guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: OpenID Auth Not Redirecting
Date Sat, 06 Apr 2019 18:14:12 GMT
On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <craig.bloodworth@theinformationlab.co.uk> wrote:

> Maybe I'm not fully understanding how the OpenID extension should work,
> but I believe instead of logging in with the standard Guacamole client
> login screen the user should be forwarded to the OpenID Connect IdP (in
> this case Google) to authenticate and then be sent back to the Guacamole
> client. In the case of my implementation this redirect isn't happening.
>
> The extension is loaded:
>
> 09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> 09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
> 09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> 09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
>
>
Anything else show, here, when you hit the login screen?


> And the guacamole.properties file is configured:
>
> openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
> openid-issuer: https://accounts.google.com
> openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
> openid-username-claim-type: email
> openid-scope: openid email profile
> openid-allowed-clock-skew: 60
> openid-max-token-validity: 300
> openid-max-nonce-validity: 10
>
> But only the standard login screen is shown. What am I missing?
>
> I've checked the browser console and there are no obvious errors other
> than the 403 error from /api/tokens which is triggered because I'm not
> logged in.
>

Everything looks good to me, but I've never configured OpenID
authentication before, so I'm not entirely sure.  Maybe others on the list
will have more hints.

-Nick
