From Mike Jumper <mjum...@apache.org>
Subject Re: OpenID Auth Not Redirecting
Date Sat, 06 Apr 2019 18:48:08 GMT
On Sat, Apr 6, 2019 at 11:14 AM Nick Couchman <vnick@apache.org> wrote:

> On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <
> craig.bloodworth@theinformationlab.co.uk> wrote:
>
>> Maybe I'm not fully understanding how the OpenID extension should work,
>> but I believe instead of logging in with the standard Guacamole client
>> login screen the user should be forwarded to the OpenID Connect IdP (in
>> this case Google) to authenticate and then be sent back to the Guacamole
>> client. In the case of my implementation this redirect isn't happening.
>>
>> The extension is loaded:
>>
>> 09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>> 09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
>> 09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>> 09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
>>
>>
> Anything else show, here, when you hit the login screen?
>
>
>> And the guacamole.properties file is configured:
>>
>> openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
>> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
>> openid-issuer: https://accounts.google.com
>> openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
>> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
>> openid-username-claim-type: email
>> openid-scope: openid email profile
>> openid-allowed-clock-skew: 60
>> openid-max-token-validity: 300
>> openid-max-nonce-validity: 10
>>
>> But only the standard login screen is shown. What am I missing?
>>
>> I've checked the browser console and there are no obvious errors other
>> than the 403 error from /api/tokens which is triggered because I'm not
>> logged in.
>>
>
> Everything looks good to me, but I've never configured OpenID
> authentication before, so I'm not entirely sure.  Maybe others on the list
> will have more hints.
>

The OpenID extension .jar will need to be renamed such that it is loaded
before the MySQL extension .jar:

000-guacamole-auth-openid.jar
001-guacamole-auth-jdbc-mysql.jar

As the MySQL extension is loading first, its request for username+password
credentials is given priority over the OpenID extension's request for a
token.

Related thought: it might be good to modify the OpenID extension to
optionally add an arbitrary "Sign in with _____" button, rather than the
current all-or-nothing approach.

- Mike
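As an added example (not from this thread and not Guacamole project code), a small POSIX shell helper that lists the extension jars in the order Guacamole loads them, flags the shadowing Mike describes (JDBC jar sorting before the OpenID jar, so the password prompt wins and the IdP redirect never happens), and applies the numeric-prefix rename. It assumes extensions are loaded in lexicographic filename order and that the jars keep the upstream guacamole-auth-openid* / guacamole-auth-jdbc* names; the directory path is passed in as an argument.

```shell
#!/bin/sh
# Assumption: Guacamole loads GUACAMOLE_HOME/extensions/*.jar in lexicographic
# filename order, and the first extension to request credentials gets priority.

# Print the jar basenames in the order Guacamole will load them.
ext_load_order() {
  ext_dir=$1
  for f in "$ext_dir"/*.jar; do
    [ -e "$f" ] || continue
    basename "$f"
  done | LC_ALL=C sort   # byte-wise sort, independent of the locale
}

# Return 0 when the OpenID jar loads before any JDBC (MySQL/PostgreSQL/SQL
# Server) jar, 1 when it is shadowed by a JDBC jar that sorts earlier.
openid_loads_first() {
  ext_load_order "$1" | awk '
    /guacamole-auth-openid/ && !seen_jdbc { found = 1; exit }
    /guacamole-auth-jdbc/                 { seen_jdbc = 1 }
    END { exit found ? 0 : 1 }'
}

# Apply the rename from the thread: 000- for OpenID, 001- for JDBC. Any existing
# numeric prefix is stripped first so the function is safe to run repeatedly.
fix_ext_order() {
  ext_dir=$1
  for f in "$ext_dir"/*.jar; do
    [ -e "$f" ] || continue
    base=$(basename "$f" | sed 's/^[0-9][0-9]*-//')
    case $base in
      guacamole-auth-openid*) prefix=000 ;;
      guacamole-auth-jdbc*)   prefix=001 ;;
      *) continue ;;          # leave unrelated extensions untouched
    esac
    [ "$(basename "$f")" = "$prefix-$base" ] || mv "$f" "$ext_dir/$prefix-$base"
  done
}
```

Run `openid_loads_first /etc/guacamole/extensions` after every upgrade: a jar dropped in without its prefix silently reinstates the username+password prompt.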
