guacamole-user mailing list archives

From Ryan Underwood <r...@greymarketlabs.com>
Subject RE: OpenID / KeyCloak
Date Tue, 16 Apr 2019 15:02:54 GMT
A few thoughts:
- Are you sure that the asterisk(s) in your URL is what you intended? I know that Keycloak
will let you specify the valid redirect URLs with wildcards, so I wasn't sure if that was a failed
configuration. The Guacamole Angular app rewrites URLs and it's possible this is affecting
the hook for that.
- IIRC Keycloak uses preferred_username for what you are likely calling the username claim.
If you're testing with "guacadmin" and using email, you'll need to add one because it doesn't
exist by default in the database.
- Pasting some logs from Keycloak, any reverse proxy, and the Guacamole client would help
debugging.
- OpenID/Guacamole works fine for logging in to Guacamole, but it's like the Hotel California
if you want to sign out.


-----Original Message-----
From: Justin Gauthier <justin@justin-tech.com> 
Sent: Tuesday, April 16, 2019 8:02 AM
To: user@guacamole.apache.org; user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

I have Guacamole 1.0 working with an older version of Keycloak; below are my settings:

Keycloak settings:

[screenshots not preserved in the archive]

and the guacamole settings:


openid-authorization-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/auth
openid-jwks-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/certs
openid-issuer: https://auth.[REDACTED]/auth/realms/[REDACTED]
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.[REDACTED]/guacamole/
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

The other tabs in Keycloak are standard; you just have to add the mapper(s) for the email and
username, like below.

[screenshot not preserved in the archive]
Hopefully that helps.

Regards,

Justin

 
________________________________

From: kmartin <kmartin@6hat.fr>
Sent: Tuesday, April 16, 2019 7:55 AM
To: user@guacamole.apache.org
Subject: OpenID / KeyCloak 
 
Hello All, 

I set up Guacamole 1.0 + Keycloak 5.0. Everything goes right until the login.

I log in (on Keycloak), I return to Guacamole and then I have loops between 2 URLs:


https://services.xxx.fr:8081/guacamole*/#/*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx


and 

https://services.xxx.fr:8081/guacamole*/#*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx


Has someone already had this problem?

Here is my config: 

openid-authorization-endpoint: https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/auth
openid-jwks-endpoint: https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/certs
openid-issuer: https://sso.xxx.fr:8443/auth/realms/xxx
openid-client-id: gua
openid-redirect-uri: http://services.xxx.fr:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500 

Thanks for your help!





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ 
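The points raised in this thread (stray asterisks in the redirect URL, a redirect URI whose scheme does not match the page the browser actually lands on, a username claim that Keycloak only emits if a mapper is added, and a very large clock-skew allowance) can be checked mechanically before digging through logs. The script below is an added example and is not code from the thread or from the Guacamole project. It parses a `guacamole.properties`-style OpenID block and compares it with the URL the browser bounced to. The two property samples and the loop URL are constructed, modelled on the configurations quoted above with `example.test` placeholder hosts; the "working" sample uses `preferred_username` (Keycloak's default claim, as noted in the reply) instead of the thread's `username` plus a custom mapper, and the `30` second default for `openid-allowed-clock-skew` is taken from the Guacamole manual.

```python
"""Sanity checks for a guacamole.properties OpenID block, compared with the URL
the browser actually lands on after Keycloak redirects back (added example)."""
from urllib.parse import urlsplit

# Constructed sample modelled on the failing configuration in the thread.
BROKEN_PROPERTIES = """\
openid-authorization-endpoint: https://sso.example.test:8443/auth/realms/demo/protocol/openid-connect/auth
openid-jwks-endpoint: https://sso.example.test:8443/auth/realms/demo/protocol/openid-connect/certs
openid-issuer: https://sso.example.test:8443/auth/realms/demo
openid-client-id: gua
openid-redirect-uri: http://services.example.test:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500
"""

# Constructed sample modelled on the working configuration in the thread
# (claim switched to Keycloak's default preferred_username, skew to the default).
WORKING_PROPERTIES = """\
openid-authorization-endpoint: https://auth.example.test/auth/realms/demo/protocol/openid-connect/auth
openid-jwks-endpoint: https://auth.example.test/auth/realms/demo/protocol/openid-connect/certs
openid-issuer: https://auth.example.test/auth/realms/demo
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.example.test/guacamole/
openid-username-claim-type: preferred_username
openid-scope: openid email profile
openid-allowed-clock-skew: 30
"""

# Constructed: one of the two URLs the browser looped between in the thread.
LOOP_URL = ("https://services.example.test:8081/guacamole*/#/*"
            "session_state=00000000-0000-0000-0000-000000000000&id_token=xxxx")

DEFAULT_CLOCK_SKEW = 30  # seconds; the documented Guacamole default


def parse_properties(text):
    """Parse 'key: value' lines in the guacamole.properties style used in the thread."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first ':' only; values are URLs
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_openid_config(props, observed_url=None):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    findings = []

    # Both endpoints should live under the issuer, otherwise the 'iss' claim
    # in the ID token will not match what Guacamole expects.
    issuer = props.get("openid-issuer", "").rstrip("/")
    for key in ("openid-authorization-endpoint", "openid-jwks-endpoint"):
        if not props.get(key, "").startswith(issuer + "/"):
            findings.append(("issuer-mismatch", f"{key} is not under openid-issuer {issuer}"))

    # A literal '*' in any configured URL is almost never intended.
    for key, value in props.items():
        if key.startswith("openid-") and "*" in value:
            findings.append(("wildcard", f"{key} contains '*'"))

    redirect = urlsplit(props.get("openid-redirect-uri", ""))
    if redirect.scheme != "https":
        findings.append(("plain-http", "openid-redirect-uri is not https; the id_token "
                         "fragment would be delivered to a non-TLS page"))

    if observed_url:
        observed = urlsplit(observed_url)
        if "*" in observed_url:
            findings.append(("wildcard", "observed browser URL contains '*'"))
        if (observed.scheme, observed.netloc) != (redirect.scheme, redirect.netloc):
            findings.append(("redirect-origin-mismatch",
                             f"browser lands on {observed.scheme}://{observed.netloc} but "
                             f"openid-redirect-uri is {redirect.scheme}://{redirect.netloc}"))
        if observed.path.replace("*", "").rstrip("/") != redirect.path.rstrip("/"):
            findings.append(("redirect-path-mismatch",
                             f"browser path {observed.path!r} vs redirect {redirect.path!r}"))

    # Keycloak emits preferred_username by default; any other claim needs a mapper.
    claim = props.get("openid-username-claim-type", "")
    if claim != "preferred_username":
        findings.append(("claim-mapper", f"claim {claim!r} is not Keycloak's default "
                         "preferred_username; a protocol mapper must add it to the token"))

    # A large skew allowance widens the window in which an expired token is accepted.
    try:
        skew = int(props.get("openid-allowed-clock-skew", DEFAULT_CLOCK_SKEW))
    except ValueError:
        findings.append(("bad-skew", "openid-allowed-clock-skew is not an integer"))
        skew = None
    if skew is not None and skew > DEFAULT_CLOCK_SKEW:
        findings.append(("large-skew", f"clock skew {skew}s exceeds the {DEFAULT_CLOCK_SKEW}s default"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROPERTIES), ("working", WORKING_PROPERTIES)):
        url = LOOP_URL if name == "broken" else None
        for code, msg in check_openid_config(parse_properties(text), url) or [("ok", "no findings")]:
            print(f"{name}: {code}: {msg}")
```

Run it against the real `guacamole.properties` and the address bar contents from the redirect loop; the origin-mismatch and wildcard findings are the two that correspond directly to the loop described above, while the claim and skew findings are the follow-up items from the reply.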

