guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "B3r3n" <B3...@argosnet.com>
Subject Re: Guacamole & OpenID
Date Wed, 05 Dec 2018 07:58:51 GMT
> On Mon, Dec 3, 2018 at 12:12 PM B3r3n <B3r3n@argosnet.com> wrote:
>
>> ...
>>
>> openid-authorization-endpoint:
>> https://tacauth.mydomain.tld/oxauth/restv1/authorize
>> openid-jwks-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/jwks
openid-issuer
>> <https://tacauth.mydomain.tld/oxauth/restv1/jwksopenid-issuer>:
https://tacauth.mydomain.tld
>> openid-client-id:
>> @!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F
>> openid-redirect-uri: https://tacos.mydomain.tld/guacamole/
>> openid-username-claim-type: preferred_username
>> openid-scope: openid profile email
>>
>
> Note that "openid email profile" is the default. This will likely have no
effect.
Agree, but when you cant find the issue, you doubt of documentations, and so
enforce values ;-)

>> auth-provider:
>> org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider
>>
>
> The "auth-provider" property has been deprecated since 0.9.7 and was removed
in 0.9.10-incubating. Older releases would have logged a warning regarding
its use, while releases from 0.9.10-incubating onward will simply ignore it.
Continuing to specify this is bad practice and has no effect.
noted, thanks

>
> ...
>> Guacamole unique extension : guacamole-auth-openid-0.9.14.jar
>>
>
> When you say "unique" here, do you mean that this is the only .jar wile
within GUACAMOLE_HOME/extensions/?
Yes, but I discovered I need to have MySQL as well, but in 2nd position. This
to be able to manage connexions, users etc.
However, when it is not I should not endless loop but have access to user's
simple profile.

>
>
>> Guacamole lib : mysql-connector-java-8.0.13.jar
>> MySQL is taken from Ubuntu, DB created via cat
>> 001* then 002* to mysql –p guacamole_db, privileges granted.
>>
>
> If only the OpenID extension is installed, then all this will have no
effect. MySQL will not be used unless the MySQL extension is installed.
>
> ...
>> but apparently FileAuthenticationProvider is enforced after it :
>>
>
> It is not enforced; it is only loaded. It will only have an effect if
"user-mapping.xml" is present.
>
> ...
>> I am puzzled with the fact Guacamole claims the
>> user-mapping.xml file, as well as the fact it
>> bound the fileauth provider. To me that is useless since openid is here…
>>
>
> The "user-mapping.xml" authentication mechanism is built into Guacamole. It
is always loaded but is loaded last. If any extensions are present at all,
they will take priority, with "user-mapping.xml" finally getting a crack at
authentication after all other extensions have had a chance. If you do not
have a "user-mapping.xml" file at all, then this will have no effect.
Ok, IMHO this remains puzzling. When you dont use something, why complaining
you cant get it. If there is no use of fileauthprovider & user-mapping because
other modules will do the job, complaining puzzles... Just my opinion...

>
>
>> Login with Firefox to URL (not /guacamole/), PHP
>> page is find (simple check to display variables), to call /guacamole/:
URL/guacamole/ redirects to Gluu login page   OK
>> Logging in as guacadmin/guacadmin                      OK
>> Then endless looping between:
>>
>> URL/guacamole/#scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
and
>>
>> URL/guacamole/#/scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
>>
>
> I think this is failing because of the presence of other parameters after
the "#/". The OpenID Connect extension for Guacamole works around issues
with AngularJS and OpenID by handling the mangled parameters as if they were
the name of a page, rewriting ".../#/id_token=FOO" to
> ".../#/?id_token=FOO". This workaround will not have any effect with a path
like ".../#/scope=FOO":
Just a sec. My browser is the one calling that URL right ?
If I dont mistake, it is said that everything after # in a URL is to be
ignored. Maybe Guacamole can recognize it but Apache as reverse proxy or
Tomcat7 should them comply with this rule and thus ignore (not relaying to)
these values. Accordingly, Guacamole detects an anymonous auth attempt, which
is logged. Am I right ?
>
> https://github.com/apache/guacamole-client/blob/fc457c080d813044e30e1f4e8fe855d6a5900259/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js#L35-L54
>
> We may need a better workaround if OpenID Connect implementations can be
expected to throw other parameters in there besides the expected "id_token".
I saw AngularJS is now able to deal with implicit OIDC auth. Or maybe use a
web mode with authorization_code ?

Thanks for your help !

>
> - Mike
>
>
>





Mime
View raw message