guacamole-user mailing list archives

From Ryan Underwood <>
Subject RE: OpenID / KeyCloak
Date Tue, 16 Apr 2019 15:02:54 GMT
A few thoughts:
- Are you sure that the asterisk(s) in your URL is what you intended? I know that keycloak
will let you specify the valid redirect URLs with wildcards so wasn't sure if that was a failed
configuration. The Guacamole angular app rewrites URLs and it's possible this is affecting
the hook for that.
- IIRC keycloak uses preferred_username for what you are likely calling the username claim.
If you're testing with "guacadmin" and using email you'll need to add one because it doesn't
exist by default in the database.
- Pasting some logs from keycloak, any reverse proxy, and the guacamole client would help.
- Openid/guacamole works fine for logging in to guacamole but it's like the Hotel California
if you want to sign out.

-----Original Message-----
From: Justin Gauthier <> 
Sent: Tuesday, April 16, 2019 8:02 AM
Subject: Re: OpenID / KeyCloak

I have Guacamole 1.0 working with an older version of Keycloak, below are my settings:

Keycloak settings:

and the guacamole settings:

openid-authorization-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/auth
openid-jwks-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/certs
openid-issuer: https://auth.[REDACTED]/auth/realms/[REDACTED]
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.[REDACTED]/guacamole/
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

The other tabs in keycloak are standard, just have to add the mapper(s) for the email and
username, like below.

Hopefully that helps.

From: kmartin <>
Sent: Tuesday, April 16, 2019 7:55 AM
Subject: OpenID / KeyCloak 
Hello All, 

I set up Guacamole 1.0 + Keycloak 5.0. Everything goes right until the login.

I log in (on keycloak), I return back to guacamole and then I have loops between 2 URLs */#/*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx


Has someone already had the problem?

Here is my config: 

openid-client-id: gua
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500 

Thanks for your help!
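As an added example that is not part of this thread or of the Guacamole project: a small diagnostic an operator could run on the id_token taken from the looping URL. It decodes the token's claims and applies the checks that the openid-issuer, openid-client-id, openid-allowed-clock-skew and openid-username-claim-type properties above imply, so that a username claim that is not in the token (Keycloak emits preferred_username by default, as Ryan notes, unless a mapper adds username) is reported instead of silently retrying. The issuer, claims and signature are constructed sample values; the signature is not verified here, which the real login does against the JWKS endpoint.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def id_token_claims(id_token: str) -> dict:
    """Return the claim set of the id_token found in the redirect fragment.
    The signature is NOT verified here (the real check uses the JWKS endpoint)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))

def check_id_token(id_token, issuer, client_id, username_claim, clock_skew, now=None):
    """Apply the checks the guacamole.properties values above imply; returns a
    list of problems (empty means the token should let the login complete)."""
    now = time.time() if now is None else now
    claims = id_token_claims(id_token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != openid-issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append(f"openid-client-id {client_id!r} not in aud {aud!r}")
    if claims.get("exp", 0) + clock_skew < now:
        problems.append("token expired beyond openid-allowed-clock-skew")
    if claims.get("iat", now) - clock_skew > now:
        problems.append("iat is in the future beyond openid-allowed-clock-skew")
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} absent; token has {sorted(claims)}")
    return problems

# Constructed sample: claims shaped like a Keycloak id_token (no 'username' claim,
# only 'preferred_username'), with a placeholder signature for offline use.
ISSUER = "https://auth.example/auth/realms/example"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": "guacamole", "sub": "abc123",
                 "iat": 1555400000, "exp": 1555400300,
                 "preferred_username": "guacadmin", "email": "guacadmin@example"}
SAMPLE_ID_TOKEN = f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(SAMPLE_CLAIMS)}.placeholder"

if __name__ == "__main__":
    for claim in ("username", "preferred_username"):
        print(claim, check_id_token(SAMPLE_ID_TOKEN, ISSUER, "guacamole", claim, 500, now=1555400100))
```

With openid-username-claim-type set to username the sample reports the absent claim; with preferred_username it reports nothing.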

