Authentication required" ?

There actually is no login "page" per se - what you see when you're
prompted for credentials by Guacamole is the webapp handling an error
returned by the server which describes the credentials needed to log in.
The content of the error itself dictates the content of that prompt. In the
case of things like the MySQL or PostgreSQL authentication, the error
describes a username/password pair. For OpenID Connect, the error describes
an "id_token" query parameter and the URL that the user should be
redirected to to obtain that parameter.

You're right in abstract: there should be a similar and optional redirect
to an IDP to ultimately provide the header if it's missing. That may be
more complex than the logout redirect if the IDP needs some sort of
parameter in the URL to dictate a return path back to the webapp.

- Mike

View raw message